
April 2010

Friday, 30 April 2010

Usability lessons from Progress Quest

Voltage is known for its innovative encryption technologies, but we're also known for how easy our products are to use. Not too many years ago, it was extremely hard for the average person to encrypt their email. The classic paper "Why Johnny Can't Encrypt" describes exactly how hard this can be for a typical user and anyone interested in the usability of encryption should read it.

With Voltage's SecureMail, on the other hand, a user doesn't have to do anything more than click on the "Send Secure" button instead of the "Send" button. If you're implementing SecureMail at a gateway appliance, they don't even have to do that – it can just happen automatically. Decrypting is just as easy.

Because we worry so much about the usability of our products, I'm very interested in seeing any enterprise security products that might actually be easier to use than SecureMail. If we ever find one of these, we'll probably be able to learn a thing or two from it. That's why I got so excited when I recently learned of an application that may actually be easier to use than SecureMail. In this case, however, it's not enterprise software. It's the game Progress Quest.

Progress Quest is a massively multiplayer online role-playing game (MMORPG). Before I heard of Progress Quest, I had never actually played a MMORPG, but that didn't stop me from being a government expert on the topic. I say that because I was actually the invited speaker at a government workshop on MMORPGs a couple of years ago. Unfortunately, the fact that I had to sign an NDA for this event means that I can't say much more about it.

Here's how the manual for Progress Quest describes the game:

Progress Quest is a next generation computer role-playing game. Gamers who have played modern online role-playing games, or almost any computer role-playing game, or who have at any time installed or upgraded their operating system, will find themselves incredibly comfortable with Progress Quest's very familiar gameplay. Progress Quest follows reverently in the footsteps of recent smash hit online worlds, but is careful to streamline the more tedious aspects of those offerings. Players will still have the satisfaction of building their character from a ninety-pound level 1 teenager, to an incredibly puissant, magically imbued warrior, well able to snuff out the lives of a barnload of bugbears without need of so much as a lunch break. Yet, gone are the tedious micromanagement and other frustrations common to that older generation of RPG's.

You start Progress Quest by picking the class and race of the character that you'll be playing. After that, the game does everything else for you. I even created a Progress Quest character: Elrond Hubbard, a Demicanadian Ur-Paladin with a name that's almost funny. If you're more adventurous you can pick races like Double Wookiee or Enchanted Motorcycle and classes like Fighter/Organist or Battle-Felon. I wasn't.

If you let Progress Quest run, your character will gradually increase in power and gain useful magical treasures. As I write this, Elrond Hubbard is currently Level 60 and has +23 Fine Gilded Plasma Vambraces. I'm not really sure if that's good or bad, but I certainly didn't have to pay any $9.95 monthly fees to get my character to where he is now.

Surprisingly enough, or at least surprising enough to surprise a one-time government expert like me, Progress Quest seems to be fairly popular. The good reviews of it dramatically outnumber the bad reviews. And that's for a game where the player does absolutely nothing.

I'm never surprised to learn that most people really don't want to worry about encryption at all - they're too busy doing their jobs to worry about fighting with software that's hard to use. But I never would have thought that people would actually enjoy a game in which they do absolutely nothing.

In any event, I suppose that the bottom line is that we haven't quite figured out what we can learn from Progress Quest that will help us make SecureMail better, but that doesn't mean that we won't keep trying.

(If anyone wants to quote me about Progress Quest, here's my position on it: "Of all the games available for the PC, this is one of them.")

Thursday, 29 April 2010

Early adapters


The next time that I hear people who tend to adopt new technologies before others do described as "early adapters" instead of "early adopters," I may have to do some sort of Internet version of screaming loudly. This seems to be one of those hideous marketing-isms that have been created recently, much like "flushing" things out instead of "fleshing" them out.

Ack!

As I've noted before, it certainly seems like it's only native speakers of English that make blunders like these. Odd.

Wednesday, 28 April 2010

The j-invariant of an elliptic curve

If we have an elliptic curve

$y^2 = x^3 + ax + b$

then the j-invariant of the curve is given by

$j(a,b) = \frac{4a^3}{4a^3 + 27b^2}$

or perhaps by some constant multiple of this. Sometimes there's an additional factor of 1728 thrown in there that makes some calculations come out cleaner, but it's not really necessary. Why does this definition make sense? Elliptic curves with the same j-invariant are isomorphic, or are really the same curve in disguise, and here's why.

Suppose that we have a lattice $L$ in the complex plane with basis $\omega_1$ and $\omega_2$. When we multiply each of these basis elements by the same non-zero constant $c$ to get the basis $c\omega_1$ and $c\omega_2$, we end up with essentially the same lattice, and the j-invariant captures that idea.

The Weierstrass invariants $g_2$ and $g_3$ for $L$ are given by

$g_2 = 60 \sum \omega^{-4}$

and

$g_3 = 140 \sum \omega^{-6}$

where the sums are over all non-zero $\omega = n\omega_1 + m\omega_2$.

If we multiply both $\omega_1$ and $\omega_2$ by a non-zero constant $c$, we get the basis for a lattice $L' = cL$, and for it we get that

$g_2' = 60 \sum (c\omega)^{-4} = c^{-4} \cdot 60 \sum \omega^{-4} = c^{-4} g_2$

and

$g_3' = 140 \sum (c\omega)^{-6} = c^{-6} \cdot 140 \sum \omega^{-6} = c^{-6} g_3$

The value

$j(g_2, g_3) = \frac{g_2^3}{g_2^3 - 27 g_3^2}$

is invariant under this change of variables, so that

$j(g_2', g_3') = j(g_2, g_3)$

How is this reflected in an elliptic curve that's parameterized by the Weierstrass ℘-function that we get from these lattices?

If we have an elliptic curve

$y^2 = 4x^3 - g_2 x - g_3$

or

$(y/2)^2 = x^3 - (g_2/4)\,x - g_3/4$

and write this as

$y^2 = x^3 + ax + b$

then we have that $g_2 = -4a$ and $g_3 = -4b$, so that

$j(g_2, g_3) = j(-4a, -4b)$

$= \frac{(-4a)^3}{(-4a)^3 - 27(-4b)^2}$

$= \frac{4a^3}{4a^3 + 27b^2}$

which is the form that's usually given for the j-invariant, at least up to a constant.

We can also see how the mapping of L to cL, which maps z to cz, is reflected in the coordinates of a point on an elliptic curve.

The x-coordinate of a point on an elliptic curve that's parameterized by the Weierstrass ℘-function is given by

$\wp_L(z) = z^{-2} + \sum \left( (z - \omega)^{-2} - \omega^{-2} \right)$

so that

$\wp_{cL}(cz) = (cz)^{-2} + \sum \left( (cz - c\omega)^{-2} - (c\omega)^{-2} \right)$

$= c^{-2} \left( z^{-2} + \sum \left( (z - \omega)^{-2} - \omega^{-2} \right) \right)$

$= c^{-2}\, \wp_L(z)$

or that $x$ gets mapped to $c^{-2} x$.

Similarly, we have that

$\wp'_L(z) = -2 \sum (z - \omega)^{-3}$

so that

$\wp'_{cL}(cz) = c^{-3}\, \wp'_L(z)$

or that $y$ gets mapped to $c^{-3} y$.

Here's a table that summarizes the correspondences between $(x, y)$ on $E: y^2 = x^3 + ax + b$ and $(x', y')$ on the isomorphic $E': (y')^2 = (x')^3 + a'x' + b'$:

    E      E'
    a      a' = c^{-4} a
    b      b' = c^{-6} b
    x      x' = c^{-2} x
    y      y' = c^{-3} y
    j      j' = j

Now suppose that we want to find an elliptic curve with a particular j-invariant, say J. If we have

$a = b = \frac{27}{4} \cdot \frac{J}{1 - J}$

then we get that

$j(a, b) = J$

so the elliptic curve

$y^2 = x^3 + ax + b$

has that j-invariant.
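As an added worked example (not part of the original post), here is the bookkeeping above carried out in exact rational arithmetic: the j-invariant in both the (a, b) and (g2, g3) forms, the scaling a' = c^-4 a, b' = c^-6 b together with the point map (c^-2 x, c^-3 y), and the a = b = (27/4) J/(1 - J) construction. The curve y^2 = x^3 - 7x + 10, its point (1, 2) and the scale factor are constructed values, not from the post.

```python
from fractions import Fraction as F

def j_invariant(a, b):
    """j(a, b) = 4a^3 / (4a^3 + 27b^2) for y^2 = x^3 + ax + b,
    the normalisation used in the post (no factor of 1728)."""
    a, b = F(a), F(b)
    return 4 * a**3 / (4 * a**3 + 27 * b**2)

def j_lattice(g2, g3):
    """The same quantity written in the Weierstrass invariants:
    j(g2, g3) = g2^3 / (g2^3 - 27 g3^2)."""
    g2, g3 = F(g2), F(g3)
    return g2**3 / (g2**3 - 27 * g3**2)

def scale_curve(a, b, c):
    """Coefficients of the isomorphic curve E' coming from the lattice cL:
    a' = c^-4 a, b' = c^-6 b."""
    c = F(c)
    return F(a) / c**4, F(b) / c**6

def scale_point(x, y, c):
    """Image of (x, y) under z -> cz on the lattice: (c^-2 x, c^-3 y)."""
    c = F(c)
    return F(x) / c**2, F(y) / c**3

def on_curve(x, y, a, b):
    """True when y^2 = x^3 + ax + b holds exactly (rational arithmetic)."""
    x, y, a, b = F(x), F(y), F(a), F(b)
    return y**2 == x**3 + a * x + b

def curve_with_j(J):
    """a = b = (27/4) J / (1 - J) gives a curve with j-invariant J.
    J = 0 and J = 1 make the formula degenerate, so they are rejected."""
    J = F(J)
    if J in (0, 1):
        raise ValueError("J = 0 and J = 1 need a different construction")
    a = F(27, 4) * J / (1 - J)
    return a, a

if __name__ == "__main__":
    # Constructed example: y^2 = x^3 - 7x + 10 contains the point (1, 2).
    a, b, x, y, c = -7, 10, 1, 2, F(3, 2)
    a2, b2 = scale_curve(a, b, c)
    x2, y2 = scale_point(x, y, c)
    print("j(E) =", j_invariant(a, b), " j(E') =", j_invariant(a2, b2))
    print("scaled point still on E':", on_curve(x2, y2, a2, b2))
    print("g2 = -4a, g3 = -4b gives the same j:",
          j_lattice(-4 * a, -4 * b) == j_invariant(a, b))
    A, B = curve_with_j(5)
    print("curve with j = 5: a = b =", A, " -> j =", j_invariant(A, B))
```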

Now, if I could just learn why a j-invariant is called a j-invariant I'd be happy. I've never been able to track down that particular bit of history.

Tuesday, 27 April 2010

What were they thinking?

In a previous post, I noted a new social networking site called Blippy that basically lets you see what your friends are buying. Maybe if you're too young to remember the dot-com era, that sounds like a perfectly reasonable thing to do. To me it just sounds like a huge privacy problem just waiting to happen.

According to what's posted on Blippy's web site, the problems have already started. In particular, it looks like Blippy incorrectly considered raw transaction data to be harmless at one point, and some of it ended up in the HTML on some of their web pages.

Yikes!

Blippy has a five-step plan for making sure that this doesn't happen again:

  1. Hire a Chief Security Officer and associated staff that will focus solely on issues relating to information security.
  2. Have regular 3rd-party infrastructure & application security audits.
  3. Continue to invest in systems to aggressively filter out sensitive information.
  4. Control caching of information in search engines.
  5. Create a security and privacy center that contains information about what we are doing to protect you.

These steps look like a good move in the right direction, but why weren't these done in the first place? And with all the news about PCI DSS these days, who could possibly have thought that credit card transaction data wasn't sensitive and needed to be protected?

An unusual requirement for encryption

I recently came across what I thought was an unusual requirement for an enterprise encryption product. I heard this from the CEO of a company that wasn't encrypting their email yet and didn't plan to do so until they could find a product that met all of the CEO's requirements.

The particular requirement that I found somewhat surprising was that the user of an email encryption product would automatically be notified if a hacker somehow managed to decrypt an encrypted message.

I won't say that this is impossible to do, because someone might actually invent a clever way to do this some day, but it certainly seems as close to impossible as you can get. I certainly don't know of a good way to do it. But because they couldn't find a product that had this particular feature, at least one company out there isn't encrypting email messages that contains sensitive information.

The use of encryption has become much more widespread than it was just a few years ago, but there are still lots of cases where it's not used much. I have to wonder how much the adoption of encryption is being slowed by requirements that really aren't very practical.

Monday, 26 April 2010

A use for equivalent divisors

Two divisors are equivalent if they differ by the divisor of a rational function. When it comes to calculating the pairings that we want to implement for pairing-based cryptography, it can be useful to know when two divisors are equivalent, because there are lots of cases where we just need a divisor equivalent to a particular divisor instead of that particular divisor itself.

If this is the case, then we can pick a divisor that's nice in some way and use it instead of an equivalent but less nice form. In particular, this can help get rid of the point at infinity and use a finite point on an elliptic curve instead. We get the Tate pairing of a point P of order n and a second point Q, for example, by finding a rational function whose divisor is

n(P) - n(O)

and evaluating this function at a divisor equivalent to

(Q) - (O)

To do this, having a way to get rid of the points at infinity can be useful. Here's a way to do this.

Suppose that we have two divisors on an elliptic curve

$D_1 = (P_1) - (O)$

and

$D_2 = (P_2) - (O)$

Let's say that $P_1 + P_2 = P_3$, and write $u$ for the line through $P_1$, $P_2$ and $-P_3$ and $v$ for the line through $P_3$ and $-P_3$. To help visualize things, the following picture may be useful:

[Figure: Divisors]

As we saw in a previous post, we can use $u$ and $v$ to write

$(P_1) - (O) + (P_2) - (O) = (P_3) - (O) + \mathrm{div}(u/v)$

Now let's replace P1 with P, P2 with R and P3 with P + R. With this change of notation we have that

(P) - (O) + (R) - (O) = (P + R) - (O) + div(u/v)

Rearranging terms a bit gives that

[ (P) - (O) ] - [ (P + R) - (R) ] = div(u/v)

or that the divisors

(P) - (O)

and

(P + R) - (R)

are equivalent because their difference is just div(u/v), which is the divisor of a rational function.

So if we need to do a calculation with a divisor equivalent to (P) - (O), we can just pick a random point R and use the divisor (P + R) - (R) instead of (P) - (O). The point at infinity can make it difficult to do calculations with (P) - (O), but that's not a problem with (P + R) - (R).
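As an added example (not from the post), here is the divisor identity checked on a constructed toy curve, y^2 = x^3 + x + 1 over GF(23): the code builds the lines u and v for given P and R and confirms that their zeros on the curve are exactly the points that (P) + (R) - (P + R) - (O) = div(u/v) predicts, which is what lets (P + R) - (R) stand in for (P) - (O).

```python
# Added example (not from the post). Constructed toy curve: y^2 = x^3 + x + 1
# over GF(23), small enough to enumerate all of its points.
P_MOD = 23
A, B = 1, 1
INF = None        # the point at infinity O

def inv(x):
    """Multiplicative inverse mod P_MOD (a prime), via Fermat's little theorem."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0

def all_points():
    """Every finite point of the curve (brute force, for checking)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def line_through(P1, P2):
    """Coefficients (l, m, n) of the line l*x + m*y + n = 0 through P1 and P2:
    the tangent if P1 == P2, the vertical line if P2 == -P1."""
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return (1, 0, (-x1) % P_MOD)                # x - x1 = 0
    if P1 == P2:
        slope = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        slope = (y2 - y1) * inv(x2 - x1) % P_MOD
    # y - y1 = slope * (x - x1)  ->  slope*x - y + (y1 - slope*x1) = 0
    return (slope, P_MOD - 1, (y1 - slope * x1) % P_MOD)

def evaluate(line, pt):
    l, m, n = line
    x, y = pt
    return (l * x + m * y + n) % P_MOD

def add(P1, P2):
    """Chord-and-tangent addition: the third intersection of the line, negated."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    slope, m, _ = line_through(P1, P2)
    if m == 0:                                      # vertical line: P1 = -P2
        return INF
    x3 = (slope * slope - P1[0] - P2[0]) % P_MOD
    y3 = (slope * (P1[0] - x3) - P1[1]) % P_MOD
    return (x3, y3)

def divisor_lines(P, R):
    """u: the line through P, R and -(P+R); v: the vertical line through
    P+R and -(P+R).  Then div(u/v) = (P) + (R) - (P+R) - (O)."""
    S = add(P, R)
    if S is INF:
        raise ValueError("P + R = O: the construction needs a finite P + R")
    return S, line_through(P, R), line_through(S, neg(S))

def zeros_match_divisor(P, R):
    """Check the finite zeros the identity predicts: u vanishes at P, R and
    -(P+R) and nowhere else on the curve; v vanishes exactly at P+R and -(P+R)."""
    S, u, v = divisor_lines(P, R)
    u_zeros = {Q for Q in all_points() if evaluate(u, Q) == 0}
    v_zeros = {Q for Q in all_points() if evaluate(v, Q) == 0}
    return u_zeros == {P, R, neg(S)} and v_zeros == {S, neg(S)}

if __name__ == "__main__":
    P, R = (3, 10), (9, 7)                          # two constructed curve points
    S, u, v = divisor_lines(P, R)
    print("P + R =", S, " u =", u, " v =", v)
    print("zeros agree with (P)+(R)-(P+R)-(O):", zeros_match_divisor(P, R))
```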

There are also other ways to avoid dealing with the point at infinity. Some of these are actually simpler to implement, but they're also a bit more difficult to understand. Maybe that's a topic for a future post.

Friday, 23 April 2010

The real benefit of cloud computing

Not too long ago, Amazon introduced its EC2 Spot Instances, a new approach to cloud computing. Here's how Amazon describes this:

Spot Instances are a new way to purchase and consume Amazon EC2 Instances. They allow customers to bid on unused Amazon EC2 capacity and run those instances for as long as their bid exceeds the current Spot Price. The Spot Price changes periodically based on supply and demand, and customers whose bids meet or exceed it gain access to the available Spot Instances. Spot Instances are complementary to On-Demand Instances and Reserved Instances, providing another option for obtaining compute capacity.

Essentially, EC2 Spot Instances lets you bid for unused time on Amazon's systems, and it's the first real step towards making computing a commodity service. I believe that the biggest impact of cloud computing will be from EC2 Spot Instances and similar offerings, but probably not in the way that most people would guess.

I really don't see cloud computing ever becoming a true commodity service. Despite all of the talk about standards for cloud computing, cloud vendors really have no incentive to make their technologies interoperable, so I doubt that we'll ever see it become a reality. The huge number of different national laws will also make it very difficult for cloud computing to ever become a true commodity. You'll always have requirements that certain data essentially can't leave national boundaries either due to regulatory restrictions or other political issues. I don't foresee an easy solution to these problems, so I don't foresee the market for cloud computing ever becoming quite like markets for other commodities. I doubt that we'll ever see things like derivatives and hedging for cloud computing, for example.

Instead, I see the real change that Amazon's offering will create is that people will start to question the value of computing and do a better job of trying to quantify it. After all, you really shouldn't be bidding for computing services if you don't really know how much the computing is really worth to you. Once businesses get accurate metrics for the cost and benefits of enterprise software, the enterprise software market will change dramatically.

I believe that the opportunity to buy cloud computing as a commodity, even on a relatively small scale, will get businesses to start thinking about exactly how much computing is worth to them. This will then lead them to think about exactly which applications are really worth their cost. Once they have more accurate metrics, I believe that they'll find that some enterprise computing simply isn't worth what they're paying for it. We'll eventually find that while some types of enterprise applications make sense, others don't. 

This will lead to either the collapse of parts of the enterprise software market or some difficult times for some software vendors as they try to make their offerings add value that's substantially more than the cost of the software. The products that remain after this big shake up will be the ones that should have been there in the first place. The products that disappear will be the ones that never should have been deployed. What we'll be left with will be much more efficient that what we have today, and that increased efficiency will be one of the biggest benefits from cloud computing.

Thursday, 22 April 2010

Science 2.0

I read an interesting article “Science 2.0 -- Is Open Access Science the Future?” in Scientific American a while ago. This article essentially asked whether or not the easy collaboration that the Internet allows will be a good thing or a bad thing for science. Interestingly, this article was actually based on comments that the on-line article, “Science 2.0: Great New Tool, or Great Risk?” received on the Scientific American web site, so it’s actually an example of the very type of collaboration that it talks about.

Supporters of open and collaborative science claim that it’s inherently more productive. That's definitely good. Critics of it say that if scientists aren’t careful then open and collaborative work can lead to ideas being stolen. Less-than-ethical people might take credit for someone else’s work. They might even patent it. That's definitely bad.

I personally wouldn’t want every step of my research published on-line, say in a blog or on Twitter. This is because when I’ve had jobs where I did research I found that for each good idea I had I also had several bad ideas, and if I openly talked about all of the bad ideas I’d probably look fairly foolish. On the other hand, I can also think of one particular case where someone might have pointed out a mistake that I was making and saved me six months of frustration. Overall, though, I don’t think that I’d like Science 2.0.

It seems to me that there are really two outputs from research: new knowledge and the people who understand what it took to gain the new knowledge. And it seems to me that although you might still get the first of these two with Science 2.0, the second really wouldn’t be the same. I believe that I learned more from my failures than from the successes, and that if you took away the pain of the failures, you’d also take away most of what you really learn from doing research. You might reach the end more quickly with Science 2.0, but the people doing the research wouldn’t get the same benefits from getting there as they would otherwise. In the long run, this will probably erode the ability of people to actually do significant research.

It will probably take a while to see whether open and collaborative research works or not, but you might wonder how the same approach might work for information security. That’s one area where openness is strongly encouraged. The principle that security technologies should be fairly open has been known for over 150 years and is essentially codified in Kerckhoffs’ principle.

Maybe we’re really already there. Although you won’t hear about the details of the research on Twitter, you can already find electronic publication copies of lots of research in cryptography on the IACR’s e-print server. These papers may not be the exact version that gets published, but they’re very close, and they definitely contain all of the new ideas, even if a few of the details of how they’re presented may eventually change.

Come to think of it, you can also get electronic copies of papers in other fields also. The Cornell University Library’s arXiv e-print server now has close to 600,000 papers from physics, computer science and mathematics. There are probably other similar sources out there that I don’t know about.

I don’t really see people doing many blog posts or tweets about the details of their research while I do see lots of papers becoming available on pre-print servers, so I suspect that’s where Science 2.0 is really headed.

Wednesday, 21 April 2010

More values of trig functions using radicals

I recently stumbled across the fact that there are nice, clean expressions for the sine and cosine of both π/5 and π/12. These turn out particularly simple for π/12, where we have that

$\sin(\pi/12) = \frac{-1 + \sqrt{3}}{2\sqrt{2}}$

and

$\cos(\pi/12) = \frac{1 + \sqrt{3}}{2\sqrt{2}}$

In high-school trigonometry, we learn these facts:

    n    cos(π/n)    sin(π/n)
    1    -1          0
    2    0           1
    3    1/2         √3/2
    4    √2/2        √2/2
    6    √3/2        1/2

I always assumed that we weren't taught the values of trig functions at other angles of the form π/n because they didn't have nice, clean forms, but it turns out that this isn't really true. Instead, a necessary and sufficient condition for it to be possible to write the trig functions of angles of the form π/n using radicals is that $\varphi(n)$ is a power of 2, that is, $\varphi(n) = 2^m$ for some integer $m$. The first several values for which this holds are the following:

1, 2, 3, 4, 5, 6, 8, 10, 12, 15, 16, 17, 20, 24, 30, 32, 34, 40, 48, 51, 60

These values are actually sequence A003401 in The On-Line Encyclopedia of Integer Sequences.
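Added example (not from the post): computing the list above directly from the condition that φ(n) is a power of 2, and checking the π/12 closed forms numerically. It goes one step beyond the post by also checking the classical radical expressions cos(π/5) = (1 + √5)/4 and sin(π/5) = √(10 - 2√5)/4, which the post mentions exist but does not write out.

```python
import math

def totient(n):
    """Euler's φ(n) by trial-division factoring (fine for small n)."""
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            while m % q == 0:
                m //= q
            result -= result // q
        q += 1
    if m > 1:                      # remaining prime factor
        result -= result // m
    return result

def is_power_of_two(k):
    return k > 0 and k & (k - 1) == 0

def radical_angle_denominators(limit):
    """All n <= limit for which sin(π/n) and cos(π/n) can be written with
    radicals, i.e. φ(n) is a power of 2 (OEIS A003401 up to limit)."""
    return [n for n in range(1, limit + 1) if is_power_of_two(totient(n))]

def radical_checks(tol=1e-12):
    """Compare the closed forms against the floating-point trig values."""
    s2, s3, s5 = math.sqrt(2), math.sqrt(3), math.sqrt(5)
    return {
        "sin(pi/12)": abs(math.sin(math.pi / 12) - (-1 + s3) / (2 * s2)) < tol,
        "cos(pi/12)": abs(math.cos(math.pi / 12) - (1 + s3) / (2 * s2)) < tol,
        # the π/5 forms are the classical ones, added here beyond the post
        "cos(pi/5)": abs(math.cos(math.pi / 5) - (1 + s5) / 4) < tol,
        "sin(pi/5)": abs(math.sin(math.pi / 5) - math.sqrt(10 - 2 * s5) / 4) < tol,
    }

if __name__ == "__main__":
    print(radical_angle_denominators(60))
    print(radical_checks())
```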

Tuesday, 20 April 2010

Desperate for LinkedIn connections

Some people out there seem to be extremely desperate for LinkedIn connections. I say this because lots of the Voltage email addresses that don't actually correspond to a real person (sales@voltage.com, etc.) are now getting requests to connect on LinkedIn. But because Sales (maybe it's actually Mr. Sales) doesn't actually know any of these people, Sales isn't accepting their requests to connect.

Maybe that's not such a good idea. If we had Sales sign up to LinkedIn, maybe they could leave annoying recommendations for people there. That might be fun.

Monday, 19 April 2010

Secret Message

It turns out that encryption can turn up in places where you really don't expect it. The text of the story "Secret Message" in Jeff Strand's Gleefully Macabre Tales is actually printed encrypted, for example. Here's how this story begins:

Gzqudx eqnvmdc zr gd nodmdc sgd kdssdq. Otqd fhaadqhrg. Vgzs vzr sghr, z bncd?

Gd zkvzxr dminxdc rnkuhmf sgd czhkx bqxosnfqzl hm sgd mdvrozodq, ats gd'c mdudq gzc nmd lzhkdc sn ghl adenqd. Sgdqd vzr mn qdstqm zccqdrr nm sgd dmudknod, itrs z knbzk onrslzqj. Hs vzr oqnazakx nmd ne ghr atcchdr okzxhmf z injd.

If you want to read the rest of the story, you'll have to pick a copy of Gleefully Macabre Tales. The limited edition from Delirium Books is out of print and fairly expensive, but the paperback version from Dark Regions Press isn't.

According to Jeff, the cryptography team at Voltage actually provided the first known decryption of "Secret Message." Yet another first for us.

(I was actually planning to do a post about The Jack Kerouac School of Disembodied Poetics. It’s part of Naropa University, one of the few places where you can get a BA in Contemplative Psychology, an MA in Transpersonal Counseling Psychology or do hands-on work in a Consciousness Laboratory. I was going to do this in the style of Jack Kerouac, but it got way too ugly so I stuck to "Secret Message" instead.)

Friday, 16 April 2010

Visitors to Voltage's web site


According to a web site traffic ranking web site that I came across today, the most common upstream web site for Voltage's corporate web site is actually an on-line dating site. That made me wonder exactly who is coming to Voltage's web site and why. (It also made me question the accuracy of the rankings, of course.) I would have thought that people would come to our site to learn about either Voltage's technologies or products, but I appear to be wrong in this particular case.

An alternative explanation is that there are lots of single, attractive men and women who work at Voltage, and people who view their on-line dating profiles want to learn more about who their employer is. If that's the case, our marketing people might be able to use this slogan as the basis for a campaign of some sort:

Voltage: it's not just our technology that's hot.

Thursday, 15 April 2010

That's a lot of tax

A bit of tax trivia. It's based on the data in Wikipedia, so I can't guarantee its accuracy, but according to the leading collaborative reference web site, the country of East Timor, sometimes known as Timor-Leste, has the world's highest tax revenue as a fraction of GDP. In the case of East Timor, it's actually 109.7%.

So it's no wonder there aren't many Voltage customers there. The TCO of our products may be a factor of three or more less than competing products, but when you're paying that much tax, it's probably even hard to justify buying SecureMail.

Thoughts on the PBA attack on RSA

The recent PBA attack on RSA signatures has much in common with software-based attacks like SQL injection, buffer overflows, and cross-site scripting. In all of these cases, an attack can only work if data isn't properly validated. With the software attacks, we're learning how to handle these. Teaching programmers to think in terms of all data being designed with the express purpose of breaking their code is a big part of this. That's why Voltage regularly does training on secure coding practices for its engineers. It looks like this point of view isn't being taught to hardware engineers yet.

The PBA attack worked by varying the input voltage to an operating piece of hardware. And just like an application can be vulnerable to a SQL injection attack if it doesn't adequately validate user-input data, the hardware that implements RSA signatures can be vulnerable to the PBA attack if it doesn't validate all of its inputs. In this particular case, the relevant input was the power supply voltage for a device. I don't know for sure, but I'd guess that the specification for the hardware that was used to demonstrate the PBA attack specified correct operation for some range of input voltages, but didn't specify exactly how it would handle voltages outside that range.

A way to handle this is much like the white-listing approach to filtering data to prevent XSS attacks. In the case of white-listing, only certain inputs are allowed. A similar approach to hardware might guarantee operation over a certain range of parameters (voltage, temperature, clock speed, etc.) and also guarantee well-defined behavior outside those ranges. It's well known that hackers can cause all sorts of interesting behavior in hardware by varying parameters like voltage, temperature and clock speed, so it might be appropriate to also specify well-defined behavior outside the specified ranges.

Wednesday, 14 April 2010

Power series, Taylor series and Fourier series


Here's another thing that I just recently realized and wish that someone had pointed out when I was in school. It concerns Taylor series and Fourier series. They're really the same thing.

Suppose (with a little bit of hand waving) that we have an analytic function that we write as

$f(z) = \sum a_n z^n$

If we write

$z = re^{i\theta}$

and substitute that back into the power series representation for $f(z)$ we get that

$f(re^{i\theta}) = \sum a_n (re^{i\theta})^n = \sum a_n r^n e^{in\theta}$

Now suppose that we fix $\theta$. In that case we can write

$f(r) = \sum (a_n e^{in\theta})\, r^n = \sum A_n r^n$

which is just a Taylor series.

If we fix $r$ then we can write

$f(\theta) = \sum (a_n r^n)\, e^{in\theta} = \sum B_n e^{in\theta}$

which is just a Fourier series.

To get the coefficients of a Taylor series, you calculate lots of derivatives. To get the coefficients of a Fourier series, you calculate lots of integrals. The fact that these two types of series are closely related probably tells you something profound about the connection between differentiation and integration of functions of a complex variable if you think about it for a while.
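Added example (not from the post), taking f(z) = e^z, whose Taylor coefficients a_n = 1/n! come from derivatives: the Fourier coefficients B_n on the circle |z| = r are computed by numerical integration and compared with a_n r^n, which is the correspondence described above. The radius and the sample count are arbitrary choices.

```python
import cmath
import math

def fourier_coefficient(f, r, n, samples=1024):
    """B_n = (1/2π) ∫_0^{2π} f(r e^{iθ}) e^{-inθ} dθ, approximated by the
    trapezoid rule on a uniform grid, which is spectrally accurate for an
    analytic periodic integrand like this one."""
    total = 0j
    for k in range(samples):
        theta = 2 * math.pi * k / samples
        total += f(r * cmath.exp(1j * theta)) * cmath.exp(-1j * n * theta)
    return total / samples

def taylor_coefficient_exp(n):
    """a_n for e^z from the derivative side: f^(n)(0) / n! = 1 / n!."""
    return 1.0 / math.factorial(n)

def taylor_from_circle(f, n, r=0.5):
    """Recover a_n = B_n / r^n from an integral on |z| = r: the Fourier
    coefficient at radius r carries the Taylor coefficient, scaled by r^n."""
    return fourier_coefficient(f, r, n) / r**n

def correspondence_holds(r, n, tol=1e-9):
    """B_n == a_n r^n for e^z at radius r.  For n < 0 the power series has
    no term, so B_n must come out as zero."""
    B = fourier_coefficient(cmath.exp, r, n)
    a = taylor_coefficient_exp(n) if n >= 0 else 0.0
    return abs(B - a * r**n) < tol

if __name__ == "__main__":
    r = 0.5
    for n in range(-1, 5):
        B = fourier_coefficient(cmath.exp, r, n)
        print(f"n={n:2d}  B_n={B.real: .8f}  a_n r^n="
              f"{(taylor_coefficient_exp(n) * r**n if n >= 0 else 0.0): .8f}")
```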

Tuesday, 13 April 2010

How many factors can we expect?

To use the RSA public-key scheme you need to generate a large number that's the product of two primes. The usual way to do this is to generate two primes and multiply them together. Suppose that we just pick a large number at random. What are the chances that it's of this form? In other words, what is the probability that a large number is the product of two primes? That's not an easy question to answer, but a closely related question is: what is the probability that a large number is the product of two distinct primes?

We can write 15 = 3 × 5, so 15 is the product of two primes. It's also the product of two distinct primes. But because we can write 45 = 3 × 3 × 5 = $3^2$ × 5, 45 is the product of three primes, but only the product of two distinct primes.

A profound theorem by Paul Erdős and Mark Kac (the Erdős-Kac theorem) tells us that the number of distinct prime factors of an integer n is asymptotically normally distributed, and has both mean and variance equal to log log n. Even for numbers as big as the ones that we commonly use in cryptography, log log n isn't very big, so such numbers tend to not have too many distinct prime factors.

Here's what log log n looks like for common RSA key sizes.

    n          log log n
    2^1024     6.65496
    2^2048     7.25811
    2^3072     7.66357

This means that we can expect a 1,024-bit number or 2,048-bit number to have about seven distinct prime factors, and we can expect a 3,072-bit number to have about eight distinct prime factors. Because log log n grows so slowly, there's really not much difference between the number of distinct factors that we expect over this huge range. So even for numbers as big as those that we encounter in cryptography, we really don’t expect numbers to have too many distinct prime factors.

Monday, 12 April 2010

Clod computing

Clod computing - when the only thing missing from cloud computing is "U."

Friday, 09 April 2010

Peer-reviewed spam

After the spam message that invited me to submit a paper to The 14th World Multi-Conference on Systemics, Cybernetics and Informatics, the conference that's probably most famous for accepting a computer-generated paper, I received another similar message. This one was from the same people who organize WMCSI 14, and it turns out that they're also organizing the 2nd International Conference on Peer Reviewing. Here's an interesting blurb from the ICPR web site:

Empirical studies have shown that assessments made by independent reviewers of papers submitted to journals and abstracts submitted to conferences are no [sic] reproducible, i.e. agreement between reviewers is about what is expected by chance alone. Rothwell and Martyn (2000), for example, analyzed the statistical correlations among reviewers' recommendations (made to two journals and two conferences) by analysis of variance and found out that for one journal "was not significantly greater than that expected by chance" and, in general, agreement between reviewers "was little greater than would be expected by chance alone."

The Rothwell and Martyn (2000) reference is available here, and the ICPR blurb seems to be an accurate summary of its findings. It looks like your ability to flip a coin and have it come up "heads" is just as good a predictor of whether or not a reviewer will like your paper as any other indicator is. That's not entirely encouraging, is it?

Thursday, 08 April 2010

What it's like to write

I recently came across an interesting blog post that talked about teaching writing. Here's what its author, Art Scheck, had to say about this:

Here's my biggest problem with teaching composition: I have no idea where good sentences come from. Most of the time, strings of words just appear in my noggin. When I'm stuck for a word, phrase, or clause, I wait awhile, and what I need floats up from my subconscious. I don't know what's happening while I wait for words. Somewhere, scads of neurons are working hard, but I can't see that work going on. The genesis of sentences remains a perfect mystery to me.

When I read that I thought That's exactly right! Where do the words come from? I don't know either.

It's probably fair to say that I've done a fair amount of writing - maybe not as much as the real pros write, but definitely more than the average guy on the street does. Despite this, I still don't know where the words come from, and there's nothing more frustrating than having a deadline approaching and for those strings of words to not mysteriously appear in your head.

Scheck went on to say this:

None of that means that writing is easy for me. I write slowly, I revise a lot, and my brain is tuckered out when I stop.

Another case of That's exactly right! My rule of thumb is that for each hour I spend writing I spend at least five hours editing, and it's definitely hard work. It's good to see that it's not just me who feels this way.

When Security Measures Don't Catch Anyone

Suppose you implement a security measure. Maybe it's a home alarm, maybe it's a security checkpoint before entering a building, it might even be putting tighter login requirements on a network.

You now sit back and wait to see how many people you catch. How many thieves trip your alarm and are hauled off to jail? How many corporate spies are now discovered at the checkpoint? How many crackers are denied entry into your network because of the new login protocol?

Suppose there are none. Why is that? I would imagine there are three main reasons.

  1. No one was trying to break in before and no one is trying to break in now.
  2. The security measures are not working.
  3. Anyone who might try to break in sees the new measures and does not try to infiltrate, or at least does not try to infiltrate at that point.

Let's look at number 3 with a story about people improperly using a parking lot. Voltage HQ is in an office complex near a high school. Every morning when school is in session, there's a security guard standing at the entrance to the parking lot nearest the high school. In the past, parents dropping their kids off would turn around in the parking lot, creating congestion for the valid tenants. A sign posted saying the parking lot is not for turning around apparently did not do the trick. So the building owners have to hire a security guard to watch the people entering the parking lot.

Every morning, the security guard does nothing but stand there. With him there, no one tries to improperly use the parking lot. The moral of the story? Implement a security measure and it looks like you don't need it. Don't implement it and you need it.

A recent episode of "Real Sports with Bryant Gumbel" supplies another example. The show reported on the governing body charged with enforcing drug rules for US Olympic (and potential Olympic) athletes. The program makes life much more difficult for the athletes, and some think it is not a successful program. The measure of failure is that very few athletes have been caught using banned substances. However, another explanation for the low rate of capture is that people don't try to cheat if they think there is a good chance they'll get caught.

Some people try to use fake security for this very reason. Maybe they've seen that burglars rarely rob houses with Pit Bulls, Rottweilers, or German Shepherds. So they put up signs announcing a guard dog on duty, even when there is none. Fake surveillance cameras, signs declaring that a home security system is installed, mannequins, recordings of people noise, and randomly turning lights on and off are supposed to make the bad guys move on to an easier target.

My guess is, such fake security is easily found out to be fake. It's probably a case that if you want security, you pretty much have to pony up for it.

In IT, fake security works even less well. Someone might not pay for email encryption, but still say, "You can't read this email, it's encrypted." It would take very little effort to see that the statement is false. How about someone announcing that they have just implemented new measures to protect credit card numbers while in storage? That might thwart attackers for all of 10 minutes.

In IT, if you want security, fake won't do it. Besides, some attackers will be attracted to an enterprise that announces security: it's a challenge. They will test it immediately and, of course, see immediately if it is fake.

So in IT, if you implement security measures, and describe exactly what they are, some attackers will indeed move on. Others will try to break it anyway, and others still will not have heard the announcement and will try to break in anyway. And then others will look for other vulnerabilities.

It seems to me, though, that if you have some metrics on attack attempts, employing security might cause those numbers to go down. Then you might feel as if the problem has gotten so much smaller, that you're spending too much money.

This is why it's probably a bit more difficult to sell security. If you don't have it, you see a problem. If you do have it, it looks as if the problem went away, so why spend money on it?

But the real way to look at it is this: "We had a problem, we spent money on security, and the problem is now gone. The security worked."

Wednesday, 07 April 2010

Isomorphic elliptic curves

Elliptic curves with the same j-invariant are isomorphic. But exactly where are they isomorphic?

Consider the elliptic curve over the rationals given by

y² = x³ + b

Let's use E_tors to represent the group of points of finite order on the curve E and #E_tors to represent the number of points in E_tors. The structure of E_tors as well as the value of #E_tors depends on what the value of b is. Here's what we get for a few different curves with different values of b:

Curve          #E_tors   Structure of E_tors
y² = x³ + 1    6         Z6 = <(2,3)>
y² = x³ + 2    1         Z1 = {O}
y² = x³ + 4    3         Z3 = <(0,2)>
y² = x³ + 8    2         Z2 = <(-2,0)>
y² = x³ + 9    3         Z3 = <(0,3)>

Each of these curves has the same j-invariant. In each case we have that j = 0, but the structure of E_tors varies from curve to curve.

Here's another example of curves with the same j-invariant that have different structures for E_tors:

Curve          #E_tors   Structure of E_tors
y² = x³ + x    2         Z2 = <(0,0)>
y² = x³ + 4x   4         Z4 = <(2,4)>
y² = x³ - 4x   4         Z2 × Z2 = <(2,0),(0,0)>

Curves with the same j-invariant are supposed to be isomorphic. What's going on here?

Curves with the same j-invariant are only isomorphic over some extension field, not over the field that the elliptic curves are defined over. So although the curves in these examples aren't isomorphic over the rational numbers, they're isomorphic over some extension to the rational numbers.

Let E be the elliptic curve given by

y² = x³ + 1

and E′ be the elliptic curve given by

y² = x³ + 4

We can write the isomorphism φ: E → E′ as

φ(x,y) = (c²x, c³y)

where

c = ∛2

Here's what we get when we look at what happens to the subgroup of points on E generated by P = (2,3) under the isomorphism φ, where φ(P) = P′, etc.

Point on E    Multiple of P    Point on E′         Multiple of P′
(2, 3)        1                (2^(5/3), 6)        1
(0, 1)        2                (0, 2)              2
(-1, 0)       3                (-2^(2/3), 0)       3
(0, -1)       4                (0, -2)             4
(2, -3)       5                (2^(5/3), -6)       5
O             6                O                   6

Not all of the multiples of  φ(P) = P′ have rational coordinates, but the ones that do give us a subgroup isomorphic to Z3. So if we insist on rational coordinates, then we find that we only have three points of finite order, but if we extend what we allow for the coordinates of points to include ∛2 then we find that we have all six points. So although E and E′ aren't isomorphic over the rationals, they're isomorphic over an extension of the rationals that includes ∛2.
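Here is a small added example (my own code, not part of the original post) that checks the tables above with exact rational arithmetic. It implements chord-and-tangent addition on y² = x³ + a·x + b over Q, computes the order of each generator listed in the tables, and then applies φ(x,y) = (c²x, c³y) with c = ∛2 to the multiples of P = (2,3). Since c³ = 2 and c⁶ = 4, an image point can be stored as a pair (u, y′) meaning x′ = u·c², and it is rational exactly when u = 0. In general the same substitution takes y² = x³ + b to y² = x³ + c⁶b, so two curves with j = 0 become isomorphic once c⁶ = b′/b is adjoined.

```python
from fractions import Fraction as F

# Added example, not code from the original post: exact arithmetic on
# y² = x³ + a·x + b over the rationals, used to check the torsion tables
# and the isomorphism φ from E: y² = x³ + 1 to E′: y² = x³ + 4.

O = None  # the point at infinity, identity of the group


def on_curve(P, a, b):
    """True if P satisfies y² = x³ + a·x + b (O is always on the curve)."""
    if P is O:
        return True
    x, y = F(P[0]), F(P[1])
    return y * y == x ** 3 + a * x + b


def add(P, Q, a):
    """Chord-and-tangent addition on y² = x³ + a·x + b (b is not needed)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = F(P[0]), F(P[1])
    x2, y2 = F(Q[0]), F(Q[1])
    if x1 == x2 and y1 == -y2:        # P + (-P) = O; covers 2-torsion points (y = 0)
        return O
    if x1 == x2:                      # doubling: slope of the tangent
        lam = (3 * x1 * x1 + a) / (2 * y1)
    else:                             # distinct points: slope of the chord
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    y3 = lam * (x1 - x3) - y1
    return (x3, y3)


def multiples(P, a, limit=12):
    """[(n, nP)] up to and including the first nP = O.  By Mazur's theorem a
    rational torsion point has order at most 12, so if O has not appeared by
    then P has infinite order and None is returned."""
    out, Q = [], P
    for n in range(1, limit + 1):
        out.append((n, Q))
        if Q is O:
            return out
        Q = add(Q, P, a)
    return None


def order(P, a, limit=12):
    """Order of P if it is a torsion point, else None."""
    m = multiples(P, a, limit)
    return None if m is None else m[-1][0]


# ---- the isomorphism φ: E → E′ -------------------------------------------
# With c = ∛2 we have c³ = 2 and c⁶ = 4, so φ(x, y) = (c²·x, c³·y) = (c²·x, 2y).
# An image point is stored as (u, y′) meaning x′ = u·c²; y′ stays rational.

def phi(P):
    if P is O:
        return O
    return (F(P[0]), 2 * F(P[1]))


def image_on_E_prime(img):
    """Check y′² = x′³ + 4 with x′ = u·c²:  x′³ = u³·c⁶ = 4u³."""
    if img is O:
        return True
    u, yp = img
    return yp * yp == 4 * u ** 3 + 4


def image_is_rational(img):
    """x′ = u·c² is rational only when u = 0, because c² = ∛4 is irrational."""
    return img is O or img[0] == 0


def rational_image_count(P, a):
    """How many of φ(P), φ(2P), ..., φ(nP) = O have rational coordinates."""
    return sum(1 for _, Q in multiples(P, a) if image_is_rational(phi(Q)))


if __name__ == "__main__":
    P = (2, 3)                                   # generator of E_tors on y² = x³ + 1
    for n, Q in multiples(P, 0):
        img = phi(Q)
        print(n, Q, "->", img, "rational" if image_is_rational(img) else "needs ∛2")
    print("order of (2,3) on y² = x³ + 1:", order(P, 0))
    print("rational points among the images:", rational_image_count(P, 0))
```

Running it lists the six multiples of (2,3), shows that every image satisfies y′² = x′³ + 4, and counts three rational images ((0,2), (0,-2) and O), which is the Z3 subgroup in the second table. `order((-1, 1), 0)` on y² = x³ + 2 returns None, matching the trivial torsion group listed for that curve.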

The "tors" in "E_tors" stands for "torsion." Points of finite order on an elliptic curve are sometimes called "torsion points," but nobody quite seems to know exactly why. If you know this bit of elliptic curve history, be sure to let me know.

Tuesday, 06 April 2010

Following security policies


I just heard an interesting story that may show why having checklists for security isn't quite as good as having people use their good judgment to carry out the intent of security policies. This story concerned the way in which the TSA apparently inspected a traveler's luggage.

The storyteller's wife was recently flying from Albuquerque to San Jose. Knowing that the TSA randomly inspects luggage, she didn't lock the bags shut. Instead, she fastened the lock that came with her bag to one of the pull tabs of the zipper. This didn't stop the zipper from functioning, of course. To lock a bag shut you need to run the lock through two pull tabs. A lock on a single pull tab just makes a fancier pull tab and doesn't actually stop anyone from getting into your luggage.

When she got home, she noticed that the pull tabs of the bag had been torn from the bag, which contained a note from the TSA explaining how they had opened her bag for inspection. Apparently, the TSA just rips off any locks on luggage, even if they're not actually locking anything shut, and it doesn't leave it to the judgment of an individual TSA employee to decide whether or not a particular lock actually needs to be ripped off.

Monday, 05 April 2010

Data Masking: Runtime Data Aliasing

I just read an interesting Burton Group report Data Masking: Runtime Data Aliasing. Here's a high-level summary of the report's findings:

Bottom Line: Enterprises should increase their focus on developing an information-centric security strategy. Data aliasing can be used to reduce the amount of confidential data processed and the number of locations it's stored. Runtime data aliasing is the reversible replacement of confidential data with similarly formatted surrogates. Data can be aliased using format-preserving encryption or (pseudo) random replacement using a lookup database. Data modeling and architectural concerns drive the design and implementation of the enterprise data aliasing solution. Data aliasing can complement or replace traditional application- and database-level encryption used or considered by the enterprise.

This report does an excellent job of comparing and contrasting the different ways (suppression, redaction, aliasing and anonymization) to do data masking. Here's how this report summarizes these techniques:

Data masking method | Security and privacy properties | Data management properties

Suppression | Completely removing a set of data items to protect it from disclosure, as well as many privacy attacks, although some privacy attacks may make use of relationships with or in the unsuppressed items. | Alters the semantic value of the data by making data values inaccessible to applications.

Redaction | Irreversibly blocking part or all of a data item to protect a data item from full or partial disclosure, but which, although it often destroys relationships to other data, does not necessarily protect data from all privacy attacks. | Offers better context preservation than suppression but the semantic value of the remaining text may be incorrect or misleading.

Aliasing (pseudonymization) | Reversibly transforming part or all of a data item to protect a data item from full or partial disclosure, but which is not designed to protect data from all privacy attacks (e.g., inference attacks) because data relationships may be maintained. | Offers better context preservation than suppression but the semantic value of the remaining text may be incorrect or misleading.

Anonymization | Manipulating data to maintain desired information properties, using a combination of methods that is designed to create an irreversible transform resistant to disclosure and privacy attacks. | Best for semantic behavior preservation and certain statistical behavioral measures although the resultant data may be unsuitable for testing application logic.
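To make the four rows concrete, here is an added example of my own (not code from the Burton Group report or from any Voltage product) that applies each method to a few constructed records. Aliasing is done the way the report's second option describes, random replacement through a lookup table rather than format-preserving encryption; the choice to give each surrogate a valid Luhn check digit is my assumption about what "similarly formatted" needs to mean for a card number if downstream validation is to keep working. Note the property the table warns about: the same input always gets the same alias, so joins still work but so do inference attacks, and the lookup table itself now needs the protection the original values had.

```python
import secrets

# Added example, not from the Burton Group report: suppression, redaction,
# aliasing (lookup-table pseudonymization) and anonymization side by side.

SAMPLE = [  # constructed test records; the card numbers are standard test PANs
    {"name": "Alice Example", "pan": "4111111111111111", "zip": "95126", "age": 34},
    {"name": "Bob Sample",    "pan": "5500000000000004", "zip": "95131", "age": 41},
    {"name": "Alice Example", "pan": "4111111111111111", "zip": "95126", "age": 34},
]


def luhn_check_digit(body):
    """Check digit d such that body + d passes the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # the digit next to the check digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def suppress(record, fields):
    """Suppression: the items are dropped; applications no longer see them."""
    return {k: v for k, v in record.items() if k not in fields}


def redact_pan(pan):
    """Redaction: irreversibly blank everything but the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class Aliaser:
    """Aliasing (pseudonymization) by random replacement with a lookup table.
    Surrogates keep the format (same length, digits only, valid Luhn check
    digit), and the table makes the mapping reversible.  The table is now the
    secret: whoever reads it recovers every original value."""

    def __init__(self):
        self.forward, self.reverse = {}, {}

    def alias(self, pan):
        if pan in self.forward:            # deterministic: relationships are preserved
            return self.forward[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            surrogate = body + luhn_check_digit(body)
            if surrogate != pan and surrogate not in self.reverse:
                break
        self.forward[pan] = surrogate
        self.reverse[surrogate] = pan
        return surrogate

    def unalias(self, surrogate):
        return self.reverse[surrogate]


def anonymize(record):
    """Anonymization by generalization: keep statistical shape (ZIP prefix,
    age band), drop identifiers, and make the transform irreversible."""
    lo = record["age"] // 10 * 10
    return {"zip3": record["zip"][:3], "age_band": f"{lo}-{lo + 9}"}


def mask_dataset(records, aliaser):
    """A test-data extract: aliased PAN for application logic, redacted PAN
    for display, name and raw PAN suppressed, ZIP and age left as they are."""
    return [
        {"pan_alias": aliaser.alias(r["pan"]),
         "pan_redacted": redact_pan(r["pan"]),
         **suppress(r, {"name", "pan"})}
        for r in records
    ]


if __name__ == "__main__":
    a = Aliaser()
    for row in mask_dataset(SAMPLE, a):
        print(row)
    print([anonymize(r) for r in SAMPLE])
    print("reversible:", a.unalias(a.alias(SAMPLE[0]["pan"])) == SAMPLE[0]["pan"])
```

In the masked output the first and third rows carry the same alias, which is what lets test code exercise joins and dedup logic, and also what lets an attacker with auxiliary data link them; the anonymized rows cannot be linked back at all, which is why the report calls them unsuitable for testing application logic.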

This is the first time that I've seen a careful description of the different ways to mask sensitive data. There's more analysis of the strengths and weaknesses of each of the four approaches to data masking in this report. It looks like you can't buy a copy of this report from the Burton Group's web site - you might only be able to get a copy if you subscribe to their service. I hope that there are other ways for people to get copies of this report. It's definitely worth reading.

You can also contact the author of the report, Ramon Krikken (ramonkrikken on Twitter) if you have more questions about this report.  

Friday, 02 April 2010

The Information Age began in 2007

The Economist recently had a special report on managing information. There was some information in this report that I hadn't seen before, and that was the fact that there's now more information being created each year than the amount of available storage to hold the new information. According to the IDC research that The Economist cites, it's actually been this way since 2007, so I'll claim that's when the Information Age really began. So we're not just creating more and more information each year. We're also losing more and more information, because there's no place to store it.

The article in The Economist doesn't do more than identify the trend of huge amounts of information being created and claim that the trend is important to understand. The experts that they quote in their report don't really do any better. They all agree that things are going to be very different in the future, and learning how to make sense of all of the available data is going to be even more important in the future than it is now, but that's about as much as they can say.

I'd guess that a dramatic loss of privacy is one of the biggest changes that we'll see in the future from the huge amounts of information that will be available. Maybe that's not a big deal to people who grow up posting all the details of their lives on the Internet, but that's not something that I'm looking forward to.

Best April Fools' post

Out of the thousands (millions?) of April Fools' blog posts out there, I found one particularly entertaining: the one by Greg Mankiw that claimed that Harvard was going to auction off 100 slots to next year's incoming class. Here's what he said:

Today is the day Harvard announces admission decisions to the college.  Moreover, as you may know, Harvard has been struggling with a sizable budget shortfall.  The budget problem, however, has now been solved.  Harvard has decided to auction off 100 slots in next year's freshman class to the highest bidders.  If you are interested in entering a bid or learning more about the program, click here.  Bids are due by the end of the day.

At Voltage, of course, we're known for our innovative security technologies instead of our sense of humor, so you won't find anything like Mankiw's post here. Or if it's here it will probably be buried in some arcane discussion of elliptic curves that almost nobody will actually read.

Thursday, 01 April 2010

New Application for FPE - VoIP

There has been a lot of attention over the past few months on how Format Preserving Encryption (FPE) can be applied to secure end-to-end encryption of credit card payments, but FPE also has applicability in other areas. For example, I recently heard of a novel use of FPE for VoIP systems.

While it is clear that IBE could be used to secure the Session Initiation Protocol (SIP) by using the Request-URI as the identity, IBE could not be used for securing the Real-time Transport Protocol (RTP) stream.  This is where FPE comes in.

From my last blog post one can see how you can encrypt, say, a street address to another street address using regular expressions.  This new application of FPE is similarly used to encrypt the voice stream of a VoIP call.

In this new use of FPE a spoken noun is encrypted to another spoken noun, a spoken verb to another spoken verb etc.  

The receiver of the voice stream can then decrypt to the original voice stream.

For example: Alice, the call originator, wants to leave a critical voice message for Bob. She speaks the phrase "Bob, the iPad is delayed by a critical hardware error, short Apple stock", but using FPE in this new mode the message is left in Bob's voicemail as: "Bill, the iPhone is on-time because of excellent software, buy AT&T stores".

Rather than use regular expressions, this new method uses something called irregular expressions.  We hope to make it available in the upcoming 4.1 release of the Voltage Encryption Toolkit.

Altering memories

[Image: Dali, The Persistence of Memory]

I recently read an interesting article in the Wall Street Journal about altering memories, and I don't mean the DRAM that your desktop computer uses. Apparently it's possible to permanently change your memories. This sounds like something that Philip K. Dick might have used in one of his science-fiction stories like "We Can Remember It For You Wholesale," the story that the movie Total Recall was based upon. Or maybe it's more like something from Richard Condon's The Manchurian Candidate, the basis for the movie with the same name.

And although researchers claim that their work is only meant to replace traumatic memories, like those that combat veterans or crime victims might have, with less troubling ones, the possibility for other uses seems to be even more attractive. Imagine how intelligence agencies could use the ability to selectively alter memories, for example.

The ethical implications of that use alone make me wonder whether this research is really something that we ought to be doing. Like Douglas Quail in "We Can Remember It For You Wholesale," we might end up not knowing exactly what's real and what's not.
