Schneier on Security

Clive Robinson • May 12, 2025 7:10 AM

@ ALL,

Considering the article statement,

“The Social Media Use by Minors bill was “indefinitely postponed” and “withdrawn from consideration” in the Florida House of Representatives earlier this week. Lawmakers in the Florida Senate had already voted to advance the legislation, but a bill requires both legislative chambers to pass before it can become law.”

You have to ask if it was actually “self interest” that tipped the scale to “NO”…

Clive Robinson • May 12, 2025 10:53 AM

@ Peter Galbavy,

With regards,

“Backdoors should only be allowed when pi can be legislated to be 3.”

Not in Australia… There the writ of “Pustulent Encrusted “Stale White Insipid Males”(PE-SWIM) was made clear by some looser who said,

“The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia”

https://www.newscientist.com/article/2140747-laws-of-mathematics-dont-apply-here-says-australian-pm/

This was back in 2017, and in due course Malcolm Turnbull PM proved he was a looser in about a year (Aug 2018) he was gone. And got replaced by something even worse “Scotty from Marketing”).

But… Getting back to Pi a lot of people tried geometric tricks to make it not 3.14159… but 3 and an 1/7th or 22/7. Which to use a derogatory Australian phrase,

“Good enough for Government work”

(The US version was “Close enough…” and ment high standards).

But there is a fun “shuffle box” mathematical way of getting Pi to any arbitrary precision. Have a look at,

https://m.youtube.com/watch?v=6dTyOl1fmDo

It’s actually a fascinating algorithm.

Clive Robinson • May 13, 2025 2:46 AM

@ lurker,

There is an argument that there are an infinite number of vulgar[1] fractions of the form a.P/b.Q –where a&b are natural numbers and P&Q are primes– that will approximate Pi or similar.

22/7 is 2.11/1.7
355/113 is 5.71/1.113

A way to find some of them is the “shuffle box” idea I mention above. The argument goes on that the form a.P/Q works as well.

Then you get 317/101 which is just P/Q

I’m sure at some point in time several people must have gone down the rabbit hole ferreting after some meaning in it before Georg Cantor did his thing.

@ lurker, ALL,

With regards,

“The Florida Bill’s LEA backdoor appears to be an amendment as it went thru Senate, added as sub-para 5 in several Sections of the Bill. Also added were: Parents must be able to read all minors’ messages; and no “vanishing” messages for minors.”

As I’ve indicated in the past, it can be shown via the works of Claude Shannon and later Gus Simmons that none of that is actually possible to achieve.

So the idiocy of the Australian Premier M.Turnbull is still alive and well in politics less than a decade later… (No surprise there, especially in Florida[2] apparently called the “Red and nearly dead” state these days).

[1] The use of the word “vulgar” is not the normal meaning of rude/crude/etc, but the less used meaning of “common”, from the Latin “vulgus” refering to “the common people”

[2] Just reading,

https://www.propublica.org/article/ron-desantis-florida-redistricting-map-scheme

Indicates how dumb some politicians can be when it comes doing unlawful things in such obvious ways…

Clive Robinson • May 13, 2025 6:11 AM

@ Moderator

Post below sent at 10:55BST, response was the usual accepted message but it did not actually “post”. Trying to check showed “no connect issues”. Then reposting did not reject as duplicate but did not post. Trying again at 11:06BST gave “held for moderation”

@ Steve, ALL,

With regards,

“Since knowing the secret to encrypted data is tantamount to confession, the better the encryption and passphrase (in whatever form), the stronger the proof”

This problem was discussed last century with respect to the original UK “Regulation of Investigatory Powers Act”(RIPA) 2000 and in arguments against later similar UK legislation one of the most recent you might have heard called “The Snoopers Charter”.

There are only two defences to a charge, and they are,

1, It’s not encrypted.
2, You do not know the key.

That is as a first step the prosecution has to show the message is encrypted, “looks like” is not sufficient but judges tend to shy away from “technical arguments” as they are considered extremely difficult to grasp by even those considered of high intelligence (such as themselves).

Thus all to often it falls to a “duck test” argument put forward by the prosecution and does not get challenged under “reasonable doubt” as it should be. After all the burden of proof under “Traditional English Law” falls on the prosecution “To prove it’s case before the peers of the accused”.

If you think about it even if you have a “key” and can produce some kind of intelligible plaintext from the ciphertext it’s still in no way proof because of “Perfect Secrecy” and “Every message is equiprobable”. The simplest example being the “One Time Pad”. It’s the reason in his article Claude Shannon went through the statistical measure of “unicity distance”. Often given not quite correctly as,

“The Unicity Distance is a property of a certain cipher algorithm. It answers the question ‘if we performed a brute force attack, how much ciphertext would we need to be sure our solution was the true solution?’. The answer depends on the redundancy of English.”

[1]

It’s not quite correct in that,

It should not be “English” but “plaintext”.

Also the “certain cipher” is assumed to have certain properties it need not have,

Primarily that there is a “one to one mapping” on the plaintext to ciphertext alphabets.

Secondly that the “mapping is invariant”.

Thirdly that the “plaintext” has known, recognisable and consistent characteristics.

And several others. It’s actually not difficult to design a cipher system that breaks all of those assumptions, simply by combining aspects of ciphers that were in use over a century ago.

But inversely it can be seen that given any “ciphertext message”, it’s possible to come up with many “alleged” cipher systems that can produce “intelligible plaintext” with a freely chosen “key”.

But also there is the question of which way the ciphertext was going. If it was “from the defendant” they should be able to produce the “plaintext” (but not necessarily the key). However if it’s “to the defendant” it actually means nothing, unless subsequent behaviour by the defendant can be correlated to the arrival of the ciphertext.

But why might a defendant be able to produce a plaintext but not a key?

The simple answer is “web commerce” and Public Key systems do this hundreds of millions of times a day.

There are “automated key negotiation protocols” used in the likes of HTTPS and message apps that in effect generate a random key that the human never sees.

But lets go back to the “Duck Test” and ask a very important question,

“Can a cipher system be designed that takes ‘plaintext’ and encrypts it into what looks ‘intelligible relevant plaintext’ not ‘random nonsense’ that could be seen as ‘ciphertext’?”

The answer is “yes” and I’ve previously described a simple pencil and paper “hand cipher” that can do this[2].

So… If you were to use such a system and send the message across a backdoored commercial system, then the backdoor achieves nothing a point Gus Simmons proved quite a few years ago and gave rise to the notion of “subliminal channels”.

Can such a system use Shannon’s “Perfect Secrecy” yup…

[1] The opening paragraph from,

http://www.practicalcryptography.com/cryptanalysis/text-characterisation/statistics/

[2] A little while after I described how to do it with “pencil and paper” some researchers came up with a method that used current AI LLM systems, that got covered by this blog.