Monday, February 10, 2025

Identity Management Atoms: Asymmetric Public/Private Keys

Asymmetric keys are the final element we need for Identity Management.  So far, everything we've covered makes it possible to send data secretly, and to make sure that we can confirm that data we send or receive hasn't been tampered with -- but we cannot share Symmetric keys easily, out in the open, where everyone can see them -- we have to share these things privately -- and that's kind of difficult to do on a forum open to the public, such as the internet.

Heck, even if we limit our communications to pencil and paper, it might be nice to share a way for people to reach out and contact us!  If only Alice could pin a key of some sort on that bulletin board, so that Bob can encrypt something and share it with Alice.  That way, Alice wouldn't even have to meet Bob to exchange information privately!

The first algorithm that provided for just this is called the Diffie-Hellman Key Exchange (that some suggest should be called the Diffie-Hellman-Merkle key exchange, to recognize Merkle's role in laying the foundations -- which nonetheless puts aside that a British Intelligence team came up with the same algorithm several years before, but had to keep it classified until much later -- and who knows, maybe it will be found one day in one of the numerous works that Leonhard Euler wrote, leading us to sigh and say "It's a good thing we didn't know about it, because otherwise half of mathematics would be named after him!"? -- there's a reason I simultaneously appreciate and don't worry about making sure everyone gets credit!).

The idea is relatively simple:  Alice and Bob agree on a key $P_\infty$ (recall that the $\infty$ subscript is a reminder that the key is shared by everyone) to use as a basis for communication.  Alice chooses a private key $A_0$ (recall that the $0$ subscript is a reminder to share the key with zero people), and combines this to create a key $A_0 P_\infty$ she publishes publicly; likewise, Bob can share $B_0 P_\infty$ with the world after creating his own private key $B_0$.  To communicate, Alice and Bob combine these publicly shared keys with their private keys, $A_0 (B_0 P_\infty) = B_0 (A_0 P_\infty) = S_0$, and by the magic of modular arithmetic (i.e., mathematics I don't want to delve into right now), things mix together to produce an $S_0$ that can then be used to share messages between Alice and Bob.

For what it's worth, Wikipedia has a more colorful explanation -- by literally using colors and color mixing to explain what's going on.

Ok, maybe it's not exactly simple -- and it relies on advanced mathematics to allow for things to cancel out nicely, so that the symmetric key is the same for Bob and Alice.  But it gets the job done, and it's used internally in a lot of internet protocols where sharing messages, rather than confirming identity, is the primary concern.  It's not quite a public-private key system -- but it's a bridge between symmetric keys and asymmetric ones!
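The exchange described above, carried through with modular exponentiation, as an added example that is not part of the original post. It assumes toy parameters (the small Mersenne prime $2^{127}-1$ and base 3 standing in for $P_\infty$), and the function names are made up for illustration.

```python
import hashlib
import secrets

# Toy public parameters P_inf, shared by everyone (assumption for this demo).
# 2**127 - 1 is a known Mersenne prime; it is far too small for real use,
# where standardized groups of 2048 bits or more, or elliptic curves, are used.
P = 2**127 - 1
G = 3


def make_private():
    """A_0 or B_0: a secret exponent that is never sent anywhere."""
    return secrets.randbelow(P - 3) + 2          # uniform in [2, P - 2]


def make_public(private):
    """A_0 P_inf: the value that can be pinned to the bulletin board."""
    return pow(G, private, P)


def shared_secret(my_private, their_public):
    """S_0: combine my private key with the other side's public value."""
    return pow(their_public, my_private, P)


def derive_key(secret):
    """Hash S_0 down to 32 bytes so it can serve as a symmetric key."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange():
    """Run both sides; only a_pub and b_pub ever cross the wire."""
    a0, b0 = make_private(), make_private()
    a_pub, b_pub = make_public(a0), make_public(b0)
    s_alice = shared_secret(a0, b_pub)           # A_0 (B_0 P_inf)
    s_bob = shared_secret(b0, a_pub)             # B_0 (A_0 P_inf)
    return derive_key(s_alice), derive_key(s_bob)


if __name__ == "__main__":
    key_alice, key_bob = exchange()
    print("keys match:", key_alice == key_bob)
```

The two sides agree because $(g^{b})^{a} = (g^{a})^{b} \pmod p$; nothing in the exchange tells Alice that the public value she received really came from Bob.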

Shortly after Diffie-Hellman was made public, Rivest, Shamir, and Adleman created a simpler algorithm:  rather than having a public key that everyone uses as a basis for creating private shared secrets, each individual produces their own public and private keys.  Hence, Alice creates $A_0$ for herself, and shares $A_\infty$ to the world, while Bob creates $B_0$ for himself and $B_\infty$ for the world.  If Bob wishes to share a message $M$ with Alice, he encrypts it with Alice's public key $A_\infty(M)$ -- and if Alice wishes to read it, she applies her private key $A_0 (A_\infty(M))$, which cancels out the encryption, leaving Alice (who, if she's careful, is the only one who has her private key!) the only person in the world besides Bob to be able to read the message.

Now, here's the fun thing about asymmetrical encryption:  both keys can be used for encryption -- and the other key decrypts!  If Alice wanted to, she could take a message $M$ and encrypt it with her private key, $A_0(M)$, and then share the result with the world.  If Bob, or the President, or my sister and her darling dachshund, or anyone, really, wanted to read the message, they can -- they just have to apply the public key (also available to the public) to the message:  $A_\infty(A_0(M)) = M$.  But why would Alice want to do this, though, if the purpose of encryption is to keep unwanted people from reading messages?  Well, when Alice does this, she isn't just sharing the message:  she's reminding the world that, as the world's only holder of the private key $A_0$, she's the only person who could encrypt something that can be decrypted by $A_\infty$.  Thus, you can be fairly certain the message came from her!  This is the basis of cryptographic document signing.

Of course, if Alice wanted to, she could send Bob a signed message $A_0(M)$ -- and if it's only intended for Bob, she can further encrypt it with Bob's public key, via $B_\infty(A_0(M))$ -- thus, to read this message, Bob would use his private key to "unwrap" the message, $B_0(B_\infty(A_0(M))) = A_0(M)$, which can then be further decrypted by $A_\infty$ to confirm that, not only is the message intended for Bob, but that it can only have been sent from Alice.
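The three uses of a key pair described above (encrypt to Alice, sign as Alice, sign then encrypt for Bob), written out as textbook RSA in an added example that is not part of the original post. The keys are constructed from small known Mersenne primes and no padding is applied, which is an assumption made to keep the arithmetic visible; real signatures are made over a padded hash of the message, and the function names are invented for illustration.

```python
E = 65537  # widely used public exponent


def keygen(p, q):
    """Return (public, private) = ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))      # d is the inverse of e mod phi


def apply_key(key, value):
    """Textbook RSA: applying either key is value**exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this modulus")
    return pow(value, exponent, n)


def to_int(msg):
    return int.from_bytes(msg, "big")


def to_bytes(num):
    return num.to_bytes((num.bit_length() + 7) // 8, "big")


# Constructed demo keys: A_inf/A_0 for Alice, B_inf/B_0 for Bob.
# Bob's modulus is the larger one so Alice's signature fits under it.
A_PUB, A_PRIV = keygen(2**61 - 1, 2**89 - 1)
B_PUB, B_PRIV = keygen(2**107 - 1, 2**127 - 1)


def confidential(msg):
    """Bob -> Alice: A_inf(M) on the wire, then A_0(A_inf(M)) = M."""
    ciphertext = apply_key(A_PUB, to_int(msg))
    return to_bytes(apply_key(A_PRIV, ciphertext))


def sign(msg):
    """Alice publishes A_0(M)."""
    return apply_key(A_PRIV, to_int(msg))


def verifies(public_key, signature, msg):
    """True when applying public_key to the signature gives back M."""
    return apply_key(public_key, signature) == to_int(msg)


def signed_and_sealed(msg):
    """Alice -> Bob: B_inf(A_0(M)); Bob applies B_0, then A_inf."""
    sealed = apply_key(B_PUB, sign(msg))
    inner = apply_key(B_PRIV, sealed)        # Bob unwraps to A_0(M)
    return to_bytes(apply_key(A_PUB, inner)) # and checks it opens with A_inf


if __name__ == "__main__":
    note = b"meet at noon"
    print(confidential(note), signed_and_sealed(note))
    print(verifies(A_PUB, sign(note), note), verifies(B_PUB, sign(note), note))
```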

Besides RSA algorithms of various strengths, there are now algorithms based on elliptical curves, which (if I understand correctly) may be computationally as fast as symmetric keys, and can also be smaller while offering the same level of security -- because as fantastic as public/private key encryption may be, it's still computationally slow, so it still makes sense to use symmetric keys when you can, and transfer them via public/private key authentication, rather than using public/private keys directly.

As of right now, asymmetric keys have only three weaknesses, two real, and one theoretical.

The first weakness is that you have to make sure you never let other people know your key -- and that's a challenge, considering how many vulnerabilities have been found in our software! -- but there are schemes for rotating through keys that make this more manageable.

The second weakness is called "Man in the Middle" -- if Eve wanted to listen in to Bob's and Alice's conversation, and she can intercept their traffic, she can create her own public/private key pair $E_0$ and $E_\infty$, and when Bob tries to send a message to Alice, if she convinces Bob that $E_\infty$ is Alice's public key, then Bob would try to send a message to Alice via $E_\infty(M)$, which Eve would then decrypt with her private key and encrypt with Alice's public key -- $A_\infty(E_0(E_\infty(M))) = A_\infty(M)$ -- which Alice can now decrypt with her private key.  And if Alice tries to respond, and Eve managed to convince Alice that $E_\infty$ is also Bob's public key, Eve can read all the traffic going back and forth.  To be sure, this requires that Eve captures this stream at the beginning of the conversation, and that she is constantly there to be an intermediary between Alice and Bob -- but it is a risk nonetheless, and a real one where something public like the internet is concerned.  There are also strategies to prevent this from happening; indeed, this is why "certificates" are so important for web browsers.

And the third weakness rests on the notion that the prime numbers used in these schemes are very difficult -- indeed, beyond-the-lifetime-of-the-universe difficult -- to factor, even with the fastest of computers.  Mathematicians have been unable to prove, one way or another, that factoring like this is, indeed, hard -- so we may very well be a surprising, fantastic, and beautiful proof away from the entire security of the internet crumbling -- but mathematicians generally believe that there are no shortcuts to factoring numbers, and we may very well prove that, instead.  Physicists have been hard at work creating quantum computers that can, in theory at least, go through lots of factors all at once -- but it's unclear if engineers will ever overcome the hurdle of noise that plagues quantum mechanics so much, and if so, whether engineers would be able to gather enough "qubits" to be able to carry out the large number of computations necessary to factor large numbers.  Nonetheless, this threat is serious enough that researchers are working to develop "quantum-proof" algorithms for encryption -- and governments, for that matter, are sucking up as much current communication as they can, with the hopes that someday they'll be able to read everything!


Fun fact!  This is the first blogpost where I formally use $\LaTeX$ to format things!  I originally intended to keep it simple, but I discovered that I really wanted easy-to-format subscripts for the keys.  Plain A_0 just looked ugly! I found a forum that directed me to https://koutuholi.blogspot.com/2021/04/mathjax.html, which provides a non-supported way to provide the magic of $\LaTeX$ to blogs.

For those not familiar with $\LaTeX$, it is a fantastic document layout system used by mathematically-oriented people to write papers; I personally find the creation of documents using the system to be fantastic, but when I get frustrated with the ASCII mathematical representation, I remind myself ... that $\LaTeX$ is the worst math system out there, except for all the others!  (I particularly despise "equation editors"; they are surprisingly painful to use!)

Monday, January 20, 2025

Identity Management Atoms: Symmetric Keys

So far, nothing I have discussed actually encrypts data.  At best, we have hashes, which take a block of text and produce a short, seemingly random collection of characters -- that is specifically designed to prevent discovering the data that produced it!

While all of this is called "cryptography", there is a major reason I like to call this "Identity Management":  these are the tools that allow us to confirm each other's identities, which is a task that transcends the mere sharing of information.

At some point, however, we're going to want to share data with someone we trust, and we don't want anyone else to read what we send!  To do this, we need some sort of way that scrambles data so that, once sent, it can be unscrambled.  Perhaps the oldest of these is the "symmetric key", something shared between the two communicators beforehand, so that they can recover communication.

Perhaps the simplest example is called "Caesar's Cipher", which simply "rotates" letters by 13 -- A becomes "M", B becomes "N", and so forth -- which isn't a particularly difficult algorithm to crack.  It's easy to imagine a more complicated version, where each letter is assigned to another random letter, but even then, the algorithm is simple enough to crack that it's offered in puzzle books as "cryptograms", to be broken for entertainment.

On the other side of this, there's the "one time pad", which is a pad of randomly generated numbers used for cryptography.  For each "block" of a message, the sender uses a page, and the receiver needs to know what page is used.  This method is mathematically proven to be impossible to crack -- if you can trust that your random number generator doesn't produce identifiable patterns, if you don't use a page more than once (because two pages of data that use the same encryption page can be used to decrypt each other), and if you can ensure that only you and your confidant have unique one-time pads that no one else can see.
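A sketch of the paged one-time pad described above, including the page-reuse failure, as an added example that is not part of the original post. The class and function names are hypothetical, XOR is assumed as the way a page is combined with a block, and the sample messages are constructed.

```python
import secrets


def xor(data, page):
    """Combine a block with a pad page byte by byte."""
    return bytes(d ^ p for d, p in zip(data, page))


class OneTimePad:
    """A pad of random pages; each page may process exactly one block."""

    def __init__(self, pages):
        self.pages = list(pages)
        self.used = set()

    @classmethod
    def generate(cls, page_count, page_size):
        return cls(secrets.token_bytes(page_size) for _ in range(page_count))

    def copy_for_partner(self):
        """The identical pad that must be handed over in private."""
        return OneTimePad(self.pages)

    def _take_page(self, number, length):
        if number in self.used:
            raise ValueError(f"page {number} was already used")
        if length > len(self.pages[number]):
            raise ValueError("block is longer than the page")
        self.used.add(number)
        return self.pages[number]

    def encrypt(self, number, block):
        """Returns the ciphertext; the page number travels with it."""
        return xor(block, self._take_page(number, len(block)))

    decrypt = encrypt  # XOR with the same page undoes itself


def what_reuse_reveals(known_plain, other_plain):
    """Encrypt two equal-length blocks with ONE page, skipping the check.

    XOR of the two ciphertexts cancels the page, so anyone who knows one
    plaintext recovers the other without ever seeing the pad.
    """
    page = secrets.token_bytes(len(known_plain))
    c1, c2 = xor(known_plain, page), xor(other_plain, page)
    return xor(xor(c1, c2), known_plain)


if __name__ == "__main__":
    mine = OneTimePad.generate(page_count=4, page_size=32)
    theirs = mine.copy_for_partner()
    ciphertext = mine.encrypt(0, b"lunch at noon")
    print(theirs.decrypt(0, ciphertext))
    print(what_reuse_reveals(b"pay Bob 100 USD", b"pay Ann 900 USD"))
```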

And this brings us to the weakness of symmetric keys:  how the heck do you get a symmetric key to the people you wish to communicate with, without anyone else getting their dirty little mittens on them, too?  Well, besides meeting up face-to-face with each person you wish to communicate with, and make sure that each person has their own unique pad, and keep track of where you are in each pad in your communications .... well, this isn't exactly the best way to distribute keys when you're trying to reach out to a computer on the other side of the world.

Naturally, there are a number of schemes for generating these random keys, all essentially designed to create things akin to "one time pads" on the fly, AES being a particularly popular one.  To the best of my knowledge, there aren't any concerns about these keys being weak against quantum computers -- they use algorithms that aren't susceptible to the type of parallel processing that quantum computers will theoretically offer.

Nope!  To the degree that these keys are weak against quantum computers, it's because they have to be shared!  And they are typically shared by asymmetrical public/private key cryptographic systems -- which are susceptible to quantum computer algorithms -- and which are also the cornerstone of both computer cryptography and identity management in general.

It seems like public/private key pairs would be better than symmetric keys for sharing data -- so why are symmetric keys still used?  It so happens that symmetric keys are far less computationally intensive than asymmetric ones, so they are used to optimize our information sharing.

Monday, January 6, 2025

My Theme for 2025 and the State of the Blogger

Several years ago, I encountered a fantastic recommendation via Youtuber CGP Grey: Themes as an alternative to Resolutions.  The idea is simple:  resolutions are too specific and almost always fail, so why don't you choose a "theme" as a guide for your actions for the year?  (Or better yet, the season, since seasons are shorter and more manageable).

For example, I made 2024 the year of "Taking Flight" -- both because I have a strong interest in aviation, and because I have been unemployed for a while, and I wanted to be ready to "fly" again with whatever came my way.  While I cannot say that I succeeded with employment (I'll get to that in "State of the Blogger"), I can nonetheless be happy that I actually flew a plane (it was very brief, and it was a little terrifying, but I also realize that I'd be less terrified if I had a few lessons under my belt), I got to ride on another small-ish airplane with three of my children (and their first flight), and I was able to attend several Experimental Aviation Association meetings.  I'd like to think I did pretty well with "Taking Flight"!

In addition to that, I also picked up a couple of projects and carried them to completion -- because I like to make things, but I don't make that as much of a priority as I'd like.  I've been meaning to create videos describing these projects, but nonetheless, these projects also represent attempts to "take flight" ... and they also inspired my theme for this year:

The Year of Creation

If there's anything I've come to realize about myself, it is that I enjoy creating things, whether it be designing things on paper, or actually making things with my hands.  Indeed, the two projects I worked on -- a prototype for a "computer easel" and a model for an "armadillo trailer" -- are things I have designed and redesigned over and over again, usually doodling in Church or in other meetings.  Since I have neglected this tendency somewhat over the years, I figure that 2025 would be a good year to lean into it!

Naturally, I hope that this expands into something interesting career-wise, but if not, I at least hope I can enjoy myself, even when things seem difficult .... which brings me to ....

The State of the Blogger

At the end of September, I accepted an internship at a company that produces user interfaces for command-line tools for simulations.  Although it was part-time, had no benefits, and doesn't pay what I'm used to, I thought it would be prudent both to apply and to take the position, for a couple of reasons:

First, I wanted to see how well I could fit into such an environment.  For many years, I have worked as a software engineer, primarily in web development, but with some data analysis as well; I wanted to see if I can handle work where the focus was in physics simulations.  At the end of 2023, I had earned a certificate in Finite Element Analysis -- I took the class because, for years, I wondered if this would be an interesting direction -- but I came away thinking that, sure, I have fairly good computer programming instincts, and my mathematical foundations are sound, but I'm not entirely comfortable enough with physics or engineering to set up these models by myself.  I wanted to know if there was room on an engineering team for someone who can run simulations with "hand-holding" from people who understand the modelling aspect.

Second, I wanted to know if I could work part-time without burning out.  For many years, I have gone through cycles of looking for work, getting hired, starting out positions that seem exciting ... and then burning out.  I have always attributed this to being a "poor fit" for the positions I held, and I often wondered if I just needed to find the "right career" -- but now that I better understand autism and ADHD, and have some idea of how these conditions affect my work, I wanted to see if I can handle limited work.

Third, I had hoped I could see how well I can handle things outside of work -- in particular, I wanted to pursue my own projects! -- but I also wanted to see how well extended free time would help prevent burnout.

So, it's been three months.  What are the results?  I am not one who enjoys saying an experiment failed because the results didn't come out as expected (which is a colloquial habit I have!) -- a "failed" experiment is a data point, an opportunity for learning, and a time to reflect on and revise our understanding of the world.  It is nonetheless tempting to say that this particular experiment failed, however, because of confounding factors that made it difficult to "read" whether I could handle such work.

Ever since I completed my last blog post on cryptography in October, I've been thinking about how I'm getting close to finishing the "atoms", and am almost ready to move on to "molecules" -- but I stalled out on this, procrastinating on taking the next steps, both because my energy was drawn in other directions, and because I got tired.  While I may have gone silent during this time, I had a burst of creativity for the first three or four weeks, exploring several weird topics, and even thinking things like "hey, maybe these would be good blog posts!"

And then, at the end of October, the confounding event happened:  we got notification that our income had increased enough that we no longer qualified for Medicaid, and thus needed to focus a lot of energy on the process of getting Marketplace insurance for November.  I tried applying immediately, but each time, I got the message "Sorry, you qualify for Medicaid, you can't apply for a plan right now!" reinforced by the State responding "Yep, these folks qualify for Medicaid!  Don't worry about plans!"  After about a week of back and forth with this, a Marketplace Representative finally recommended I just apply for a plan on November 1st.   I was desperate for insurance because I had an evaluation coming up!

And so I did apply on November 1st -- and was told "Yep, you qualify, and your plan starts December 1st!" -- which launched me into a month-long appeals process.  By the end of the month, I got a weird message of "yep, you qualify for Medicaid in November after all", but this seems to be independent of the appeals process -- I now have a meeting scheduled for tomorrow, January 7th, to discuss this appeal.

I went ahead with the evaluation, even with the specter of potentially having to pay for it, because (in my mind at least) it's an important puzzle for what I'm trying to figure out!  For the record, I have really high spatial reasoning, but my "active memory" is normal, and my "inhibition" is very low.  And yes, I have ADHD and I'm autistic.  I'm still waiting for the formal report, but I'm figuring that my next steps are to get an occupational therapy sensory evaluation, and to see if medicines for ADHD will help me focus more.  (For years, I've been wary about medicating ADHD, but now that I understand how medication might help, I'm a lot more open to trying something -- but I'm going in with my eyes as open as I can make them, keeping in mind that these medications don't help everyone!)

Which brings me to December, the end of which I had an initial evaluation of my internship.  The co-worker I've been working with said that the team is impressed with my logical skills, and can see I write good tests -- however, they are concerned about the time I took on one of the projects -- and thus decided to extend the internship by a month, to see how things go.  On my end?  I found myself already somewhat burned out, although I find that when I work for 5 hours a day, my ADHD tendencies are generally kept under control -- indeed, in the two days during the holiday weeks that I worked close to full-time (to make up for hours, somewhat, on the four days I didn't work), I found that it was much more difficult to focus on work -- but I also nonetheless concluded that my experience with 3D programming and Finite Element Analysis can be assets for a team trying to run physical simulations.

I had also hoped that finances would work out so that I could take a full two weeks off for Christmas and New Year's, but alas, it was not to be, so I cannot evaluate how an extended break may help with preventing burnout.  Additionally, the insurance fiasco took its toll -- this is a confounding factor that makes me want to say this experiment failed, but then again, isn't it the case that no matter what work I do, I have to worry about how life may intrude on things?  So, even to the degree this was a "confounding" factor, I should nonetheless consider it an important data point, too.

And thus, I am left with these conclusions:

  • I am still convinced I cannot work 8 hour days, and now fear I can barely handle 5 hour days; I nonetheless need to keep in mind that this may be a mental roadblock, and not an actual limitation;
  • I nonetheless need to remind myself of this:  We often hear messages that basically say "Buck up and just deal with it!" and "Our ancestors had to just deal with their problems!" -- and while it is valuable to keep these kinds of things in mind, it's also important to remember that (1) "Just deal with it" includes figuring out your limitations, and accommodating them, and (2) our ancestors often dealt with these issues by laying down and dying, sometimes even by their own hand -- or by "handling" them via begging and kindness of others (and here I am imagining how, before wheelchairs and Braille were invented, the paralyzed had to rely on being carried everywhere, and the blind relied on people reading to them) -- and that, while I have enough understanding about family history to know that my ancestors did, indeed, just deal with their pain ... let's just say that there's plenty of room for improvement for how they could have handled some of their issues!;
  • That I can probably handle 3D and simulation work, particularly if I can figure out how to do these things in "small doses" (eg, contractual positions that last only three or four or six months);
  • Nonetheless, I don't think I can handle the networking and job-hunting required to find such positions (and no, I don't know how to square this circle just yet!);
  • That I really enjoy creating things, and that perhaps there's room in that direction to help me thrive;
  • While I understand the appeal that some have for getting away from home and going to the office, I nonetheless appreciate the privilege of working from home (a privilege not yet granted by my internship) -- and I also appreciate getting out of both the home and the office!;
  • It's a pity that pilot lessons are so expensive, and I'm almost certainly too old to pursue a career in flight anyway;
  • I don't know if I could pull it off, but I think I need to push myself to post on my blog daily, or at least three or four times a week ....

I'm sure there may be other conclusions I'm missing out on, but although I feel my situation is bleak (and it's likely a lot less bleak than I feel like it is right now!), I have some optimism that things can get better!

Regardless, I need to take things a day at a time, and hope for the best.

And, who knows?  Maybe this will be the year I get my own computer easel and portable office, and have the opportunity to use both .... (I cannot help but reflect on how so much of my design has focused on portable things -- and how I have a strong desire to explore the world (likely driven by an ADHD-fueled need for novelty) but nonetheless bring with me a consistent environment I can easily retreat to (likely driven by an autistic need for order and routine).)