Susan Landau

Making Sense from Snowden: What's Significant in the NSA Surveillance Revelations

Did Edward Snowden cause irreparable harm, or did he reveal facts that should be publicly examined? What are the facts, anyhow? This article seeks to put the Snowden revelations in context, explaining whats new, why it matters, and what might happen next.

Functional decomposition of polynomials

Fast DecoIIlposition in the tame case 2 polynomials over F. We obtain a range of results, trom Ulldecidability over sufficiently general fields to fast sequential and parallel algorithms over finite fields. A version of the algorithm of Theorem 1 below has beel implemented [2,6J and compares favorably with [3J. Dick erson [9J has extended some of these results to multivariate polynomials. We should give a brief history of the research behind this joint paper. Kozen and Landau [18] gave the first polynomial-time sequential and NCalgorithms for this problem in the tame case. The time hounds were O(n3 ) sequential, O(n ) if F supports an FFT, and 0(1og2 n) parallel. They also presented the structure theorem (Theorem 9), reducing the problem in the wild case to factorization, and gave an O(n ) algorithm for the decomposition of irreducible polynomials over general fields admitting a polynomial-time factorization algorithm, and an NC algorithm for irreducible polynomials over finite fields. Based on the algorithm of [18], von zur Gathen [17] improved the bounds in the tame case to those stated above. These results are presented in §2. He also gave an improved algorithm for the wild case, yielding a polynomial-time reduction to factorization of polynomials, and observed undecidability over sufficiently general fields. These results are presented in §3. Introduction 1

Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with the telephone system — such as E911 and the graceful accommodation of wiretapping — should be able to be done readily with VoIP as well.

How to Tangle with a Nested Radical

Like many an intriguing question in algebraic manipulation, the problem of denesting nested radicals had its origins with Ramanujan. That is not to say that no one had ever considered the problem of denesting radicals before he did. Certainly the fact that q _____(____ ( __ ( __ 5 + 2 6 = 2 + 3 is simple enough that it must have been known several centuries ago. Ramanujan [?] upped the ante. For each of the formulae below, he took the doubly nested radical on the left and simplified it to a combination of singly nested radicals on the right: q3(3_______ q3 _____ 3q_____ 3q_____ 2 - 1 = 1/9 - 2/9 + 4/9 q (3____3(___ (3__ 3(___ 3(___ 5 - 4 = 1/3( 2 + 20 - 25 ) q6_(3__________ q3 _____ 3q_____ 7 20 - 19 = 5/3 - 2/3 v _____(4____ 4(__ u43 + 2 5 5 + 1 u _____(4___ = (4_______ t 3 - 2 5 5 - 1 q (3______3(____ (3___ 3(___ 28 - 27 = 1/3( 98 - 28 - 1) 3rq5________5q_______ q5 ______ 5q______ 5q______ 32/5 - 27/5 = 1/25 + 3/25 - 9/25 . What Ramanujan neglected to do was provide a theory for simplifying nested radicals. When computers came along, symbolic computation became important. There was a practical reason to find an algorithm for denesting nested radicals. A machine has no problem with: q _____(____ ( __ ( __ 3/2 1, 5 + 2 6 , 5 + 2 6 , (5 + 2 6 ) q _____(____ as a basis for Q( 5 + 2 6 ) over Q. Most human beings seem to prefer the basis: ( __ ( __ ( __ 1, 2, 3, 6. The difficulty is that there was no general method to go from the complex form of a nested radical to a simplified version. If Ramanujan had one, he never wrote it down. Necessity has often been the mother of invention, and so it proved to be in this case. Although the general problem remains open, there are now solutions to a number of sub- problems: for denesting real nested square roots [?], for radicals of a special form [?], [?], for radicals using roots of unity [?], [?]. We are interested in three questions: When does a simplification exist? Is there a technique for finding it? How long does it take? In this article, we will briefly present some recent theorems for radical simplification, and the algo- rithms they lead to. For proofs, and complete presentations, the reader is urged to read the original papers.

Privacy and security A multidimensional problem

Its not just science or engineering that will be needed to address security concerns, but law, economics, anthropology, and more.

Security, wiretapping, and the Internet

In a move that is dangerous to network security, the US Federal Bureau of Investigation is seeking to extend the Communications for Law Enforcement Act to voice over IP. Such an extension poses national security risks.

Polynomials in the Nation's Service: Using Algebra to Design the Advanced Encryption Standard

1. INTRODUCTION. Cryptography, the science of transforming communications so that only the intended recipient can understand them, should be a mathematician’s playground. Certain aspects of cryptography are indeed quite mathematical. Publickey cryptography, in which the encryption key is public but only the intended recipient holds the decryption key, is an excellent demonstration of this. Both Diffie-Hellman key exchange and the RSA encryption algorithm rely on elementary number theory, while elliptic curves power more advanced public-key systems [21], [4]. But while public key has captured mathematicians’ attention, such cryptography is in fact a show horse, far too slow for most needs. Public key is typically used only for key exchange. Once a key is established, the workhorses of encryption, privateor symmetric-key cryptosystems, take over. While Boolean functions are the mainstay of private-key cryptosystems, until recently most private-key cryptosystems were an odd collection of tricks, lacking an overarching mathematical theory. That changed in 2001, with the U.S. government’s choice of Rijndael 1 as the Advanced Encryption Standard. Polynomials provide Rijndael’s structure and yield proofs of security. Cryptographic design may not yet fully be a science, but Rijndael’s polynomials brought to cryptographic design “more matter, with less art” (Hamlet, act 2, scene 2, 97). Rijndael is a “block-structured cryptosystem,” encrypting 128-bit blocks of data using a 128-, 192-, or 256-bit key. Rijndael variously uses x −1 , x 7 + x 6 + x 2 + x, x 7 + x 6 + x 5 + x 4 + 1, x 4 + 1, 3x 3 + x 2 + x + 2, and x 8 + 1 to provide cryptographic security. (Of course, x −1 is not strictly a polynomial, but in the finite field GF(2 8 ) x −1 = x 254 and so we will consider it one.) In this paper I will show how polynomials came to play a critical role in what may become the most widely-used algorithm of the new century. To set the stage, I will begin with a discussion of a decidedly nonalgebraic algorithm, the 1975 U.S. Data Encryption Standard (DES), which, aside from RC4 in web browsers and relatively insecure cable-TV signal encryption, is the most widely-used cryptosystem in the world. 2 I will concentrate on attacks on DES, showing how they shaped future ciphers, and explain the reasoning that led to Rijndael, and explain the role that each of Rijndael’s polynomials play. I will end by discussing how the algebraic structure that promises security may also introduce vulnerabilities. Cryptosystems consist of two pieces: the algorithm, or method, for encryption, and a secret piece of information, called the key. In the nineteenth century, Auguste Kerckhoffs observed that any cryptosystem used by more than a very small group of people will eventually leak the encryption technique. Thus the secrecy of a system must reside in the key.

Overview of cyber security: a crisis of prioritization

The Internet, originally a development of the USA government, opened to commercial traffic in the early 1990s. Since then, its growth internationally has been phenomenal. In several nations, the Internet is now fundamental for communication, and it has become basic to society, including supporting several aspects of the USA national critical information infrastructure. Because the Internet was built as all information-sharing network, security did not figure prominently in its original architecture. This deployment is beneficial but it has also brought serious risks.

The real national-security needs for VoIP

In August 2005 the Federal Communications Commission announced that the Communications Assistance for Law En f o rcement Ac t (CALEA) applies to broadband Internet access and “ i n t e rconnected voice over IP” (VoIP). VoIP p rov i d e r s a l ready had to comply with legally authorized wire t a p o rders; the FCC ruling means that all VoIP i m p l em e n t a t i o n s would now have to pass federal wire t a pping standards before they could be deployed. This is not merely a hair-splitting distinction of concern only to telephone companies; in essence, this new ruling places the FBI in the middle of the design p rocess for VoIP protocols and pro d u c t s . Those who think the new FCC ruling will affect only the U.S. are mistaken. After CALEA (which re q u i res that digitally switched telephone networks be built w i ret a p enabled) became law in 1994, the FBI pressed o t h e r nations to adopt similar legislation. Di g i t a l s w i t c h i n g technology sold in the U.S. telecom market must comply with C A L E A , thus effectively forcing much of the rest of the world to adopt CALEA access interf a c e s . T h e re we re objections to the ruling from many q u a rters: civil-liberties organizations, In t e r n e t p roviders, and the computer industry. Although CALEA applies to services that provide a “re p l a c ement for a substantial portion of the local telephone e xchange service,” there is currently a clear exe m p t i o n for the Internet. It is likely that the FCC ruling will be challenged in court. If, as some expect, the FCC ruling is ove rturned, the FBI is likely to seek Cong re s s’s help in expanding CALEA to include Vo I P. CALEA applied to VoIP might simplify the FBI’s e f f o rts to conduct legally authorized wire t a p s (although the FBI has not disclosed any instances in which it has had difficulty conducting VoIP wire t a p s ) . Howe ve r, applying CALEA to VoIP would necessitate i n t roducing surveillance capabilities deep into the netw o rk protocol stack. The IETF considered such a surveillance protocol five years ago in RFC 2804, and concluded that it simply could not be done secure l y. Ne t w o rks have become even more fragile since then. O ver the last decade, the Internet has proven irresistible to business; it and private networks using Internet protocols are now used to control much of the world’s critical infrastru c t u res. The vulnerabilities i n h e rent in the Internet put vital assets at risk. In the wake of September 11 and the Madrid and London bombings, protection of such infrastru c t u re has taken on a new urgency. In t roducing surveillance capabilities into Internet protocols is simply dangerous, the fundamental problem being that designing and building secure surveillance systems is too difficult. It might be argued that the surveillance technology can be built securely and without risk of penetration by hostile f o rces. The track re c o rd is not encouraging. Even organizations considered in excellent positions to pre vent penetration have been vulnerable. A number of U.S. Gove r n m e n t agencies, including the Defense De p a rtment and the De p a rtment of Justice, have been successfully attacked. It is possible to write better software, even with the limited state of the current art, but the processes still a re n’t foolpro o f. For example, avionics software (which is held to a ve ry high standard and is not expected to deal with Internet attacks) is not immune to critical flaws. With CALEA, incentives work against security. VoIP companies are unlikely to pay for high-assurance d e velopment; they don’t rely on the proper function of w i retapping software in their normal operations. The s o f t w a re won’t be available to many friendly eyes that might re p o rt bugs and holes. Instead, the likely targets of wire t a p s — o r g a n i zed crime and foreign and industrial spies who would want to subve rt the monitoring capabilities for their own ends—would most cert a i n l y not disclose any holes that they find. Gi ven this, how likely is it that ISPs will be able to s e c u re their surveillance and remote monitoring capabilities from attack and takeover by hostile agents? Not imposing CALEA on VoIP does n o t mean that law enforcement will be helpless to wiretap Vo I P. Instead it means that wiretapping will be accomplished at either the application layer (by the Vo I P p rovider) or the link layer (by monitoring the target’s n e t w o rk connection), rather than from functions embedded more perva s i vely across the network stack. In the debate over cryptography policy, seve r a l nations (including the U.S. and France) wisely concluded a decade ago that weakening Internet security in the hope of occasionally helping law enforc e m e n t was a bad trade-off. Extending CALEA to Vo I P would be a dangerous step backward. c The Real National-Security Needs for Vo I P Inside Risks S t even M. Bellovin, Matt Blaze, and Susan Landau

Communications surveillance: privacy and security at risk

As the sophistication of wiretapping technology grows, so too do the risks it poses to our privacy and security.