MATLAB Answers


Is discussion of cryptography allowed?

Asked by Rik
on 8 Jan 2019
Latest activity Answered by Walter Roberson
on 9 Jan 2019
The answer seems to be that it isn't, but the resources are pretty confusing. My legal background is limited to two courses in Dutch health care law (one of those covering a slightly broader array of legal topics). It seems this is not enough for me to understand what is going on here, nor does there seem to be a good resource to refer users who are posting questions about cryptography.
I have read the Wikipedia page, which made me fall deep into the rabbit hole pretty fast (I stopped when I was reading US federal code definition documents). The Wiki page and the documents it links to read like a lot of things are illegal to discuss (as that results in publishing and therefore export of software).
However, a search of Answers turns up many threads where cryptography is discussed. Some have an accepted answer, but others also contain mentions of personal experiences and indications that more detail would not be allowed. One of the most confusing threads in my opinion is this one, where a lot of details are provided in a discussion, but also some content has been removed for (fear of) violating the export restriction.
What is the closest we can get to a short answer about what is allowed and what isn't? I am aware a definitive answer would probably require the legal team from Mathworks to answer this thread (and maintain it after any rule change). Seeing as that is unlikely, I'm hoping for any input that helps me better judge which questions to close/ignore and which can be answered.


2 Answers

Answer by Image Analyst
on 8 Jan 2019

I pretty much just ignore them all. I mean, it's not my project, so why should I expose myself to any risk? If I don't answer, there is no risk to me. It's not my responsibility to answer/solve their question. Don't feel you need to answer every question out there that you can answer. It's within your right to not answer a question, even if you know the answer. I don't answer every image processing question, even if I know the answer, not because of legal reasons but just because sometimes it would take hours of explanation and hand holding. Anyone interested in teaching a semester long course in Fourier theory to a novice who needs it so the solution to his question can be understood? Not me. I know some people at the Mathworks are pretty hands off unless a complaint is made, while others are more "by the book", so whether changes are made by them to File Exchange submissions or Answers posts may depend on who saw it.
Now there are some gray areas. Like what about watermarking, especially invisible watermarking to detect image theft or in forensics? When does watermarking cross the line from encoding to encryption? What is steganography? Is it encoding or is it encryption?

  1 Comment

Rik
on 8 Jan 2019
Thank you for your comments.
For myself it isn't really the need to answer everything, but more a question of which question I should close. As a recent example: this one. This user has posted two previous questions, which were both closed for cryptography reasons (if I recall correctly). Apart from all the other issues with this question, I don't think the poster is really aware why his questions are being closed. I suppose questions like those are what flagging is for.



Answer by Walter Roberson
on 9 Jan 2019

The USA does not have an absolute ban on discussion of cryptography or posting of cryptography programs.
  • in cases where posting of cryptography programs is permitted, the person who posted the cryptography program must immediately thereafter report the posting to the appropriate branch of the US government.
  • Although the reporting onus is on the person doing the posting, then because arguments can be made that matlabcentral does not fall within the "Safe Harbor" provisions of US law, there are legal arguments that Mathworks might be considered the "publisher" for legal purposes, and that therefore Mathworks could be liable for posted cryptography programs that were not promptly reported by the author. This is a legal risk that is mitigated by Mathworks saying that such postings are not permitted.
  • the USA regulations generally permit discussion of encryption when the keyspace is no more than 56/64 bits (many 64 bit encryption techniques involve stuffing the MSB of 7 bytes into an 8th byte to get 64 bits with the top bit clear in each byte)
  • For discussion with larger key spaces, the person must actively get permission for the discussion from the appropriate branch of the US government before the discussion happens.
  • Major difficulty: the discussion of even small key-space encryption requires prior permission if users can readily extend the key space beyond 56/64 bits.
This bit about possibility to extend is a big PITA, because about the only encryption technique that cannot be readily extended to larger key spaces is the null encryption whose output is the unchanged source.
Every time I notice someone posting ROT13, I have to close the discussion, because ROT13 is a Caesar Cipher example that is very easily extended to arbitrarily large keyspaces. Extending ROT13 to use a key of 'MATHWORKS' would result in a cipher that would require prior permission to discuss.
So legally speaking, it would be possible for Mathworks to permit discussion of small key space techniques, but only in one of the two situations:
  1. The program contains obvious and fundamental bugs that would prevent it from ever working as a successful encryption program -- not just small implementation bugs like an off-by-one that someone might be able to fix: it would have to be theoretical errors that make the program useless; or
  2. The program is so long and complex and obscure as to make it impractical for most people to understand and so it exceeds the required level of modification difficulty to make it work with longer key spaces
In practice, this means that they occasionally permit a sufficiently ugly program in the File Exchange, but that they cannot really permit encryption discussion.
So... why can encryption discussions be found in practice in Answers:
  • Mathworks doesn't read every posting. They hope one of the volunteers will close or flag encryption discussions. None of the volunteers read every posting either. Things get overlooked.
  • the boundaries between watermarking and steganography are rather blurry.
  • The legal restraints are on encryption specifically. Not on mathematical techniques that could potentially be used for encryption. For example function out = incr(in); out = mod(in+1,256); could potentially be used in the context of a Caesar Cipher. If the poster were to say that they wanted to do a Caesar Cipher we would have to block the posting. But it is a basic mathematical technique that has other uses. Elliptic Curves have other uses than just cryptography, so a question about Elliptic Curve computation is not inherently a question about cryptography. We aren't required to ask about intended use of everything.
