Cypherpunk

Before the mailing list

Until about the 1970s, cryptography was mainly practiced in secret by military or spy agencies. However, that changed when two publications brought it into public awareness: the first publicly available work on public-key cryptography, by Whitfield Diffie and Martin Hellman,^[5] and the US government publication of the Data Encryption Standard (DES), a block cipher which became very widely used.

The technical roots of Cypherpunk ideas have been traced back to work by cryptographer David Chaum on topics such as anonymous digital cash and pseudonymous reputation systems, described in his paper "Security without Identification: Transaction Systems to Make Big Brother Obsolete" (1985).^[6]

In the late 1980s, these ideas coalesced into something like a movement.^[6]

Etymology and the Cypherpunks mailing list

In late 1992, Eric Hughes, Timothy C. May, and John Gilmore founded a small group that met monthly at Gilmore's company Cygnus Solutions in the San Francisco Bay Area and was humorously termed cypherpunks by Jude Milhon at one of the first meetings—derived from cipher and cyberpunk.^[7] In November 2006, the word was added to the Oxford English Dictionary.^[8]

The Cypherpunks mailing list was started in 1992, and by 1994 had 700 subscribers.^[7] At its peak, it was a very active forum with technical discussions ranging over mathematics, cryptography, computer science, political and philosophical discussion, personal arguments and attacks, etc., with some spam thrown in. An email from John Gilmore reports an average of 30 messages a day from December 1, 1996, to March 1, 1999, and suggests that the number was probably higher earlier.^[9] The number of subscribers is estimated to have reached 2,000 in the year 1997.^[7]

In early 1997, Jim Choate and Igor Chudov set up the Cypherpunks Distributed Remailer,^[10] a network of independent mailing list nodes intended to eliminate the single point of failure inherent in a centralized list architecture. At its peak, the Cypherpunks Distributed Remailer included at least seven nodes.^[11] By mid-2005, al-qaeda.net ran the only remaining node.^[12] In mid-2013, following a brief outage, the al-qaeda.net node's list software was changed from Majordomo to GNU Mailman,^[13] and subsequently the node was renamed to cpunks.org.^[14] The CDR architecture is now defunct, though the list administrator stated in 2013 that he was exploring a way to integrate this functionality with the new mailing list software.^[13]

For a time, the cypherpunks mailing list was a popular tool with mailbombers,^[15] who would subscribe a victim to the mailing list in order to cause a deluge of messages to be sent to him or her. (This was usually done as a prank, in contrast to the style of terrorist referred to as a mailbomber.) This precipitated the mailing list sysop(s) to institute a reply-to-subscribe system. Approximately two hundred messages a day was typical for the mailing list, divided between personal arguments and attacks, political discussion, technical discussion, and early spam.^[16][17]

The cypherpunks mailing list had extensive discussions of the public policy issues related to cryptography and on the politics and philosophy of concepts such as anonymity, pseudonyms, reputation, and privacy. These discussions continue both on the remaining node and elsewhere as the list has become increasingly moribund.^{[citation needed]}

Events such as the GURPS Cyberpunk raid^[18] lent weight to the idea that private individuals needed to take steps to protect their privacy. In its heyday, the list discussed public policy issues related to cryptography, as well as more practical nuts-and-bolts mathematical, computational, technological, and cryptographic matters. The list had a range of viewpoints and there was probably no completely unanimous agreement on anything. The general attitude, though, definitely put personal privacy and personal liberty above all other considerations.^[19]

Privacy of communications

A very basic cypherpunk issue is privacy in communications and data retention. John Gilmore said he wanted "a guarantee -- with physics and mathematics, not with laws -- that we can give ourselves real privacy of personal communications."^[30]

Such guarantees require strong cryptography, so cypherpunks are fundamentally opposed to government policies attempting to control the usage or export of cryptography, which remained an issue throughout the late 1990s. The Cypherpunk Manifesto stated "Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act."^[25]

This was a central issue for many cypherpunks. Most were passionately opposed to various government attempts to limit cryptography—export laws, promotion of limited key length ciphers, and especially escrowed encryption.

Anonymity and pseudonyms

The questions of anonymity, pseudonymity and reputation were also extensively discussed.

Arguably, the possibility of anonymous speech, and publication is vital for an open society and genuine freedom of speech—this is the position of most cypherpunks.^[31]

Censorship and monitoring

In general, cypherpunks opposed the censorship and monitoring from government and police.

In particular, the US government's Clipper chip scheme for escrowed encryption of telephone conversations (encryption supposedly secure against most attackers, but breakable by government) was seen as anathema by many on the list. This was an issue that provoked strong opposition and brought many new recruits to the cypherpunk ranks. List participant Matt Blaze found a serious flaw^[32] in the scheme, helping to hasten its demise.

Steven Schear first suggested the warrant canary in 2002 to thwart the secrecy provisions of court orders and national security letters.^[33] As of 2013^[update], warrant canaries are gaining commercial acceptance.^[34]

Hiding the act of hiding

This section does not cite any sources. (January 2023)

An important set of discussions concerns the use of cryptography in the presence of oppressive authorities. As a result, Cypherpunks have discussed and improved steganographic methods that hide the use of crypto itself, or that allow interrogators to believe that they have forcibly extracted hidden information from a subject. For instance, Rubberhose was a tool that partitioned and intermixed secret data on a drive with fake secret data, each of which accessed via a different password. Interrogators, having extracted a password, are led to believe that they have indeed unlocked the desired secrets, whereas in reality the actual data is still hidden. In other words, even its presence is hidden. Likewise, cypherpunks have also discussed under what conditions encryption may be used without being noticed by network monitoring systems installed by oppressive regimes.

Software projects

Anonymous remailers such as the Mixmaster Remailer were almost entirely a cypherpunk development.^[36] Other cypherpunk-related projects include PGP for email privacy,^[37] FreeS/WAN for opportunistic encryption of the whole net, Off-the-record messaging for privacy in Internet chat, and the Tor project for anonymous web surfing.

Hardware

In 1998, the Electronic Frontier Foundation, with assistance from the mailing list, built a $200,000 machine that could brute-force a Data Encryption Standard key in a few days.^[38] The project demonstrated that DES was, without question, insecure and obsolete, in sharp contrast to the US government's recommendation of the algorithm.

Expert panels

Cypherpunks also participated, along with other experts, in several reports on cryptographic matters.

One such paper was "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security".^[39] It suggested 75 bits was the minimum key size to allow an existing cipher to be considered secure and kept in service. At the time, the Data Encryption Standard with 56-bit keys was still a US government standard, mandatory for some applications.

Other papers were critical analysis of government schemes. "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption",^[40] evaluated escrowed encryption proposals. Comments on the Carnivore System Technical Review.^[41] looked at an FBI scheme for monitoring email.

Cypherpunks provided significant input to the 1996 National Research Council report on encryption policy, Cryptography's Role In Securing the Information Society (CRISIS).^[42] This report, commissioned by the U.S. Congress in 1993, was developed via extensive hearings across the nation from all interested stakeholders, by a committee of talented people. It recommended a gradual relaxation of the existing U.S. government restrictions on encryption. Like many such study reports, its conclusions were largely ignored by policy-makers. Later events such as the final rulings in the cypherpunks lawsuits forced a more complete relaxation of the unconstitutional controls on encryption software.

Lawsuits

Cypherpunks have filed a number of lawsuits, mostly suits against the US government alleging that some government action is unconstitutional.

Phil Karn sued the State Department in 1994 over cryptography export controls^[43] after they ruled that, while the book Applied Cryptography^[44] could legally be exported, a floppy disk containing a verbatim copy of code printed in the book was legally a munition and required an export permit, which they refused to grant. Karn also appeared before both House and Senate committees looking at cryptography issues.

Daniel J. Bernstein, supported by the EFF, also sued over the export restrictions, arguing that preventing publication of cryptographic source code is an unconstitutional restriction on freedom of speech. He won, effectively overturning the export law. See Bernstein v. United States for details.

Peter Junger also sued on similar grounds, and won.^{[citation needed][45]}

Civil disobedience

Cypherpunks encouraged civil disobedience, in particular, US law on the export of cryptography.^{[citation needed]} Until 1997, cryptographic code was legally a munition and fell under ITAR, and the key length restrictions in the EAR was not removed until 2000.^[46]

In 1995 Adam Back wrote a version of the RSA algorithm for public-key cryptography in three lines of Perl^[47][48] and suggested people use it as an email signature file:

# !/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

Vince Cate put up a web page that invited anyone to become an international arms trafficker; every time someone clicked on the form, an export-restricted item—originally PGP, later a copy of Back's program—would be mailed from a US server to one in Anguilla.^[49][50][51]

Cypherpunk fiction

In Neal Stephenson's novel Cryptonomicon many characters are on the "Secret Admirers" mailing list. This is fairly obviously based on the cypherpunks list, and several well-known cypherpunks are mentioned in the acknowledgements. Much of the plot revolves around cypherpunk ideas; the leading characters are building a data haven which will allow anonymous financial transactions, and the book is full of cryptography. But, according to the author^[52] the book's title is—in spite of its similarity—not based on the Cyphernomicon,^[29] an online cypherpunk FAQ document.

Legacy

Cypherpunk achievements would later also be used on the Canadian e-wallet, the MintChip, and the creation of bitcoin. It was an inspiration for CryptoParty decades later to such an extent that A Cypherpunk's Manifesto is quoted at the header of its Wiki,^[53] and Eric Hughes delivered the keynote address at the Amsterdam CryptoParty on 27 August 2012.