A cypherpunk is any activist advocating widespread use of strong cryptography and privacy-enhancing technologies as a route to social and political change. Originally communicating through the Cypherpunks electronic mailing list, informal groups aimed to achieve privacy and security through proactive use of cryptography. Cypherpunks have been engaged in an active movement since the late 1980s.
Before the mailing list
Until about the 1970s, cryptography was mainly practiced in secret by military or spy agencies. However, that changed when two publications brought it out of the closet into public awareness: the US government publication of the Data Encryption Standard (DES), a block cipher which became very widely used; and the first publicly available work on public-key cryptography, by Whitfield Diffie and Martin Hellman.
The technical roots of Cypherpunk ideas have been traced back to work by cryptographer David Chaum on topics such as anonymous digital cash and pseudonymous reputation systems, described in his paper “Security without Identification: Transaction Systems to Make Big Brother Obsolete” (1985).
In the late 1980s, these ideas coalesced into something like a movement. In November 2006, the word “cypherpunk” was added to the Oxford English Dictionary.
The Cypherpunks mailing list was started in 1992, and by 1994 had 700 subscribers. The number of subscribers is estimated to have reached 2000 in the year 1997. a network of independent mailing list nodes intended to eliminate the single point of failure inherent in a centralized list architecture. At its peak, the Cypherpunks Distributed Remailer included at least seven nodes. By mid-2005, al-qaeda.net ran the only remaining node. In mid-2013, following a brief outage, the al-qaeda.net node’s list software was changed from Majordomo to GNU Mailman and subsequently the node was renamed to cpunks.org. The CDR architecture is now defunct, though the list administrator stated in 2013 that he was exploring a way to integrate this functionality with the new mailing list software. who would subscribe a victim to the mailing list in order to cause a deluge of messages to be sent to him or her. (This was usually done as a prank, in contrast to the style of terrorist referred to as a mailbomber.) This prompted the mailing list sysop(s) to institute a reply-to-subscribe system. Approximately two hundred messages a day was typical for the mailing list, divided between personal arguments and attacks, political discussion, technical discussion, and early spam.
The cypherpunks mailing list had extensive discussions of the public policy issues related to cryptography and on the politics and philosophy of concepts such as anonymity, pseudonyms, reputation, and privacy. These discussions continue both on the remaining node and elsewhere as the list has become increasingly moribund.
Events such as the GURPS Cyberpunk raid lent weight to the idea that private individuals needed to take steps to protect their privacy. In its heyday, the list discussed public policy issues related to cryptography, as well as more practical nuts-and-bolts mathematical, computational, technological, and cryptographic matters. The list had a range of viewpoints and there was probably no completely unanimous agreement on anything. The general attitude, though, definitely put personal privacy and personal liberty above all other considerations.
Early discussion of online privacy
The list was discussing questions about privacy, government monitoring, corporate control of information, and related issues in the early 1990s that did not become major topics for broader discussion until ten years or so later. Some list participants were more radical on these issues than almost anyone else.
Those wishing to understand the context of the list might refer to the history of cryptography; in the early 1990s, the US government considered cryptography software a munition for export purposes, which hampered commercial deployment with no gain in national security, as knowledge and skill were not limited to US citizens. (PGP source code was published as a paper book to bypass these regulations and demonstrate their futility.) The US government had tried to subvert cryptography through schemes such as Skipjack and key escrow. It was also not widely known that all communications were logged by government agencies (which would later be revealed during the NSA and AT&T scandals), though this was taken as an obvious axiom by list members.
The original cypherpunk mailing list, and the first list spin-off, coderpunks, were originally hosted on John Gilmore’s toad.com, but after a falling out with the sysop over moderation, the list was migrated to several cross-linked mail-servers in what was called the “distributed mailing list.” The coderpunks list, open by invitation only, existed for a time. Coderpunks took up more technical matters and had less discussion of public policy implications. There are several lists today that can trace their lineage directly to the original Cypherpunks list: the cryptography list ([email protected]), the financial cryptography list ([email protected]), and a small group of closed (invitation-only) lists as well.
Toad.com continued to run with the existing subscriber list, those that didn’t unsubscribe, and was mirrored on the new distributed mailing list, but messages from the distributed list didn’t appear on toad.com. As the list faded in popularity, so too did it fade in the number of cross-linked subscription nodes.
To some extent, the cryptography list acts as a successor to cypherpunks; it has many of the people and continues some of the same discussions. However, it is a moderated list, considerably less zany and somewhat more technical. A number of current systems in use trace to the mailing list, including Pretty Good Privacy, /dev/random in the Linux kernel (the actual code has been completely reimplemented several times since then) and today’s anonymous remailers.
The basic ideas can be found in A Cypherpunk’s Manifesto (Eric Hughes, 1993): “Privacy is necessary for an open society in the electronic age. … We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy … We must defend our own privacy if we expect to have any. … Cypherpunks write code. We know that someone has to write software to defend privacy, and … we’re going to write it.”
Some list participants are or were quite senior people at major hi-tech companies, and others are well-known researchers (see list with affiliations below).
The first mass media discussion of cypherpunks was in a 1993 Wired article by Steven Levy titled Crypto Rebels.
Later, Levy wrote a book, Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age, covering the crypto wars of the 1990s in detail. “Code Rebels” in the title is almost synonymous with cypherpunks.
The term cypherpunk is mildly ambiguous. In most contexts it means anyone advocating cryptography as a tool for social change, social impact and expression. However, it can also be used to mean a participant in the Cypherpunks electronic mailing list described below. The two meanings obviously overlap, but they are by no means synonymous.
Documents exemplifying cypherpunk ideas include Timothy C. May’s The Crypto Anarchist Manifesto (1992) and The Cyphernomicon (1994), and Eric Hughes’s A Cypherpunk’s Manifesto (1993).
Such guarantees require strong cryptography, so cypherpunks are fundamentally opposed to government policies attempting to control the usage or export of cryptography, which remained an issue throughout the late 1990s. The Cypherpunk Manifesto stated “Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act.” in the scheme, helping to hasten its demise.
Steven Schear created the warrant canary to thwart the secrecy provisions of court orders and national security letters.
Hiding the act of hiding
An important set of discussions concerns the use of cryptography in the presence of oppressive authorities. As a result, Cypherpunks have discussed and improved steganographic methods that hide the use of crypto itself, or that allow interrogators to believe that they have forcibly extracted hidden information from a subject. For instance, Rubberhose was a tool that partitioned and intermixed secret data on a drive with fake secret data, each of which is accessed via a different password. Interrogators, having extracted a password, are led to believe that they have indeed unlocked the desired secrets, whereas in reality the actual data is still hidden. In other words, even its presence is hidden. Likewise, cypherpunks have also discussed under what conditions encryption may be used without being noticed by network monitoring systems installed by oppressive regimes.
As the Manifesto says, “Cypherpunks write code”; The project demonstrated that DES was, without question, insecure and obsolete, in sharp contrast to the US government’s recommendation of the algorithm.
Cypherpunks also participated, along with other experts, in several reports on cryptographic matters.
One such paper was “Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security”. It suggested 75 bits was the minimum key size to allow an existing cipher to be considered secure and kept in service. At the time, the Data Encryption Standard with 56-bit keys was still a US government standard, mandatory for some applications.
Other papers were critical analyses of government schemes. “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption” evaluated escrowed encryption proposals. “Comments on the Carnivore System Technical Review” looked at an FBI scheme for monitoring email.
Cypherpunks provided significant input to the 1996 National Research Council report on encryption policy, Cryptography’s Role In Securing the Information Society (CRISIS). This report, commissioned by the U.S. Congress in 1993, was developed via extensive hearings across the nation from all interested stakeholders, by a committee of talented people. It recommended a gradual relaxation of the existing U.S. government restrictions on encryption. Like many such study reports, its conclusions were largely ignored by policy-makers. Later events such as the final rulings in the cypherpunks lawsuits forced a more complete relaxation of the unconstitutional controls on encryption software.
Cypherpunks have filed a number of lawsuits, mostly suits against the US government alleging that some government action is unconstitutional.
Phil Karn sued the State Department in 1994 over cryptography export controls after they ruled that, while the book Applied Cryptography could legally be exported, a floppy disk containing a verbatim copy of code printed in the book was legally a munition and required an export permit, which they refused to grant. Karn also appeared before both House and Senate committees looking at cryptography issues.
Daniel J. Bernstein, supported by the EFF, also sued over the export restrictions, arguing that preventing publication of cryptographic source code is an unconstitutional restriction on freedom of speech. He won, effectively overturning the export law.
Peter Junger also sued on similar grounds, and won.
John Gilmore has sued US Attorneys General Ashcroft and Gonzales, arguing that the requirement to present identification documents before boarding a plane is unconstitutional. These suits have not been successful to date.
Cypherpunks encouraged civil disobedience, in particular against US law on the export of cryptography. Until 1996, cryptographic code was legally a munition, and until 2000 export required a permit.
In 1995 Adam Back wrote a version of the RSA algorithm for public-key cryptography in three lines of Perl and suggested people use it as an email signature file:
#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
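The three-line program hands its arithmetic to dc. As a readable illustration of that arithmetic (an added example, not Back's code or a translation of it), the following Python performs block-wise textbook RSA with explicit square-and-multiply exponentiation. The toy key, the 4-byte length framing and all function names are assumptions of this example.

```python
# Added illustration: textbook RSA with explicit square-and-multiply.
# Unpadded RSA like this is deterministic and malleable; it shows the
# arithmetic only. Deployed systems add padding such as OAEP.

def modexp(base, exp, mod):
    """Right-to-left binary exponentiation: base**exp % mod."""
    result = 1
    base %= mod
    while exp:
        if exp & 1:                      # current exponent bit set: multiply
            result = result * base % mod
        base = base * base % mod         # square for the next bit
        exp >>= 1
    return result

def toy_key():
    """Constructed demo key from two Mersenne primes (about 150 bits; far too small for real use)."""
    p, q, e = 2**61 - 1, 2**89 - 1, 65537
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)         # modular inverse needs Python 3.8+

def _sizes(n):
    plain = (n.bit_length() - 1) // 8    # plaintext block bytes, value always < n
    cipher = (n.bit_length() + 7) // 8   # bytes needed to hold any value < n
    return plain, cipher

def encrypt(data, e, n):
    plain, cipher = _sizes(n)
    framed = len(data).to_bytes(4, "big") + data   # this example's own framing
    framed += b"\x00" * (-len(framed) % plain)     # zero-fill the last block
    return b"".join(
        modexp(int.from_bytes(framed[i:i + plain], "big"), e, n).to_bytes(cipher, "big")
        for i in range(0, len(framed), plain))

def decrypt(blob, d, n):
    plain, cipher = _sizes(n)
    framed = b"".join(
        modexp(int.from_bytes(blob[i:i + cipher], "big"), d, n).to_bytes(plain, "big")
        for i in range(0, len(blob), cipher))
    return framed[4:4 + int.from_bytes(framed[:4], "big")]

if __name__ == "__main__":
    n, e, d = toy_key()
    ct = encrypt(b"Cypherpunks write code", e, n)
    print(ct.hex())
    print(decrypt(ct, d, n))
```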
Vince Cate put up a web page that invited anyone to become an international arms trafficker; every time someone clicked on the form, an export-restricted item — originally PGP, later a copy of Back’s program — would be mailed from a US server to one in Anguilla. This gained overwhelming attention. There were options to add your name to a list of such traffickers and to send email to the President of the United States registering your protest.
Cypherpunk and Bitcoin
In Neal Stephenson’s novel Cryptonomicon many characters are on the “Secret Admirers” mailing list. This is fairly obviously based on the cypherpunks list, and several well-known cypherpunks are mentioned in the acknowledgements. Much of the plot revolves around cypherpunk ideas; the leading characters are building a data haven which will allow anonymous financial transactions, and the book is full of cryptography.
According to the author, however, the book’s title is, in spite of its similarity, not based on the Cyphernomicon. Eric Hughes delivered the keynote address at the Amsterdam CryptoParty on 27 August 2012.
Cypherpunks list participants included many notable computer industry figures. Most were list regulars, although not all would call themselves “cypherpunks”. The following is a list of noteworthy cypherpunks and their achievements:
- Jacob Appelbaum: Tor developer.
- Derek Atkins: Computer scientist, computer security expert, and one of the people who factored RSA-129.
- Adam Back: inventor of Hashcash and of NNTP-based Eternity networks, co-founder of Blockstream.
- Eric Blossom: designer of the Starium cryptographically secured mobile phone, founder of the GNU Radio project.
- Jon Callas: technical lead on OpenPGP specification, co-founder and Chief Technical Officer of PGP Corporation, co-founder with Philip Zimmermann of Silent Circle.
- Bram Cohen: creator of BitTorrent. and lecturer at The Ohio State University.
- Hugh Daniel (deceased): former Sun Microsystems employee, manager of the FreeS/WAN project (an early and important freeware IPsec implementation).
- Dave Del Torto: PGPv3 volunteer, founding PGP Inc. employee, longtime Cypherpunks physical meeting organizer, co-author of RFC3156 (PGP/MIME) standard, co-founder of IETF OpenPGP Working Group and the CryptoRights Foundation human rights non-profit, HighFire project principal architect.
- Suelette Dreyfus: co-author of Rubberhose, a deniable encryption archive.
- Satoshi Nakamoto: anonymous creator(s) of the decentralized Bitcoin cryptocurrency, and inventor(s) of the blockchain technology.
- Hal Finney (deceased): cryptographer, main author of PGP 2.0 and the core crypto libraries of later versions of PGP; designer of RPOW.
- Michael Froomkin*: Distinguished Professor of Law, University of Miami School of Law.
- Eva Galperin: Malware researcher and security advocate, Electronic Frontier Foundation activist.
- John Gilmore*: Sun Microsystems’ fifth employee, co-founder of the Cypherpunks as well as the Electronic Frontier Foundation, project leader for FreeS/WAN.
- Mike Godwin: Electronic Frontier Foundation lawyer, electronic rights advocate.
- Ian Goldberg*: professor at University of Waterloo, designer of the Off-the-record messaging protocol.
- Rop Gonggrijp: founder of XS4ALL, co-creator of the Cryptophone.
- Sean Hastings: founding CEO of Havenco and co-author of the book God Wants You Dead.
- Johan Helsingius: creator and operator of Penet remailer.
- Nadia Heninger: assistant professor at University of Pennsylvania, security researcher.
- Robert Hettinga: Founder of the International Conference on Financial Cryptography and originator of the idea of Financial cryptography as an applied subset of cryptography.
- Marc Horowitz: author of the first PGP key server.
- Tim Hudson: co-author of SSLeay, the precursor to OpenSSL. Creator of the stealth technology used in Stuxnet, virus author, programmer.
- Peter Junger (deceased): Law professor at Case Western Reserve University.
- Werner Koch: author of GNU Privacy Guard.
- Paul Kocher: president of Cryptography Research, Inc., co-author of the SSL 3.0 protocol., Principal Cryptographic Engineer for PGP Corporation, Co Founder of Silent Circle., Co Founder 4th-A Technologies, LLC.
- Julian Oliver: Artist, privacy advocate, critical engineer. Co-founder of Critical Engineering.
- Sameer Parekh: former CEO of C2Net and co-founder of the CryptoRights Foundation human rights non-profit.
- Runa Sandvik: Tor developer, political advocate.
- Len Sassaman (deceased): maintainer of the Mixmaster Remailer software, researcher at Katholieke Universiteit Leuven, and a biopunk.
- Steven Schear: Creator of the warrant canary, and GNURadio, team member Counterpane, former Director at data security company Cylink and MojoNation, current Vice President at StashCrypto.
- Bruce Schneier*: well-known security author,
- Jillian C. York: Director of International Freedom of Expression at the Electronic Frontier Foundation (EFF).
- John Young: anti-secrecy activist and cofounder of Cryptome.
- Philip Zimmermann: original creator of PGP v1.0 (1991), co-founder of PGP Inc. (1996), co-founder with Jon Callas of Silent Circle.
* indicates someone mentioned in the acknowledgements of Stephenson’s Cryptonomicon.