In Defense of Money Privacy

TL;DR. With the increasing popularity of privacy-preserving cryptocurrencies, opponents are redoubling their effort to curtail permissionless money, citing money laundering concerns. However, money laundering is a red herring: it is an ethically vacuous notion whose net effect is to keep entrenched powers entrenched.


One of the most common critiques of private money relates to its capability to launder money. According to this line of reasoning, privacy in the realm of money is bad because money laundering is bad. Serious ongoing efforts to eliminate private moneys such as cash and private cryptocurrencies are motivated by this belief.

However, humans have been using private means of payment since the dawn of civilization, namely in the form of untraceable coins and later bank notes. The enduring use and very long existence of these inherently private moneys suggests more than just convenience; it suggests a fundamental need for privacy that comparatively recent trends seem to be overlooking.

The rapid digitization of everything threatens to erase privacy in all walks of life. This erasure is partly organic: companies can serve their customers better the more they know about them. But it is also to a large degree driven by the state, for better or for worse. The on-going erasure of privacy is especially true in the case of money. However, this trend of digitization is incapable of erasing a fundamental human need for anonymous transactions.

Today we have the technologies that enable digitization of money while preserving users’ privacy: privacy-preserving cryptocurrencies. This note argues that these technologies should be celebrated rather than fought. Legislative efforts to curtail their use are misguided and run counter to essential civil liberties.

Illegal versus Immoral

It is important to separate the legal question from the ethical question in regards to private money. The legal question has to do with the laws that are enforced by the state, how those laws come about, how they are interpreted, and the mechanisms that enforce them. The ethical question exists purely in the context of dialectic, and is rather more subjective in the sense that there is no final arbiter of truth. People can and do disagree about moral questions.

An article in defense of private money (and indeed, as do the accusations and allegations it defends against) fall squarely in the category of moral questions. One cannot derive from the laws that are on the books a proposition about which laws ought to be on the books. Nor is it possible to derive a moral imperative from a ban.

The distinction may seem obvious when stated in the abstract, but all too often a debate regarding private money is framed in a way that presupposes the moral framework of the state. This fallacious premise is captured perfectly by the term “money laundering”. It is not in and of itself a moral vice; it is bad only insofar as it enables primary crimes. Not much remains of “money laundering” when stripped of the primary crimes it enables and when considered independently of the state’s moral perspective. It is merely the practice of presenting a sum of money as having a mundane origin. Every single monetary transaction satisfies this description.

In other words, money laundering is a purely legal notion with no inherent bad (or good) ethical character.

This characterization does not excuse crimes enabled by money laundering. The point is rather that these crimes are already illegal, regardless of whether the perpetrators launder the proceeds. The judiciary does not need a second legal ground to sentence them.

Ordinances in relation to the prevention of money laundering – these include know-your-customer regulations that require financial service providers to verify customer’s identity and residential status, reporting requirements that turn financial service providers into informants of the state, and throttling or otherwise limiting the volume of transactions intermediated – have no inherent justification in and of themselves; they are better characterized as tools in the arsenal of law enforcement. Enforcing these ordinances, i.e., penalizing individuals and institutions that violate them, enables law enforcement to track down primary crimes or disincentivize them by making them unprofitable.

However, the question is not whether the means used to combat money laundering are effective tools for law enforcement; the question is whether they are appropriate tools for law enforcement. By the same token, indiscriminate wiretapping might be an effective tool for law enforcement, but might not be an appropriate tool. This question can be answered in two ways. First, there is the argument from deontology. It involves arguing from the perspective of human rights and civil liberties. Second, there is the consequentialist argument. It involves analyzing the consequences of competing policies and judging them based on how the consequences compare. A third way would be to argue from law, for instance by showing that established protections on civil liberties are inconsistent with recent money laundering countermeasures. This third strategy, however, is a category error. It can show at best that there is an inconsistency in the law, not how it ought to be resolved.


The Right to Privacy

The individual’s right to privacy is affirmed by a litany of legal documents including the Fourth Amendment to the US Constitution, the Universal Declaration of Human Rights, and the European Declaration on Human Rights. These declarations are not mere legal fictions, but represent the best attempt by generations of war survivors to ensure that their sacrifices are not in vain. They did this by casting into legal effect timeless ethical principles, designed to serve as a bulwark for posterity against the crimes that defined their own times.

To deny individuals their right to privacy in the name of another, greater good is to reduce them to pawns on a utopian chess board. It is inhumane because it is inherently hierarchical: it makes the innocent individual subordinate to the plans of other individuals.

The position that individuals who have nothing to hide, have no need for privacy, is absurd for several reasons. It assumes that law enforcement is infallible and adheres to an impeccable moral standard. Even if that is true most of the time in most places, this absurd position asserts that it is true always and everywhere. More importantly, what constitutes “something to hide” is not an ethical question but a legal one. It can change at the behest of legislators and the executive branch, who are capable of making ethical mistakes which then cannot be appealed. Most absurdly, the assumption that a need for privacy can arise only from illicit behavior assumes that the individual is guilty unless proven innocent, without supporting evidence, and thus contrary to standard practice in criminal law.

Ownership Implies Untraceability

What does it mean to own something? The English language already makes a useful distinction between possession and ownership. Possession refers to actual control: someone possesses a scarce good if they are capable of employing it as means towards the accomplishment of their ends and capable of excluding others from doing the same.

The English language fails to make an equally clear distinction between two different meanings commonly captured by the term “ownership”. First is the legal concept, which might be more precisely denoted by the phrase legal ownership. It refers to the allocation of resources to persons that the state will enforce in case of dispute. Second is the ethical concept, which may be more precisely denoted by the phrase ethical ownership. It refers to the allocation that every person ought to respect, and by extension that the state ought to enforce even though it may sometimes erroneously undermine it.

It is important to stress that legal ownership and ethical ownership are distinct notions. Ethical ownership is a logically coherent and semantically solid notion independent of the state. Legal ownership is only relative to the state that enforces it, and distinct states often disagree about it.

In case of dispute, the principle for deciding ethical ownership of a scarce good is to trace its history across a sequence of transfers from consenting prior owners to consenting new ones. The chain of ethical ownership terminates at the point when the resource in question was last unowned, when the first owner acquired it from nature by mixing it with his labor.1 One might call this principle the Chain of Owners rule. No person can exercise a valid claim based on a broken chain.

To disagree with this principle is to provide a pathway for thieves to make their crime ethically acceptable. Whatever criterion or proviso overturns this principle is a target to be satisfied. For instance, if thefts that happen more than two years in the past should not be considered, then all the thief needs to do is to hold on to the loot for more than two years to become its ethical owner. If thefts that happen more than 10 transfers in the past should not be considered, then the first buyer only has 9 transfers left, and the next 8, and so on. The end-result of this process is ethically owned property, and every link in between the theft and the end-product has a monetary incentive to participate.

The Chain of Owners rule is certainly a good starting point, but it is unworkable in practice. In general, people have no idea about most of the historical ownership chains of the things they own. It is cumbersome to record a trail of ownership and even this record can be spoofed. As a result, law in practice must cut corners. This fact is embedded in the principle that possession is nine tenths of the law; according to this principle, the person in possession of an object of dispute is assumed to be its owner unless there is evidence pointing to the contrary.

If this Nine-Tenths principle were not in place, commerce and trade would be all but impossible. Both parties to an exchange would need to ascertain the traded goods’ histories in order to be capable of defending their new ownership claims in case of dispute. As a result, trades will only take place if the objects’ histories are available, or between the parties capable of tolerating the legal risk they incur if it is not. The legal risk is potentially losing the acquired goods to a third party claimant in a court of law whose guiding principle is more arbitrary because by assumption it does not favor the bearer.

This Nine-Tenths principle implies two things. It is not only practical for ownership to be untraceable, but necessary as well. It is practical because despite the untraceability, this principle offers a workable solution to resolve disputes via law. It is necessary because a documentable history is the one thing that allows the claimant to undermine the bearer’s claim, and simultaneously the one thing with which the bearer can refute the claimant’s challenge. Other things being equal, a difficult-to-trace object of contentious ownership induces a greater cost on the claimant because the threshold for evidence to overturn the Nine-Tenths principle is more difficult to reach. As a result, courts deciding ownership of easy-to-trace goods are biased not in favor of the ethical owner, but in favor of whoever employs the most resources to produce the more compelling history. Phrased concisely: traceability gives rise to an arms race of information to produce the stronger legal claim, whereas untraceability favors ethical ownership.

A premise in the above argument is that the ownership of the easy or difficult to trace object is in dispute. But the degradation in the capacity of the legal system to settle disputes fairly might be acceptable if there are fewer disputes to begin with. However, while traceability reduces the probability of a benign dispute originating from confusion about the ownership chain of an object, it increases the probability of a malicious dispute whereby the thief weaponizes disinformation about the ownership chain to trick the legal system into executing his theft for him. This type of legal attack is more likely because traceability makes it easier: every single link in the ownership chain is a potential point of divergence for the false branch to start from. In security terms, the wider attack surface benefits the attacker and puts the defender at a disadvantage.

The lack of support from a legal system that is at least systematically biased in favor of ethical owners strips the notion of “ownership” of a quintessential feature. Why would anyone acquire something valuable, only to let it pass to the hands of someone who is more adept at gaming the legal system? Why work at all beyond bare subsistence and immediate consumption, when there is no robust way to store the fruits of that labor? Without the support of the legal system, people have no incentive to own things whose possession they cannot personally defend. The feature that “ownership” loses is the very feature that sets it apart from “possession”.

The Right to Free Money

Money is the logical extension of one’s will, second only to conscious muscular movement. Every interaction is only a few hops downstream from some monetary interaction that enabled it. Money is the gateway through which individuals engage with society. What could be more personal than the profile of interactions of one individual with other members of society? If nothing, how can privacy have any meaning at all if it applies only to less personal things?

As I write this, I can think of two contending spheres of action and knowledge that might be comparably personal – although it should be noted that in both cases money is typically involved, and therefore both examples are typically contained by a person’s financial profile. The first example is the relationship between a client and his attorney. The second is the relationship between a patient and his doctor. In both cases the service provider has an ethical obligation, recognized by law, to respect the consumer’s privacy.

These relationships resemble those between a user and a financial service provider such as a bank or an investment platform. The user trusts the service provider to behave responsibly and in his best interest, and this trust is a precondition to the exchange. The ethical responsibility to protect the users’ privacy is implied by the power-of-attorney and fiduciary duty embedded in the service contract. This responsibility, however, is incompatible with anti-money-laundering ordinances which forbids financial intermediaries to serve insufficiently identified customers, and compels them to report their behavior to the state. Obviously, these ordinances go against the privileged banker-customer relationship. Its different status from the privileged client-attorney and patient-doctor relationships sets the worrying precedent for the latter two to be dismantled as well.

In the specific case of cryptocurrencies, the right to use privacy-preserving currencies is implied by the right to free speech. Participating in a cryptocurrency network amounts to downloading the software, installing and running it, and then sending and receiving messages to and from other participants in between local calculations. Aside from those local calculations, all steps are forms of communication over the internet. And just as free speech implies the right to critically assess the counterparty’s argumentation and evidence and to ponder the best argument in response, so too does it imply the right to use the adequate tool to aid in this computational task. Aside from the aid of computers, there is no categorical distinction between the critical thinking done by participants in a debate, and the verification-calculations done by participants in a cryptocurrency protocol. In short, to criminalize private cryptocurrencies is to criminalize some forms of communication or some forms of thought.

Against Free Money

Regardless of the classification of “money laundering” as denoting a purely legal and ethically void notion, ethical questions do remain in relation to enabling primary crimes. Specifically, the argument for the curtailment of the right to free money might be steelmanned into something like this:

  • Enablers of crimes are culpable for them.
  • The a) existence, b) legality, c) widespread use, and d) development and maintenance of private currencies, enable primary crimes by making them lucrative.
  • The curtailment of the right to free money is a proportionate response to the criminal actions of enablers.
  • The *ex ante* curtailment is a preventative countermeasure appropriate by virtue of its greater effectiveness than the *ex post* response.

It is a formidable ethical argument and a defense of private money would be incomplete without a rebuttal to it.

Enablers of crimes are culpable. To decide culpability we must look at the chain of causes and effects. The transporter who drives the bank robbers to and from the location of the crime, but who otherwise does not participate in it, may not be the proximate cause of the robbery but it is a sine qua non cause. Without the transporter, the crime would not have happened.

The problem with the above argument is that while culpability does propagate across a chain of causes and effects, it does not propagate well across a network of causes and effects. Elaborating on the above example: the taxi driver who serves the robbers in good faith and unknowingly enables the crime is not culpable. It could be true that without any taxis the crime could not have taken place. But culpability is an individual matter and not a collective one. If for whatever reason the particular taxi driver had declined the job, another one would have taken the fare instead.

It is unreasonable to charge the particular taxi driver with lack of due diligence unless there are obvious red flags indicating that the travelers are up to no good. If the taxi driver had practiced the due diligence that could have exposed the would-be robbers, he would be undermining his own business. In general, his clients will prefer the competing taxi driver who asks fewer questions.

To complete the analogy, criminalizing private moneys because they can enable crimes is like criminalizing taxis because they can enable them too. Charging the users of private currencies with partaking in an economy that enables crime is like charging taxi passengers with the same. Forbidding the development and maintenance of privacy coins is like forbidding the manufacturing and maintenance of taxis. Only individuals can be charged with enabling a crime, not classes of individuals, and only based on specific evidence pointing to a cause and effect relation that implicates them.

Contrary to what law enforcement might like to suggest, the mere fact that someone uses privacy enhancing technologies does not constitute evidence of wrongdoing or cover-up. The space of ethical uses of privacy-preserving technologies, including private money, is not constrained by the imagination of law enforcement officials – or by that of privacy advocates, for that matter.


An argument about the desirability of anti-money laundering ordinances based on consequences must be rooted not in idealism but in pragmatism. Policies should be judged based on their efficacy relative to a stated objective, as well as based on their cost-benefit profile. Ineffective policies should be rejected, as should policies whose costs outweigh benefits.

It is possible that efforts to combat money laundering generate more tax revenue than they cost. But the reverse is also possible, in which case the anti-money laundering efforts cost more than the additional tax revenue they generate. There is no central manager who needs to answer for this loss, no stockholders to explain it to, and no incentive to correct this seemingly irrational behavior.

Granted, the objective may be to reduce other crimes and not just tax evasion; primary crimes such as extortion and human trafficking that are enabled by money laundering. Relative to this objective, it may be justifiable to run a net loss in terms of government budget. The obvious questions then are a) how effective are these policies and activities at eliminating the targeted primary crimes; and b) how much budget does that effect justify?

What Amount of Crime is the Right Amount?

Fighting crime, not just primary crime but money laundering also, is a process of diminishing marginal returns. Doubling the resources allocated to the fight will not double the effect. It is conceivable and not unlikely that the complete eradication of the targeted primary crimes, whether through money laundering countermeasures or through more direct measures, costs more than the country’s gross domestic product. Complete eradication is an untenable objective; instead of irrationally hoping to achieve it, we must decide how much crime we are willing to tolerate in order to continue living in a prosperous (and free) society.

The war on drugs is an instructive example. Despite being illegal for the general population, hard drugs routinely find their way into prisons.2 Clearly both the demand and supply exist despite active measures from the prison guards and police to prevent the trade of drugs on their watch. By doubling their efforts, the guards can at best affect the supply but not the demand; and as a result the market will find a new, higher, market clearing price.

Perverse Consequences

The war on drugs is an instructive analogy in another important way: it exemplifies an argument showing how violent crime might increase as a result of criminalization. Government edicts cannot erase demand; at best they can affect supply and drive the market underground. In this underground market there is no quality control. Participation in this market is risky. There is no court that can settle disputes peacefully. And so when disputes do arise, the parties have every incentive to settle them with violence. Moreover, illicit drug dealers make a premium relative to a fully legalized market; a portion of this premium inevitably goes to fund the mechanisms of dispute resolution.

The analogy is not perfect because in the case of money laundering, the good or service being demanded is the state imprimatur that authorizes funds with obscure origin for use in settling debts. There are no non-state suppliers; the state has a monopoly on this good. Nevertheless, as demand persists, the market remains. The consequence is two-fold.

First: buyers pay the price, which they perceive to be filling out the right forms, jumping through the right hoops, wording the agreements in the right language, structuring the legal entities correctly, and of course paying expensive consultants to tell them how to do all this. The state, oblivious to market dynamics, and observing failure on its part, redoubles its efforts to make money laundering harder still. This interplay devolves into an arms race with ever more clever techniques to make money appear legitimate and ever more stringent countermeasures hoping to distinguish good money from bad.

Second: the end-result of this arms race is a firewall between white money and black money that is too expensive to overcome for small players, even if their funds have no link to the primary crimes that money laundering countermeasures are supposed to reduce. The financial institutions whose scale enables them to receive regulatory approval are isolated artificially from the smaller but otherwise more efficient competition. This regulatory approval reinforces the discrepancy in scale.

A lot of things fall into place when the discussion about money laundering is viewed from the perspective that large financial institutions are looking for a cudgel to beat smaller, otherwise more efficient upstarts down.

Foregone Prosperity

Know-your-customer regulations and other anti-money laundering ordinances represent a costly obstacle to be overcome. They prevent money from moving about freely, even when it has no ties to primary crimes. Individuals and institutions prefer to keep their capital passive rather than complying with the onerous requirements. As a result, less money is at work contributing information about supply and demand to the global pricing mechanism and thereby increasing the division of labor. Less capital is available to entrepreneurs who seek new and more efficient ways to make consumers happy. Reduced to one phrase: we are less prosperous as a result of anti-money laundering ordinances. And its corollary: private money will make us more prosperous.

It is difficult to quantify the magnitude of the lost opportunity because it is both abstract and unseen. But here is a thought experiment to make the argument a little more concrete and qualitative: imagine how much more money would be available for researching cancer cures, if investors were able to collect dividends anonymously from profitable pharmaceutical ventures.

Legitimate Uses

There are uncontroversial use cases for private money.

Privacy is a defense mechanism against theft. People who leave a trace can show up on the radar of thieves. Jameson Lopp maintains a database of news articles covering physical attacks on Bitcoin holders. The attackers in question were not random robbers but thieves with targets. Know-your-customer requirements will ensure that this list keeps getting extended by providing attackers with the names, home addresses, and copies of identity documents of unwitting targets. Even Ledger, one of the leading hardware wallet manufacturers, got hacked – resulting in the leakage of their customers’ names and addresses. If Ledger cannot keep their database safe, who can?

Charity organizations often receive anonymous donations. There are at least two reasons for this. First, the donor does not want to be on record, only to be approached again by the charity or by another charity for more donations later on. Second, true charity means not using the donation as a means to launder one’s reputation. Anti-money laundering ordinances attach a name to all charity donations, and will result in less of it.

Investigative journalism is subversive by nature. It sheds light on crimes and vices against the will of vested interests who would prefer to keep them in the dark. One of the ways these vested interests fight it is by going after the source of funding that supports either the investigative journalist or the publication venue. The effect is compounded when modern cancel culture is weaponized. This is not just a use case for journalists and news media to use private money, but for their supporters as well. Private money supports free speech in a very concrete way. Anti-money laundering ordinances expose donors who support free speech with their wallets to attacks by proxy.

Alternative to Fiat

Launched in the wake of the 07-08 financial crisis, Bitcoin was originally conceived of and popularized as an alternative to established financial intermediaries and central banks, and in protest to the system of fractional reserves, bail-outs, and government stimuli – the *fiat monetary system* for short. Bitcoin, as well as the long list of alternative cryptocurrencies that followed, represents an asset class that competes with fiat money. While this feature is not unique to private cryptocurrencies, it is one they inherit.

The use case of cryptocurrency that this section alludes to comes from its inherent monetary inflexibility. It protects the bearer against the trickle-down effects of a fiat monetary system without participating in it. It does this in the same way commodities do it, but without sacrificing liquidity. Cryptocurrencies can literally be sent at the speed of light without the need for trusted intermediaries.

The corollary of this use case is the fact that cryptocurrencies are in competition with fiat currencies. The more demand there is for cryptocurrencies, the less demand there is for fiat, and the less power central banks and financial players have over the economy. The existence of fiat currencies is an effective counterweight to the fiat monetary system.

Given the adversarial nature of the relationship between fiat money and cryptocurrency, the concern uttered by beneficiaries of the fiat monetary system about money laundering should not be mistaken for altruism.

Insulation from Legal Risk

By far the most compelling legitimate use case for private money is insulation from legal risk. Stolen assets should be returned to the proper owner. Traceable money can be proven more easily to have been stolen if it was, but it is also more conducive to supporting spurious claims of theft. What happens when an institution that holds traceable cryptocurrency on their balance sheets, discovers, based on information that came to light only after acquiring them, that the digital coins are actually downstream from a well-documented hack that happened years earlier? What happens when they are sued to return the stolen assets to their proper owner?

A legal defense based on having received the coins in good faith (bona fide) is comparatively easy to undermine by a claimant who pours resources into listing the many red flag indicators of theft that the institution allegedly chose to turn a blind eye to. Depending on your perspective, the other hand of this comparison can be one of two things. It could be a legal defense rooted in plausible deniability, which shifts the burden of proof from defendant to plaintiff. The plaintiff now has to prove that the coins in the defendant’s possession are the same ones that had been stolen earlier. No privacy-preserving currency can support such a claim. Alternatively, the other hand of the comparison is the absence of any need to defend anything at all in court because the claimant does not know whom to sue precisely because he cannot trace the stolen coins.

Anti-money laundering ordinances not only make it difficult for institutions to acquire and hold privacy-preserving currencies, they also render whatever privacy they do provide moot by supplementing them with a trace of ownership history. Complying institutions are incapable of insulating themselves from the legal risk of holding cryptocurrencies. As a result, they are deprived of the use of a politically neutral, internet-native medium for settling international debts.

Crawfurd v. the Royal Bank

The claim that money be returned to the proper owner has an interesting legal precedent in Crawfurd v. the Royal Bank. In this history, Mr Crawfurd had sent two 20 pound notes in the mail, but these had gone missing. Having recorded their serial numbers, he notified the Royal Bank with the request to return the notes if they should be found. Shortly after, the Royal Bank discovered one of the notes and informed Mr Crawfurd. However, the bank refused to return the note because in their eyes it belonged to the bearer, which in this case turned out to be the Bank of Scotland.

A court case ensued. Mr Crawfurd’s claim was that no-one can acquire a property title through theft; and that therefore the Bank of Scotland’s claim of ownership was invalid. The banks argued that this principle would undermine the whole point of paper money, which is to make commerce easier. If whoever bears a note and whoever owns it can be different persons, and if the bearer must return it to the proper owner, then everyone who comes into possession of bank notes in the course of commercial activities must first verify that they are receiving them from their proper owners. To do this, they must be made aware of the entire history of the notes since they were minted. This task is so expensive it would all but make commerce unviable.

In the end, the judge sided with the banks. This case and ruling set the stage for other European economies and eventually the rest of the world to adopt similar principles.

I draw two observations from this legal anecdote.

First: fungibility was not an inherent property of the goods in question: two bank notes of the same denomination were not interchangeable. The legal system was required to compensate for this deficiency by simulating through law a property that was understood at the time to be an essential quality of money: fungibility.

Second: a passage of Roman law cited in defense of Mr Crawfurd’s case sheds lights on how the Romans thought about private money and theft. From the same article:

“Should another’s coins be paid, without the knowledge or volition of their owner, they remain the property of him to whom they belonged; should they have been mixed, it is written in the books of Gaius [Cassius Longinus] that should the blending be such that they cannot be identified, they become the property of the recipient so that their [former] owner acquires an action for theft against the man who gave them.”

In other words, according to the Romans, a claim of ownership of stolen coins extends in the future only as long as they can be identified. After the point at which they can no longer be identified, the original owner has a claim of theft against the thief; and the coins belong to whoever bears them.

Geopolitical Schelling Point

There is no international rule of law. Between states there is only war or diplomacy, but no higher authority to appeal to. The world is adversarial and there are no supreme courts.

In order to prefer commerce over isolation or war, states and multinational corporations need a globally accepted bearer asset to settle debts with. This asset cannot be controlled by any one party, because then it could be weaponized.

Gold served this purpose for centuries, but it has drawbacks in today’s hyperconnected world economy. It is difficult to move and expensive to assay; and thus liable to confiscation, blockade, and fraud. Cryptocurrencies solve these issues, but the traceable ones throw out the baby with the bathwater by exposing the bearer to legal attack vectors. Privacy-preserving cryptocurrencies are the natural Schelling point for a financial backbone of a multipolar world order.

The technology has been achieved and cannot be unachieved. The genie is out of the bottle and the transition is underway. States that fight private money risk undermining their own geopolitical interests. States that embrace private money will see their financial sectors boom.

Jacobians of Hyperelliptic Curves

TLDR. Hyperelliptic curves are really cool and doubly so because they can potentially generate groups of unknown order. But how do they work, and how do we determine how secure they are?


In a recent IACR ePrint note 1, Samuel Dobson and Steven Galbraith proposed the use of the Jacobian group of a hyperelliptic curve of genus 3 as a candidate group of unknown order. The authors conjecture that at the same level of security, Jacobian groups of genus 3 hyperelliptic curves outperform the ideal or form class group in terms of both operational speed and representation size. Given the recent explosion of applications of groups of unknown order — verifiable delay functions, accumulators, trustless SNARKs, just to name a few — it is no wonder that this proposal was met with much enthusiasm. This note summarizes the mathematics involved in the hope to enable rapid deployment, but perhaps also to argue the case for caution.

For an engineer to deploy any group in practice, he must know:

  1. How to select public parameters for a target security level.
  2. How to represent group elements on a computer, and how to sample non-trivial group elements.
  3. How to apply the group law to pairs of group elements and, optionally, how to compute inverses.

This post summarizes the theory of hyperelliptic curves from an engineering point of view; that is to say, with an eye to answering these questions.


Let $ \mathbb{F} $ be a field and $\mathbb{F}[x,y]$ the ring of polynomials in two variables. A curve is the set of points satisfying $0 = C(x,y) \in \mathbb{F}[x,y]$, along with the designated point $\infty$ called the point at infinity. While the coefficients of $C$ must belong to $\mathbb{F}$, when we consider the points satisfying the curve equation, we include points drawn from any extension field of $\mathbb{F}$. Let $\mathbf{C}$ denote this set of points. Such a curve is singular when for some point $P$, $C(P) = \frac{\partial{}C}{\partial{}x} (P) = \frac{\partial{}C}{\partial{} y} (P) = 0.$ (Just use the same old analytical rules for computing partial differentials; there is a finite field analogue for the definition of differentials that does not rely on infinitesimal quantities.) We need a non-singular curve $C$.

Let $\mathbb{E}$ be some finite extension of $\mathbb{F}$. The coordinate ring of $C$ over $\mathbb{E}$ is the quotient ring $K_C(\mathbb{E}) = \frac{\mathbb{E}[x,y]}{\langle C \rangle}$. The elements of this ring are polynomials in $x$ and $y$, but two such polynomials are considered equivalent if they differ by a multiple of $C$. Equivalently, $K_C(\mathbb{E})$ is the space of functions $\mathbb{E}^2 \rightarrow \mathbb{E}$ where we ignore the values the functions take in points not on the curve (so $\{P | C(P)=0\} \rightarrow \mathbb{E}$ would be a more precise signature). Furthermore, the function field $L_C$ is the fraction field of the coordinate ring of $C$, or phrased differently, $L_C(\mathbb{E})$ is the field whose elements are fractions with numerator and denominator both in $K_C(\mathbb{E})$.

Let $f(x,y)$ be a function in the coordinate ring $K_C(\mathbb{E})$. The order of vanishing of $f$ at a point $P$, denoted $\mathsf{ord}_f(P)$, is zero if $f(P) \neq 0$, and otherwise the greatest possible $r$ such that $f(x,y) = u(x,y)^r g(x,y)$ for some $g(x,y)$ with $g(P) \neq 0$ and for some uniformizer $u(x,y)$. The univariate analogue is when a polynomial $f(x)$ has a root of multiplicity $r$ at $P$, because in this case $f(x) = (x-P)^r g(x)$ for some $g(x)$ with $g(P) \neq 0$. Let $h(x,y)$ be a rational function from the function field of $L_C(\mathbb{E})$ of $C$, meaning that $h(x,y) = \frac{f(x,y)}{g(x,y)}$ for some $f(x,y), g(x,y) \in K_C(\mathbb{E})$. Then define the order of vanishing of $h$ in $P$ to be $\mathsf{ord}_h(P) = \mathsf{ord}_f(P) – \mathsf{ord}_g(P)$. When $f(P) = 0$, we refer to $P$ as a zero, and when $g(P) = 0$ it is a pole.

A divisor of $C$ is a formal sum of points, which is to say, we use the summation symbol but use the resulting expression as a standalone object without ever computing any additions. This formal sum assigns an integer weight to every point on the curve, and has a finite number of nonzero weights. Therefore, any divisor $D$ can be expressed as
$$ D = \sum_{P \in \mathbf{C}} c_P [P] \enspace ,$$ where all weights $c_P \in \mathbb{Z}$, and where the notation $[P]$ serves to identify the point $P$ and to indicate that it is not actually added to any other points.

Given two or more divisors, it is straightforward to compute their sum — just compute the pointwise sum of weights. This means that the set of divisors of $C$, denoted $\mathsf{Div}_C(\mathbb{E})$, is actually a group. Furthermore, define the degree of a divisor to be $\mathsf{deg}(D) = \sum_{P \in \mathbf{C}} c_P$. Then the set of divisors of degree zero is a subgroup: $\mathsf{Div}^0_C(\mathbb{E}) < \mathsf{Div}_C(\mathbb{E})$.

A principal divisor is a divisor $D$ that is determined by a rational function $h(x,y) = \frac{f(x,y)}{g(x,y)} \in L_C(\bar{\mathbb{F}})$, where $\bar{\mathbb{F}}$ is the field closure of $\mathbb{F}$, via
$$ D = \mathsf{div}(h) = \sum_{P \in \mathbf{C}} \mathsf{ord}_h(P) [P] \enspace .$$ Principal divisors always have degree zero. (This fact is rather counterintuitive. It is important to take the sum over all points in the field closure satisfying the curve equation, as well as the point at infinity.) Moreover, the set of principal divisors is denoted by $P_C(\bar{\mathbb{F}})$. It is a subgroup of $\mathsf{Div}_C^0(\bar{\mathbb{F}})$ and the restriction $P_C(\mathbb{E}) = P_C(\bar{\mathbb{F}}) \cap \mathsf{Div}_C^0(\mathbb{E})$ is a subgroup of $\mathsf{Div}_C^0(\mathbb{E})$.

We now have the tools to define the group we will be working with. The group of $\mathbb{E}$-rational points of the Jacobian of $C$ is $J_C(\mathbb{E}) = \frac{\mathsf{Div}_C^0(\mathbb{E})}{P_C(\mathbb{E})}$. Specifically, its elements are equivalence classes of divisors, with two members of the same class being considered equivalent if their difference is principal, or symbolically:
$$D_1 \sim D_2 \quad \Leftrightarrow$$
$$\exists f(x,y), g(x,y) \in K_C(\mathbb{E}) \, : \, D_1-D_2 = \sum_{P \in \mathbf{C}} (\mathsf{ord}_f(P) – \mathsf{ord}_g(P)) [P] \enspace .$$

Addition in this group corresponds to addition of divisors. However, there is no obvious way to choose the smallest (in terms of representation size) element from the resulting equivalence class when representing divisors as dictionaries mapping points to integers. For this we need to switch to a computationally useful representation of group elements.

Mumford Representation

The previous definitions hold for any generic curve $C$. Now we restrict attention to curves of the form $C(x,y) = f(x) – y^2$, where $f(x,y) \in \mathbb{F}[x]$ has degree $2g + 1$ and where $\mathbb{F}$ is a large prime field. This corresponds to a hyperelliptic curve and the number $g$ is referred to as the curve’s genus.

A divisor $D$ is called reduced if it satisfies all the following conditions:

  • It is of the form $\sum_{P \in \mathbf{C} \backslash \{ \infty \}} c_P([P] – [\infty])$.
  • All $c_P >= 0$.
  • Let $P = (x,y)$, then $y = 0$ implies $c_P \in \{0,1\}$.
  • Let $P = (x,y)$ and $\bar{P} = (x,-y)$ and $y \neq 0$, then either $c_P = 0$ or $c_{\bar{P}} = 0$ (or both).
  • $\sum_{P \in \mathbf{C} \backslash \{ \infty \}} c_P \leq g$.

There is exactly one reduced divisor in every equivalence class in $J_C$, and every reduced divisor corresponds to exactly one equivalence class in $J_C$. Therefore, we could have defined the Jacobian of $C$ to be the set of reduced divisors, except that the group law does not correspond with addition of divisors any more: the sum of two reduced divisors is not reduced. One could start from the addition rule for divisors and follow that up with a reduction procedure derived from the curve equation and the definition of principal divisors. However, it is by no means clear how this reduction procedure would work.

Mumford came up with a representation of reduced divisors that is conducive to finding the reduced representative of a divisor equivalence class. This representation consists of two polynomials, $U(x), V(x)$, such that all the following are satisfied.

  • $U(x)$ is monic.
  • $U(x)$ divides $f(x) – V(x)^2$.
  • $\mathsf{deg}(V(x)) < deg(U(x)) \leq g$.

The polynomial $U(x)$ is simply the polynomial whose roots are the $x$-coordinates of all finite points in the reduced divisor: $U(x) = \prod_{i=0}^{d-1}(x-x_i)$. The polynomial $V(x)$ interpolates between all finite points on the reduced divisor. It takes the value (or rather: one of two possible options) of the curve at all $x_i$. The divisor associated with $(U(x), V(x))$ is therefore $D = \sum_{i=0}^{d-1}([(x_i, V(x_i))] – [\infty])$. To find the Mumford representation of a divisor whose finite points are given by $\{P_i = (x_i, y_i)\}_{i=0}^{d-1}$, simply set $U(x)$ to the product as above, and determine $V(x)$ via Lagrange interpolation: $V(x) = \sum_{i=0}^{d-1}y_i \prod_{j \neq i} \frac{x-x_j}{x_i-x_j}$.

The cool thing about representing divisors as polynomials is their suitability for plots. Of course, to draw an elliptic or hyperelliptic curve we need to pretend that the field over which they are considered is continuous. However, many of the geometric intuitions drawn from continuous plots carry over to the discrete case.

Consider the elliptic curve $y^2 = x^3 -x + 1$, plotted below. Also plotted are the sets of intersection points of the lines $U(x) = 0$ and $y – V(x) = 0$ (dashed lines) for the following group elements presented here in Mumford representation:

  • $A: U(x) = x+1.2$ and $V(x) = 0.678$
  • $B: U(x) = x$ and $V(x) = 1$
  • $C: U(x) = x-1.27$ and $V(x) = -1.33$.

All these intersections do lie on the curve and therefore these polynomial pairs do represent valid group elements. The fact that $U(x)$ is linear and $V(x)$ is constant corresponds to the curve having genus 1, and also to the collapse of the set into just one intersection point for each group element. So we can use $A$, $B$, and $C$ simultaneously to denote the group element, as well as its representative as a point on the curve.

Let’s compute the group operation. The reduced divisor of the group element $A$ is $[A] – [\infty]$ and that of $B$ is $[B] – [\infty]$. Their divisor sum is $[A]+[B]-2[\infty]$. In order to find the reduced divisor from the same equivalence class, we must find a principal divisor that upon addition with this sum sends the two finite points to just one and decrements by one the weight of the point at infinity. Phrased differently, we must find a rational function $h(x,y) = f(x,y) / g(x,y)$ such that $[A] + [B] -2[\infty] + div(h) = [A+B] – [\infty]$, for some curve point which we denote with abusive additive notation as $A+B$.

The plot below shows one such option, plotting $f(x,y)$ in blue and $g(x,y)$ in red. Since $f$ and $g$ are themselves rational functions, their divisors must have degree zero. Indeed, $f$ has a pole of order 2 in $\infty$, and $g$ has a pole of order 3 there. Note that the finite intersection point between the red and blue lines does not appear in this formal sum of points: this absence corresponds with $g(x,y)$ and $1/f(x,y)$ having equal and opposite orders of vanishing in this point. The same phenomenon occurs at infinity, where $1/f(x,y)$ subtracts three from that point’s weight and $g(x,y)$ adds two back.

In other words, the chord-and-tangent rule for elliptic curves is just a special case of the Jacobian group law!

Let’s move on to a more complicated example. Below we have a plot of the genus 2 hyperelliptic curve $y^2 = x^5 -2x^4 -7x^3 +8x^2 + 12x$, with group elements $A$, $B$, and $C$ given by Mumford polynomials (dashed lines)

  • $A: U(x) = (x+1.96)(x+1.5)$ and $V(x) = 7.926x + 14.320$
  • $B: U(x) = (x-3.05)(x-5.03)$ and $V(x) = 19.204x – 60.383$
  • $C: U(x) = (x-1.467)(x-0.263)$ and $V(x) = 4.230x – 3.003$.

For each of these group elements, the lines $U(x) = 0$ and $V(x) = y$ intersect the curve in two points. In fact, this is a property of genus 2 curves, meaning that one can represent any group element by its two intersection points.

Since every group element corresponds to two elements on the curve, we have $\mathsf{div}(A) = [A_1] + [A_2] – 2[\infty]$, for the two points that represent $A$; and similarly for $\mathsf{div}(B)$ and $\mathsf{div}(C)$. To compute the group operation, we start from $\mathsf{div}(A) + \mathsf{div}(B) = [A_1] + [A_2] + [B_1] + [B_2] – 4[\infty]$ and search for a principal divisor $\mathsf{div}(h)$ such that sends the four finite points to two. One could start by finding the lowest degree univariate interpolating polynomial between the four points; this gives $f(x,y)$ which is plotted below in red. Note that $f(x,y)=0$ intersects the curve in six points $(A_1, A_2, B_1, B_2, \bar{C_1}, \bar{C_2})$, of which five are depicted in the plot. Furthermore, $f(x,y)$ has a pole of order 6 at infinity. Likewise, $g(x,y)$ intersects the curve in four points $(C1, C2, \bar{C1}, \bar{C2})$ and has a pole of order 4 at infinity. Therefore, the divisor equation
$$\mathsf{div}(A) + \mathsf{div}(B) – \mathsf{div}(C)$$
$$= [A1]+[A2]+[B1]+[B2]-4[\infty]-[C1]-[C2]+2[\infty]$$
$$= [A1]+[A2]+[B1]+[B2]+[\bar{C1}]+[\bar{C2}]-6[\infty]$$
$$=\mathsf{div}(f) – \mathsf{div}(g)$$ shows that as divisors, $A+B$ and $C$ are indeed apart by a principal divisor.

The two plots shown so far suggest a shortcut for representing group elements and computing the group operation thereon. Simply:

  • Represent group elements as points or sets of points on the curve.
  • When adding two group elements, fit a polynomial through all points and find the new points where it intersects the curve.
  • Flip the $y$-coordinates of these new points; this set is the new group element.

A natural question to ask is whether this intuition extends to curves of higher genus. That might be the case for all I know, but my intuition says “no”. Indeed, for curves of genus $\geq$ 3 no explicit point addition formulae are known and the preferred modus operandi for representing elements and operating on them is via their Mumford representations.

So how do we perform the group operation on Mumford pairs? That’s exactly what Cantor’s algorithm does. (Due to David Cantor and not Georg.)

Cantor’s Algorithm

Computes the composition of elements in the Jacobian group of the curve $y^2 = f(x)$.

  • Input: $(U1, V1), (U2, V2) \in (\mathbb{F}[x])^2$
  • Output: $(U, V) \in (\mathbb{F}[x])^2$
  1. Use the extended Euclidean algorithm to find the Bezout coefficients $h_1, h_2, h_3 \in \mathbb{F}[x]$ and $d \in \mathbb{F}[x]$ such that $d = \mathsf{gcd}(U_1, U_2, V_1 + V_2) = U_1h_1 + U_2h_2 + (V_1+V_2)h_3$.
  2. $V_0 \leftarrow (U_1V_2h_1 + U_2V_1h_2 + (V_1V_2 + f)h_3) / d$
  3. $U \leftarrow U_1U_2 / d^2$ and $V \leftarrow V_0 \, \mathsf{mod} \, U$
  4. $U’ \leftarrow (f-V^2)/U$ and $V’ \leftarrow -V \, \mathsf{mod} \, U’$
  5. $(U, V) \leftarrow (U’ / \mathsf{lc}(U’), V’)$
  6. If $\mathsf{deg}(U) > g$ go back to step 4
  7. Return $(U,V)$

The intuition behind the algorithm is that the polynomial $V_0$ is constructed to represent the divisor $\mathsf{div}(A) + \mathsf{div}(B)$. This polynomial is then reduced using the curve equation such that the degree decreases but the equivalence class remains the same. After reduction, the output is another Mumford pair.

Note that the polynomials considered all have coefficients drawn from $\mathbb{F}$, the plain old base field. This corresponds to restricting the Jacobian group to only elements defined over $\mathbb{F}$. Formally, let $\phi$ be the Frobenius map sending points $(x,y)$ to $(x^p,y^p)$ and $\infty$ to $\infty$, where $p$ is the order of the field $\mathbb{F}$. Then $\phi$ sends a divisor $D = \sum_{P \in \mathbf{C}} c_P [P]$ to $\phi(D) = \sum_{P \in \mathbf{C}} c_P [\phi(P)]$. A Jacobian group element (i.e., an equivalence class of divisors) is defined over $\mathbb{F}$ iff $\phi(D)-D$ is a principal divisor. In fact, by selecting the polynomials from the ring of polynomials over the base field, we guarantee that the Mumford pair determines a particular reduced divisor — the representative of its equivalence class — that remains unchanged under $\phi$. This implies that we can straightforwardly sample a non-trivial group element simply by sampling a Mumford representative; it is guaranteed to represent an element that is defined over $\mathbb{F}$.

Finally, the inverse of a group element $(U, V)$ is $(U, -V)$ and the identity is (1, 0).

Hyperelliptic Jacobians as Groups of Unknown Order

In the case of hyperelliptic Jacobians, the public parameters boil down to the curve equation and really, to the right hand side of $y^2 = f(x)$. Dobson and Galbraith recommend using an hyperelliptic curve of genus $g=3$, such that $f(x)$ has degree $2g+1=7$. Without loss of generality, $f(x)$ can be chosen to be monic, so there are only 7 coefficients left to determine. These should be drawn uniformly at random but such that $f(x)$ is irreducible.

The group is to be defined over a large enough prime field. In this case, an adaptation of Hasse’s theorem due to André Weil bounds the order of the group as

$$ (\sqrt{p}-1)^{2g} \leq #J_C(\mathbb{F}) \leq (\sqrt{p}+1)^{2g} \enspace .$$

Obviously we can’t determine the cardinality exactly because the whole point is that it should be unknown! However, the order must be sufficiently large because otherwise the discrete logarithm problem wouldn’t be hard.

The cheapest way to determine the order of the group is to determine the number points over $\mathbb{F}$ on the curve. For elliptic curves this can be accomplished using Schoof’s algorithm. There is an adaptation of this algorithm for genus 2 with complexity $O((\mathsf{log} \, p)^7)$. Dobson and Galbraith are unclear about what happens for genus 3, but another recent ePrint note 2 refers to work by Abelard for point counting in genus 3 curves that runs in $\tilde{O}((\mathsf{log} \, p)^{14})$ time.

Hyperelliptic curves of high genus admit index calculus attacks that are subexponential. For low genus $g \geq 3$, there is an attack in expected time $\tilde{O}(p^{2-2/g})$, which outperforms generic square root algorithms, whose complexity is $O(p^{g/2})$. For genus 2 curves the generic square root algorithms are faster.

There is a reduction due to Smith for translating the discrete logarithm problem on a genus 3 hyperelliptic curve to an elliptic one that works a sizable proportion of the time. After that translation, there is an algorithm due to Diem with estimated running time $O(p (\mathsf{log} \, p)^2)$.

The complexity of these attacks are plotted as a function of the number of bits of $p$ in the next figure.

The orange line, which plots the complexity of the Schoof-type algorithm, is alarming. While it does cross the dotted line indicating 128 bit security (at $\mathsf{log}_2 \, p = 540$) it only crosses the 192 and 256 bit security lines for impractically large field sizes. The point of targeting 192 or 256 bits of security is not to hedge against improvements in the attacker’s computing power, because $2^{128}$ elementary operations is impossible within the lifetime of the universe according to our current understanding of its physical laws. Rather, the point of targeting $192$ or $256$ bits of security is to hedge against algorithmic improvements that cause the attack to require less computing work than anticipated. With respect to this objective, even a relatively minor improvement to the point counting algorithm would break the hedge as it decreases the actual security of conservative parameter choices by a large margin and massively increases the size of the base field required to provide the same target security level. In other words, it is not possible to err on the side of paranoia. Anyone looking to deploy genus 3 hyperelliptic curves for groups of unknown order must therefore be absolutely confident in their understanding of the best possible attack.

The exact complexity of point counting in curves of genus 3 remains a major open question with, until now, little practical relevance. However, as an alternative to understanding the complexity of point counting more exactly, it may be possible to generate groups of unknown order from similar mathematics but such that point counting does have the requisite complexity. For instance, we should not discount higher genera than 3, nor more generic abelian varieties.

Lastly, Dobson and Galbraith note that it is often easy to sample elements of small but known order. The capability to sample elements of known order violates the adaptive root assumption. The proposed solution is to instead use to the group $[s!] J_C(\mathbb{F}) = \{s! \, \mathbf{e} \, | \, \mathbf{e} \in J_C(\mathbb{F})\}$ for some large enough integer $s$ determined in the public parameters. This restriction kills off all elements of order up to $s$. When relying on the adaptive root assumption, for instance because Wesolowski’s proof of correct exponentiation is being used, it pays to represent the element $s! \, \mathbf{e}$ as $\mathbf{e}$, so that the verifier can verify that $s! \, \mathbf{e}$ is indeed a multiple of $s$ simply by performing the multiplication. Dobson and Galbraith argue that choosing $s = 60$ should guarantee a reasonable level of security, with $s = 70$ being the option of choice for paranoiacs.

To be honest, I am not sure I understand the argument by which the recommendation $s = 60$ is derived. It is something along the following lines. In Schoof’s algorithm (and derivatives) for point counting, an important step is to find points of order $\ell$. This translates to determining the order of the group modulo $\ell$, and via the Chinese Remainder Theorem the order of the group as an integer without modular reduction. Therefore, when we assume that determining the order of the group is hard, then there must be an $s$ such that constructing points of order $\ell > s$ is hard. The time complexity of this step of Schoof’s algorithm is $\tilde{O}(\ell^6 \mathsf{log} \, p)$ whereas the memory complexity is only $\tilde{O}(\ell^4 \mathsf{log}\, p)$, meaning that for large $\ell$, the running time will be the limiting factor. Extrapolating from implementation results reported on by Abelard in his thesis, setting $s = 60$ should be well beyond the capacity of an adversary running in a reasonable amount of time.

Personally, I prefer to draw the $\tilde{O}(\ell^6 \mathsf{log} \, p)$ complexity curve and set parameters depending on where it intersects with the target security level. The graph plotted below assumes $p \approx 2^{540}$ and pretends as though the polylogarithmic factor hidden by the $\tilde{O}$ notation is one. Note that the horizontal axis is the value of $\ell$ itself, and not its logarithm. For good measure I include the memory complexity (dashed orange line), in addition to the computational complexity (full blue).

Based on this graph, I disagree with Dobson and Galbraith and recommend against using the Jacobian of a hyperelliptic curve for applications where the adaptive root assumption is supposed to be hard — unless with a solution that is different from restricting the group to $[s!] J_C(\mathbb{F})$.


Algebraic geometry, which is the field of mathematics that studies elliptic and hyperelliptic curves, is a powerful and versatile tool for generating cryptographic primitives. The recent proposal for generating groups of unknown order from hyperelliptic curves of genus 3, while exciting, is not without concerns. Specifically, a variant of Schoof’s point counting algorithm determines the group’s order in polynomial time, albeit a large degree polynomial. This complexity makes the selection of parameters to err on the side of safety nearly impossible and as a result, an accurate understanding of the best performing algorithm for this task is of paramount importance to anyone looking to deploy these groups in practice. Furthermore, the are algorithms that compute group elements with small but known order, violating the adaptive root assumption. These groups should not be used in constructions that require this assumption to hold, even if computing the order of the whole group is hard.

Nevertheless, the caution argued for in this article derives from a rather simplistic algorithm for determining the appropriate parameters: plot the computational complexity of the attack as a function of those parameters, and determine where that curve crosses the $2^{128}$ threshold. In reality, the attacker may require other resources as well — for instance, time, memory, parallel CPUs, or communication bandwidth between those CPUs. A more refined analysis may conclude that an assumed bound on the availability of these secondary resources will prohibit an attack long before it reaches $2^{128}$ elementary computational steps. Dobson and Galbraith are certainly not ignorant of the attacks on hyperelliptic curves nor of the standard simplistic methodology for deriving appropriate parameters. Therefore, I expect them to provide a more refined analysis in support of their proposal, perhaps based on other resource constraints. I will read that elaboration with much excitement when it appears.

Further Reading

  1. Samuel Dobson and Steven Galbraith: “Trustless Groups of Unknown Order with Hyperelliptic Curves” [IACR ePrint]
  2. Jonathan Lee: “The security of Groups of Unknown Order based on Jacobians of Hyperelliptic Curves” [IACR ePrint]
  3. Alfred J. Menezes and Ji-Hong Wu and Robert J. Zuccherato: “An elementary introduction to hyperelliptic curves” [link]
  4. Jasper Scholten and Frederik Vercauteren: “An Introduction to Elliptic and Hyperelliptic Curve Cryptography and the NTRU Cryptosystem” [link]
  5. Lawrence C. Washington: “Elliptic Curves: Number Theory and Cryptography, second edition” [home page]
  6. A straightforward implementation in Sage of hyperelliptic curves over prime fields [github repository]

On Nonlinear Noisy Key Agreement

TL;DR. A large number of post-quantum key encapsulation mechanisms (KEMs) and public key encryption schemes (PKEs) rely on noisy linear algebra problems. Interestingly, the addition of noise to make otherwise easy problems hard, is a strategy that remains restricted to linear algebra and fails to extend to nonlinear operations. This article explores why.

Noisy key agreement

Key agreement is a protocol by which Alice and Bob each send one message to the other and end up agreeing on a shared secret key. The eavesdropper Eve, who observes all messages in transit (but can’t modify them) remains incapable of computing this secret. The first such protocol was introduced by Diffie and Hellman and bears their names, but the general principle extends to generic algebras and not just commutative group theory.

For instance, let Alice and Bob agree on a common random integer G from a finite ring R, such as e.g. the set of nn matrices of integers modulo some prime p. Moreover, let Alice and Bob each sample their secret, a and b respectively, from this structure as well. They then exchange â = aG and b̂ = Gb, allowing both to agree on the shared key k = ab̂ = âb = aGb. Note that while the order of multiplication is important for matrices, by agreeing beforehand whose secret will be multiplied on which side of G, Alice and Bob circumvent this complication entirely.

Unfortunately, this protocol is completely insecure. Eve, who sees Alice and Bob agree on G before sending â = aG and b̂ = Gb, can compute G-1 and recover both Alice’s and Bob’s secrets, not to mention the shared secret key. Even if the ring disallows efficient computation of an element’s inverse, it remains extremely likely that there is a way to find the solution b to the system of linear equations Gb = b̂ and symmetrically for a.

The solution that makes the protocol a noisy key agreement protocol is to transmit only an approximation of aG and Gb. To see why this makes Eve’s task hard, observe how the error term 𝝐b = b̂ – Gb explodes: G-1b̂ = G-1(Gb + 𝝐b) = G-1Gb + G-1𝝐b = b + G-1𝝐b . Since G is a matrix with uniformly random coefficients, so is G-1 and multiplying that by another matrix 𝝐b — even if it has small coefficients — yields another random ring element that hides b much like a one-time pad.

However, the addition of small noise makes it difficult for Alice and Bob to agree on the same secret. Observe that Alice computes ka = a(Gb + 𝝐b) whereas Bob computes kb = (aG + 𝝐a)b. The trick is implied by the symbols’ case: instead of sampling uniformly random a and b, Alice and Bob sample a and b with small coefficients. If a, b, 𝝐a, and 𝝐b have small enough coefficients, then Alice’s view ka = aGb + a𝝐b is approximately the same as Bob’s view kb = aGb + 𝝐ab. As long as the difference a𝝐b – 𝝐ab is small enough, they can proceed to agree on an exact key with one additional message which either reconciles the two views or uses them in combination with error-correcting codes to transmit a wholly new message. In this last case, I like to refer the views ka and kb as shared noisy one-time pads or “snow-tipis”.

So how small should the secret elements a, b, 𝝐a, 𝝐b be? On the one hand, the secrets should not be too small because that reduces Eve’s search space. On the other hand, the secrets cannot be too large because then the difference a𝝐b – 𝝐ab is too large to enable either the reconciliation or transmission strategy. The situation is best described visually. While the unknown bits of the secrets do spread and multiply — and obscure Eve’s view — they also leave some bits of aGb intact; these bits can then be used as secret key material.

Incidentally, Ramstake, my own submission to the NIST PQC Project, does not quite follow this “intact bits” strategy of establishing common secret key material. Instead of having a few unknown bits at fixed locations, the secrets now have a few flipped bits at unknown locations. As long as the difference a𝝐b – 𝝐ab is not too dense, an error correcting code can help extract or transmit secret key material. Interpreting a darker shade of grey as representing a denser error distribution, this gives rise to the following analogous diagram.


Nonlinear Noisy Key Agreement

So why are there no nonlinear noisy key agreement protocols, or cryptosystems based thereon? Actually, that premise is not true. There is a submission to the NIST PQC project by the name of CFPKM whose underlying hard problem is polynomial system solving with noise (“PoSSoWN”). Alice and Bob compute their protocol contributions by evaluating a quadratic function f, which has small coefficients, in their secret vectors sa and sb, also with small coefficients, and by adding another small noise term. The underlying protocol is shown in the next figure. Unfortunately, despite the security proof, the cryptosystem was broken within weeks of the submissions’ publication.

The cryptanalysis exploits the observation that the keys computed by Alice and Bob differ only by the difference of element-wise products f(sa) ⨀ e2f(sb) ⨀ e1, which affects only the lower bits; whereas the high bits of both views are used for the session key. Importantly, these high bits are the same in b1b2, which is a value the passive adversary can compute as well.

So why is there no successful cryptosystem based on noisy nonlinear key agreement? The first observation is that the term nonlinear is really only relative to what the function’s arguments are. For instance, the expression x12 + 2x1x2x2 is nonlinear as a function of (x1, x2) but linear as a function of (x12, x1x2, x22, x1, x2, 1). By extending as we did here the vector of arguments of a function to a vector of all monomials occurring in that expression, any expression can be regarded as a linear function. In particular, both Alice’s and Bob’s computation of their proper views of the noisy secret key may be considered as linear transforms on some extended vector of monomials. This observation suggests a two-step approach to the diagrams above that indicate the source of secret key material: the second step captures the familiar linear noisy key agreement. The first step captures the extension of the original arguments into a vector of monomials.

This diagram highlights the origin of the problem: in order for there to be usable secret key material left at the end, the unknown bits in the extended vector of monomials must not be too many. In order for those unknown bits to not be too many, the unknown bits in the original arguments must be even fewer. However, this very salient feature makes these original arguments a vulnerable target for attack.


Why are there so few cryptosystems based on nonlinear noisy key agreement? My answer is twofold:

  1. Because any such protocol implies a linear noisy key agreement protocol.
  2. Adding nonlinearity to a linear noisy key agreement protocol makes it less secure.


On Catastrophic Anthropogenic Global Warming Theory

TL;DR. Skepticism is a virtue. But questioning catastrophic anthropogenic global warming theory seems to be a vice. We are told to believe that the debate is settled; there is scientific consensus that humans are the driving cause of global warming. Any skepticism at this point only serves to confuse policymakers and delay urgent political action. To the contrary, I contend that there is just cause for skepticism.

1. Introduction

Declaring any domain of knowledge as settled science is a characteristic result of the most anti-scientific attitude imaginable. It is the pinnacle of arrogance to claim any knowledge with absolute certainty; an intellectual offense surpassed only by the all-too-often following denouncement of all skepsis as anti-scientific bigotry. In contrast, science is exactly about challenging — and overturning, where appropriate — false beliefs. In the process of scientific investigation, some beliefs may wind up being reinforced rather than overturned, which is why all parties should welcome skepticism with open arms. Our confidence in the truth of scientific propositions comes precisely from our ability to question them. To hold a class of statements or ideas immune to scrutiny is not just akin to religion superficially; it shares its most fundamental tenet, namely the required leap of faith.

But a different standard seems to apply in the global warming discussion. The science is settled because there is 97% consensus among scientists who express opinion on the matter. A panel of experts has concluded that humans are the driving cause of climate change with a whopping 95% confidence1. The remaining skeptics serve only to delay urgently needed political action. In fact, since this delay will certainly cause catastrophe, the spreading of unerringly unreasonable doubt constitutes a prelude to crime. The skeptics who cannot muster the good graces to remain silent, should be put in jail in anticipation of their share of the responsibility.

Well, I am a persistent skeptic. And at the risk of social ostracism, of being associated with the other type of denier2, even of jail time, let me try to convince you that there is something wrong with this attitude. Starting with the philosophical foundations, and continuing first with the scientific theory and then discussing ideological bias, I think there is plenty to criticize and more than just cause for skepticism.

Disclaimer: while I am a scientist, I do not do climate science. My opinion is not that of an expert and if you believe I am factually incorrect somewhere or that you know an adequate response to some of the points I raise, please feel free to leave a comment or drop me an email. I do my best to weed out incorrect beliefs whenever possible.

2. Scientificity

Scientificity is the property of a theory that makes it suitable for scientific investigation. Informally, scientificity requires that the world in which the theory is true is different from the world in which it is false, and that by interacting with the world we can increase our confidence in the truth (or falsity) of that theorem. Falsifiability is a necessary requirement: an unfalsifiable explanation is one that is compatible with any phenomenon. Paradoxically, a good explanation is one that is not capable of explaining anything, but rather one that rules out particular phenomena. The notion is linked with information theory: a scientific theory is part of a model of the universe, and by interacting with the universe we extract information from it and incorporate it into the model. An unscientific theory is one that does not contribute to the model for being devoid of information about the world.

Scientificity is a binary variable, but falsifying is a process that can be easy or difficult. Among scientific theories there is therefore a spectrum of falsifiability difficulty, matching the effort required to test the theory in question. On the one end of the spectrum there are Newtonian postulates, which can almost be tested from the philosopher’s armchair. On the other end there are theories for instance about the inside of a black hole. It is difficult to test these theories, and consequently it is equally difficult to become confident about their truth value.

How does this relate to the climate change debate? Well for starters, consensus is immaterial. Assuming the existence of an accurate distinguisher for telling experts from non-experts, assuming the experts are doing science honestly, and assuming they are free of systemic bias, even then their consensus at best correlates positively with the truth value of the theory in question.

Also, note that “climate change” is the slippiest possible term to frame the debate with. Climate is by any reasonable definition the average weather over a suitably large time period. If this time period is large enough, then the climate is fixed by definition and any change is impossible. If the time period is short enough to be meaningful, then the average changes with the window over which it is computed, and then climate change is an immediate consequence of weather change. In other words, climate change being true or false is determined by how the term is defined rather than a reflection of the world we live in. Nevertheless, the presentation of the term “climate” as though not scientifically vacuous suggests a description of weather as a random noise signal added to an underlying steady state, which is then purported to be disturbed by human activity. This steady state theory of climate may be appealing to our mammal brains but is nevertheless assumed without justification and indeed, in contradiction to the prevalent creation and destruction theories of the Earth itself.

I much prefer the term “global warming” because it, at least, implies one bit of information about the world. If average temperature is observed to drop, then clearly global warming theory is false. However, this term is still troublesome because it captures wildly different scenarios in some of which the average temperature rises by a negligible amount and in others of which the temperature rise is catastrophic to all life on Earth. Phrased in terms of information theory: one bit is not enough. A meaningful debate on global warming must concern theories that explicitly state quantities. By how much will global average temperature increase one year from now? An answer to the same question except “one hundred years from now” is less useful because it is effectively unfalsifiable — especially if the implied political action must be taken before then. To be fair though, the quantity-free discussion is limited to public discourse; scientific reports, such as the IPCC assessment reports, are quite explicit in their quantities, as they should be.

Nor is discussion about the human component exempt from the requirement of being quantitative rather than qualitative. The theory “the globe is warming and humans are causing it” implies at most two bits of information about the world and is equally untenable in a meaningful debate. A proper theory must address to which degree humans are causing global warming and even answer hypothetical questions like how much the global average temperature would have risen if humans had not discovered fossil fuels. To its credit, the IPCC assessment report does make a claim that is falsifiable in principle3: an estimation of the temperature increase with and without mitigating action (among other climate-related effects). However, this theory and a complete causation theory are very difficult to falsify, chiefly because of the size of the time span that the predictions cover. To test them properly, we must compare observations far enough apart in time. And unless we go through this laborious and error-prone process of testing them we should remain accordingly unconfident about their truth values.

Nevertheless, the argument for causation does not derive from counterfactual data for the whole chain but from evidence supporting the strength of each link individually. While this stepwise approach is a sound methodology, it is easy to lose track of the forest for the trees and take evidence of strength in one link as evidence of strength in the entire chain. The situation is quite the reverse: one weak link can break the chain.

3. The Argument

The basic argument in support of anthropogenic global warming goes something like this:

  1. Since the industrial revolution, human activity has put tremendous amounts of $\mathrm{CO}_2$ into the atmosphere. $\mathrm{CO}_2$ levels are rising faster than they ever have before.
  2. There are quantum-scale simulations, laboratory-scale experiments, as well as city-scale observations indicating that $\mathrm{CO}_2$ behaves like a greenhouse gas, i.e., that it traps heat by absorbing infrared light but not higher wavelength radiation.
  3. There is pre-historical evidence that $\mathrm{CO}_2$ correlates positively with global average temperature on geological time scales.
  4. More greenhouse gases in the atmosphere means more heat from the sun will be trapped, thus increasing global average temperature.
  5. We are currently observing rising global average temperature. The temperature is changing faster than it ever has before.
  6. Therefore, human activity is causing this rise in global average temperature.

Strictly speaking, the argument is not logically valid, although it does seem convincing somehow. Let us dissect it properly, starting with premise 1.

  1. Since the industrial revolution, human activity has put tremendous amounts of $\mathit{CO}_2$ into the atmosphere. $\mathit{CO}_2$ levels are rising faster than they ever have before.

It is certainly true that human activity since the industrial revolution has put enormous quantities of carbon dioxide into the atmosphere, as the following graph shows. (source, script)

Confused? Well, the graph you might be familiar with uses the same data but rescales the vertical axis to focus on the 0-500 parts per million range. Here it is, for reference.Both graphs describe the same thing: the increase in atmospheric $\mathrm{CO}_2$ content, which is (presumably) driven primarily by human industrial activity. One graph is useful for illustrating the relative increase of $\mathrm{CO}_2$, i.e., 140% increase since 1850. The other graph is useful for illustrating the absolute increase — or properly speaking relative to the level of oxygen, which is after all what the carbon dioxide is displacing when it enters the atmosphere as a result of burning fossil fuels.

The point of this graph trickery is that there is no objective way to decide beforehand what does and does not constitute “tremendous” amounts of added CO$_2$, as “tremendous” is a relative term and thus requires a benchmark. The only way to decide whether this 140% increase is massive or insignificant is after determining the effects caused by this increase. Even a 1000% increase can be judged to be mild if the resulting effects are barely noticeable.

More generally, the presentation of the premise as saying that the $\mathrm{CO}_2$ increase is tremendous and faster than ever before is a bit of a straw man as neither fact is necessary for the argument to work. This point addresses only the alarming quality that is absent from the minimal formulation, “Human activity has put measurable amounts of $\mathrm{CO}_2$ into the atmosphere.”

  1. There are quantum-scale simulations, laboratory-scale experiments, as well as city-scale observations indicating that $\mathit{CO}_2$ behaves like a greenhouse gas, i.e., that it traps heat by absorbing infrared light but not higher wavelength radiation.

I do not dispute the individual statements made in the premise. Nevertheless I would like to point out that the implied conclusion, that $\mathrm{CO}_2$ is a greenhouse gas on a global scale, does not follow. $\mathrm{CO}_2$ has many subtle interactions with the complex biological and geological ecosystems that it is a part of. The focus on the heat-trapping properties and effects of the gas in isolation ignores the many terms of the equation that are introduced by its interaction with its environment. For instance, according to current understanding, both the ocean and vegetation on land absorb $\mathrm{CO}_2$. How does this absorption affect trapped heat? It is easy to come up with plausible mechanisms by which the carbon dioxide based heat trap is exacerbated or ameliorated, and whose truth cannot be determined beyond a shadow of a doubt from laboratory experiments alone.

  1. There is pre-historical evidence that $\mathit{CO}_2$ correlates positively with global average temperature on geological time scales.

Indeed there is. A clever piece of science in action — several pieces, actually — have enabled researchers to dig into polar ice and determine the temperature as well as carbon dioxide levels of the past, ranging from yesterday to 400 000 000 years ago. The near exact match spurred Al Gore to mock in his film about truth, “did they ever fit together?”, as though the point is contentious. Here’s a graph. They do fit together. (source 1, 2, script)It has become a cliché to point out that correlation does not equal causation, but unfortunately that task remains necessary. In fact, there is a very good reason why the “$\mathrm{CO}_2$-causes-temperature to rise and fall” theory is a particularly uncompelling one in light of this data. It is because the $\mathrm{CO}_2$ graph lags behind the temperature graph by 900 years or so, as the next cross-correlation plot shows4 (same script). That time lag is short enough to be unnoticeable on the 400 million year scale, but long enough to seriously reconsider the theory. The position that the pre-historical temperature and $\mathrm{CO}_2$ record supports the $\mathrm{CO}_2$-causes-temperature theory, is untenable. If anything, it supports the opposite temperature-causes-$\mathrm{CO}_2$ theory.Despite the minor inconvenience of having a time mismatch, the $\mathrm{CO}_2$-causes-temperature theory survives. The adapted argument is that $\mathrm{CO}_2$ level and temperature are both causes and effects, locked in a positive feedback loop. Temperature affects $\mathrm{CO}_2$ but $\mathrm{CO}_2$ also affects temperature. The mockery5 continues on “Chickens do not lay eggs, because they have been observed to hatch from them.”

A positive feedback loop is possible but it would be highly surprising. Very few natural processes actually have positive feedback loops. It is the same mechanics as that of bombs: the combustion rate increases the pressure, which then increases the combustion rate. When positive feedback loops do occur in nature, for example in population dynamics, their extent tends to be limited due to natural stabilizing mechanisms such as disease or predators.

What is more likely to be the case, is that $\mathrm{CO}_2$ and temperature are in a negative feedback loop. $\mathrm{CO}_2$ causes temperature to rise (or fall), and the resulting increase (decrease) in temperature affects $\mathrm{CO}_2$ in turn, but the magnitude of these effects dies out exponentially. In this scenario, it would be true that some amount $x$ of added $\mathrm{CO}_2$ would cause another amount $y$ of temperature increase; but an additional $x$ of $\mathrm{CO}_2$ would cause strictly less than $y$ temperature increase. The two are in an equilibrium which can be moved by a perturbation in either input; but the system responds by making another shift of the equilibrium that much more difficult. In chemical systems, this mechanism is known as Le Chatelier’s principle.

The point of this discussion is not to debunk the $\mathrm{CO}_2$-causes-temperature theory; Le Chatelier’s principle probably is at work and if so, the $\mathrm{CO}_2$-causes-temperature theory is true in a literal sense despite being dominated by the temperature-causes-$\mathrm{CO}_2$ component. The point is rather that this theory is firstly not supported by the ice core data and secondly limited as a tool for prediction — as it certainly flies in the face of catastrophic predictions. Nevertheless, the bomb analogy, though it is erroneous, is certainly a far more effective tool of communication; and presumably that is the reason why features a Hiroshima counter so prominently on its sidebar.

Criticism of delivery aside, it is worth addressing a common counter-argument to the $\mathrm{CO}_2$ lag objection, namely that “about 90% of the global warming followed the $\mathrm{CO}_2$ increase.” If that argument is valid, then surely so is, “100% of the $\mathrm{CO}_2$ increase followed the global warming.”

  1. More greenhouse gases in the atmosphere means more heat from the sun will be trapped, thus increasing global average temperature.

No counter-argument here beyond criticizing the triviality of this truism. Trapping solar heat is precisely the defining property of greenhouse gases. As raised in the counter-argument to premise 2, the question is whether $\mathrm{CO}_2$ satisfies this definition, something that cannot be inferred from small-scale experiments alone.

  1. We are currently observing rising global average temperature. The temperature is changing faster than it ever has before.

Unless you distrust the data, the observation that we are currently observing a warming trend is quite inescapable. A simple web search churned out the following surface air, surface sea, and satellite data. (source 1, 2, 3, script)However, the second part of the premise follows neither from the first part nor from the plot and is in need of a citation. In fact, the plot illustrates precisely why the proposition “the rate of change is faster than ever” is very difficult to defend.

For starters, the “rate of change” is not explicitly present in the data. One has to infer it by dividing the temperature difference by the time difference associated with two samples. While rate or velocity in physics is defined as the limit of this fraction for time difference going to zero, computing this ratio from the data inevitably magnifies the measurement noise. The best you can do is consider trend lines over a time interval large enough to average out the noise. Make the interval too short, and your trendline reflects only noise; but make it too large and any human effect will be averaged out with the noise. There is no objectively right way to choose interval size. This paradox suggests the philosophical point that maybe “rate of change” is not the right way to think about temperature change to begin with. The notion is not practically usable and really reflects an unjustified ontological presupposition: the “rate of temperature change” exists, has a definite value, and produces different measurement outcomes depending on this value. Nevertheless, this ontological criticism merely reflects the difficulty of defining in precise terms what the current “global temperature” is.

Second, the data reaches back only so far, and is less fine-grained the further back you go. We only have satellite data from 1980 onward; weather balloons since the end of the 19th Century; thermometers since the 1720’s. However, a compelling argument for the temperature change being faster than ever should present an accurate temperature graph spanning a large stretch of history. The requisite data simply does not exist.

There are secondary, indirect records that do reach further than the invention of the thermometer. Clever scientists have attempted to reconstruct earlier temperatures from ice cores (i.e.,  isotope ratios of air bubbles trapped in ice), tree rings, lake and ocean sediments, and so on. However, these proxy sources require careful modeling and calibration of whatever natural process records the temperature or temperature change and stores this information until readout. The accuracy of this data is limited by the degree to which the models approximate these natural processes, which is by nature very difficult to falsify. Moreover, the further back in time you go, the coarser the data becomes. The question then arises, to which degree can the sharpness of the observed recent temperature rise be explained as the by-product of the resolution mismatch? Joining together recent thermometer data with biological or geological proxy data to produce a graph resembling a hockey stick, suggests that the data’s accuracy is roughly uniform across time. The addition of error bars or an uncertainty range reflects the graph makers’ optimism that the inaccuracy is quantifiable to begin with.

  1. Therefore, human activity is causing this rise in global average temperature.

Even if you accept all the premises and pretend that the conclusion follows syllogistically from them, it is worth noting how little this conclusion actually says. Human activity is contributing to a global temperature increase. It does not follow that this temperature increase is catastrophic, will raise sea levels, will kill polar bears, will cause crop failures, draughts, monsoons, or even effect the weather one iota beyond the slight temperature change. All these projected secondary effects require separate arguments that can be questioned independently of the first. And yet by some sort of unspoken agreement, the entire disagreement about global warming centers around the first argument. The motte-and-bailey technique of sophistry comes to mind to describe the situation: by only defending a small but more defensible premise, the alarmist can get away with claiming a far larger conclusion.

The catastrophic effects is only one implied consequence of the anthropogenic global warming argument. The second implied conclusion is the mandate for political action. However, even if we accept a list of projected catastrophes as being the consequence of burning fossil fuels, then we must still weigh the benefits against the drawbacks before such a political mandate can be justifiable6. The obvious and under-emphasized benefit of fossil fuels is its enabling of an industrialization and market economy that has lifted more people from the clutches of grinding poverty than any other object or idea throughout human history. This achievement puts the discovery of fossil fuels on par with extinction level events in terms of importance on geological time scales. If global warming does not pose a threat of equal or greater magnitude, and if its solution does not present an alternative to fossil fuels that enables us to maintain our present living standards, who is to say climate neutrality is preferable to affluence? An affluent society might be better off dealing with the consequences of climate change than an impoverished one dealing with adverse weather conditions.

4. Political Bias

4.1 Libertarianism

People often accuse me of mixing ideology with reason, in particular with respect to the man-made climate change debate. Being a libertarian, I favor free markets and condemn government intervention. The scientific consensus on global warming unequivocally mandates immediate political intervention, and as such conflicts with my libertarian views. Rather than re-evaluating my political ideology, I choose to ignore the scientific facts. Or so the accusers would have me believe.

This accusation fails to convince because it is predicated on a misconception of libertarian legal theory. In fact, assuming the correctness of catastrophic anthropogenic climate change, there is a justification for political action7 in response to carbon emissions. And reviewing this libertarian basis presents an opportunity for providing much-needed focus for the scientific questions whose answers are supposed to justify violence.

In the libertarian tradition, violence is only justifiable in response to prior aggression, on behalf of the victim and against the perpetrator of said aggression. The purpose of this violent response is not retribution but restitution: to reinstate the state of affairs prior to the aggression; to make the aftermath independent of whether the initial aggression had or had not taken place. Also, the crime and responsive violence are committed by individuals; not by communities or societies. No group of individuals has rights that the individuals that make up the group do not, and therefore class guilt and class indemnification (that does not reduce to individual guilt and indemnification) are intolerable. The victim must be able to demonstrate ownership of the object of aggression as well as deleterious effects on said object. Lastly, the chain of cause and effect from aggressor to deleterious effect on the object must be demonstrably true.

In the context of global warming, the object of aggression might be crops, a house on the shore, or snowy ski slopes, just to name a few. The deleterious effects might be draught, a sea level rise or a hurricane, melting snow. The aggressor would be every individual who emits carbon dioxide; and they would be responsible in proportion to the quantity of their emissions. The task of the global warming scientist would be to demonstrate the chain of cause and effect from $\mathrm{CO}_2$ emissions to the aforementioned deleterious effects. Alleged perpetrator and self-declared victim would present their cases before an independent arbitrator and all parties would be allowed to question the opposition’s arguments and evidence. The validity of the scientific argument would not be decided, as it is now, in the court of public opinion; but rather in the court of a professional judge, or group of judges, who stand to lose both reputation and livelihood if their ruling is not convincing and fair. Moreover, if this ruling is later overturned on the grounds of a bad court procedure or ignored evidence, this group of judges gains complicity in the perpetuation of the crime. In contrast, in today’s society, the validity of the scientific argument is decided by popular vote, and altogether by individuals who do not personally suffer the consequences of an incorrect determination.

I would be remiss to neglect modifying the accusation at the onset of this section in a way that does make sense. As a proper libertarian, I recognize bullshit arguments for state expansion for what they are. With this perspective in mind, what is the likelihood that I would be overzealous in my determination of logical fallacies in an argument that is easy to misconstrue as supporting state expansion? My honest answer is “quite high”. However, I write this essay while consciously aware of this answer, and I invite all corrections mandated by an honest pursuit of truth.

4.2. Other Ideologies

If the determination of validity of a complex scientific theory is a probabilistic process, then one would expect the proportion of believers to non-believers to reflect the strength of the argument. If the determinators and propagators of the scientific consensus reports are correct, then this consensus itself constitutes a strong argument in favor of the theory’s validity. This argument fails, however, if the determination of validity is systematically biased. If it is possible for my political ideology to influence my determination of validity, then certainly people of other political ideologies are not exempt, especially when they are not consciously aware of their biases.

Anti-market bias is a documented phenomenon even among people who do not openly advocate the abolition of capitalism. Individuals with this bias will be predisposed to the belief that industrial activity is harmful, and that government intervention is necessary to curb its harmful effects. It goes without saying that the opposite is true: industry is overwhelmingly positive for human well-being and in those cases where it is harmful, the adverse effects of government mitigation inevitably outweigh the benefits.

Mother Nature is a human archetype present in a wide array of cultures throughout history. The pre-historic human tribes who were predisposed to the belief in the spirit of the environment no doubt had an evolutionary advantage over those who were not. Early humans who avoided over-hunting or over-burning because that would anger the Earth-goddess were inadvertently improving the conditions for life in their environment, thus benefiting them indirectly because they were in symbiosis with it. Modern-day environmentalists likely tap in to this archetype, even when they don’t explicitly worship Gaia. Nevertheless, the existence of this bias does not void all environmental concerns.

Sponsorship Bias is the tendency for science to support the agenda of whoever paid for it. It is the reason why published papers are required to disclose its funding sources, so that critics know when to receive strong claims with more or fewer grains of salt. Sponsorship bias is frequently attributed to institutes that are critical of global warming alarmism such as the Heartland Institute and Prager University, owing to their funding coming in part from oil companies. However, the same argument works in reverse as well: if being funded by oil money skews the science towards supporting oil interests, then so does being funded by government programs skew the science towards supporting government programs.

5. Conclusion

Some time before leveling the accusation of ideological investment, people ask whether I believe in global warming, usually with negated-question grammar. I find the question particularly telling because the choice of words highlights the distinction between religion and science. On the one hand, “belief” refers to an unconscious worldview or a conscious leap of faith. On the other hand, a “belief” can be a working model of the universe and source for testable hypotheses. Only the second sense is meaningful8 in a scientific context.

The catastrophic anthropogenic global warming theory is just that — a theory, looking to be falsified or borne out by the evidence. An admittedly cursory examination of this evidence raises more questions than it answers, and chiefly of an epistemological nature. Rather than welcoming the skepticism and criticism as a means with which to refine the science, the alarmists dismiss the skeptics and critics as dangerous ideologues and their arguments as religious superstition. However, it is precisely the orthodoxy, the irrational confidence of believers, the call to sacrifice, the state sponsorship, the demonization of heretics and the call to jail them, that have more in common with the ugly end of religion than with open discussion and an honest search for truth. Climate change is not a question for religion. Let’s return to science.

Spooky Security at a Distance: The Controversy of Quantum Key Distribution*

*: An alternative title is obviously: Safe By The Bell.

TL;DR. Quantum cryptography offers the best of both worlds: security and quantum weirdness. In particular, quantum key distribution (QKD) is often claimed to offer “unconditional security based on the laws of physics”, a claim which is easily seen to be false. However, QKD does seem to be qualitatively more powerful than anything classical cryptosystems have to offer. This essay takes a critical look at the interplay between QKD and traditional cryptography by visiting the necessary background and summarizing the relevant concepts and context from a layman’s point of view.

1. Introduction

In the modern information age where computers are all around us, the need for computer security is greater than ever. It is no exaggeration to say that just about all our communication and financial infrastructure is protected by cryptography, the branch of computer security that deals specifically with protecting information. Calls to conduct government elections and identity management electronically should take their computer security requirements into careful consideration, or risk sacrificing national sovereignty and personal freedom to the whims of sufficiently sophisticated attackers — attackers who are sure to keep their algorithmic and technological advantages secret, thus making the estimation of security a very subtle game indeed.

Quantum technologies, i.e., devices that exploit quantum mechanical properties in a way that classical devices cannot mimic, are one recent development that is bound to dramatically affect the cryptographic landscape. While the end-goal of large-scale quantum computers is, despite significant resources devoted to the project, (presumably) not yet technologically feasible, detectors that measure the polarity of individual photons are already commercially available. Perhaps surprisingly, this on-going proliferation of quantum technology is causing a rift in the cryptographic community. On the one hand, the physicists are hailing the advent of photon detectors as enabling quantum key distribution and, by proxy, as the key to generating unconditional security — security beyond the traditional computational problems that are merely assumed, without proof, to be intractable. On the other hand, the mathematicians reject this notion of security guaranteed by physics; instead they prefer to stick to traditional computing hardware and design classical cryptographic algorithms to resist the end-game attacks by large-scale quantum computers.

Which side is right? The computer scientists, of course, because only they offer the proper computational perspective on the interplay between quantum mechanics and hard mathematical problems. More importantly, it is computer science and its parent, information theory, that offer the only rigorous definitions of security, namely in terms of confidentiality and authenticity. It makes sense then, to take a computer-scientific approach to assess the physicists’ and mathematicians’ claims. This essay does just that — it considers quantum key distribution from the point of view of theoretical computer science and cryptography by offering the layman reader an introduction to the subject matter and the necessary background. In the process we cover security-by-assumption; the strong Church-Turing hypothesis; quantum computation and entanglement; non-local-realism; Bell inequalities; and many more violations of common sense.

2. Cryptography

Cryptography is the science of protecting sensitive information against being read, modified, or otherwise used for nefarious purposes. While the use of cryptography dates back to the Ancient Greeks and beyond, the scientific investigation into this field of study is much newer, coinciding in large part with the information theory and computer science revolutions of the Twentieth Century. This coincidence is no accident as computers are experts at rapid information processing and are consequently the natural allies both of those who routinely generate and use sensitive information, but also — especially — of those who would attack its cryptographic safeguards.

2.1. One-Time Pad and Computational Security

One major result at the onset of this revolution is the proof by Claude Shannon — inventor of the eponymous information theory — that the one-time pad offers security against computationally unbounded adversaries1. Informally, by adding enough noise to a message, it becomes completely indecipherable to the eavesdropper, even though the intended receiver might be capable of reproducing the exact same stream of noise and thus recover the message. The label “unconditional security” is often applied when it is implicitly understood that the attacker fits the mathematical model and sees only the ciphertext in transit. By contrast, no such guarantee is offered against the attacker who violates this model by having access not only to the ciphertext in transit but also to another channel on the side — such as a watchful eye over the sender’s shoulder when the noise is added, or its equivalent in terms of a power consumption trace.

Unfortunately, unconditional security comes at the rather cumbersome cost of secret keys that must be at least as large as the message. Moreover, these keys must be distributed ahead of time, oblivious to the length of the message that is only chosen afterwards. In response, cryptographers have designed ciphers that mimic the one-time pad except for requiring only a relatively small key, independent of the message length. These ciphers do not offer unconditional security but computational security. That is to say, security only holds under an additional assumption to the effect that certain computational problems are hard to solve. This strategy of security by assumption may seem odd at first sight. However, considering that since the very successful standardization of the Belgian-designed AES algorithm2, the worldwide effort by cryptanalysts to break it have led essentially nowhere, it is fair to say that the entire computer security community is on board with this assumption. Moreover, any meaningful result on computational hardness would imply $\mathbf{P} \neq \mathbf{NP}$, the biggest unproven conjecture in all of computer science. This result would not only prove one of the seven millennium problems; it would also confirm mathematician’s suspicions that the other six are actually hard. Requiring a mathematical development of this magnitude seems like an unreasonably high bar for secure cryptosystems to pass.

2.2. Diffie-Hellman Key Establishment

Unfortunately, the shift towards computational security does not solve everything. Two parties wishing to communicate securely must still agree on a key beforehand, or else the eavesdropper will intercept the key and decrypt all subsequent traffic. Moreover, suppose $n$ parties wish to communicate; then there must be $n(n-1)$ shared keys for a complete graph. This strategy does not scale well.

A revolutionary solution to this problem was proposed by Diffie and Hellman in 19763, and for which they since won the Turing award. Their protocol, now called Diffie-Hellman key agreement, relies on the algebraic properties of groups as well as on the computational difficulty of computing discrete logarithms in them.

Consider for example $\left(\mathbb{Z}/p\mathbb{Z}\right)^*, \times$, the multiplicative group of integers modulo a large prime $p$. The discrete logarithm problem asks to compute $x$ from $g$ and $g^x \,\mathsf{mod}\, p$; there is no known efficient algorithm to perform this task on regular computers. Two parties, Alice and Bob, can use this group to establish a shared secret key by sending messages over an insecure channel; the eavesdropper cannot obtain this secret key.

The protocol proceeds as follows. First, Alice and Bob agree on a group element $g$ which will serve as the base number. Alice chooses a random integer $a \in \{0,…,p-1\}$ and sends $g^a \,\mathsf{mod}\, p$ to Bob; Bob mirrors this action by choosing a random integer $b \in \{0,…,p-1\}$ and sends $g^b \,\mathsf{mod}\,p$ to Alice. The group’s associative property guarantees that Alice and Bob can combine their own secret information with the message from the other to obtain a new group element $k=(g^a)^b=(g^b)^a \,\mathsf{mod}\,p$ which they use as the secret key for subsequent communication. On the other hand, the passive eavesdropper sees $g, g^a \,\mathsf{mod}\, p, g^b \,\mathsf{mod}\,p$ but this is not enough information to find $k$ efficiently. While there is no proof that obtaining $k$ from these values requires as much work as solving the discrete logarithm problem, in practice only groups are used in which this is widely believed to be the case.

Unfortunately, the Diffie-Hellman key agreement protocol only protects users from passive adversaries, i.e., adversaries who are content to only eavesdrop. By contrast, active adversaries who are capable of blocking messages and injecting them, are also capable of undermining the security of the protocol using a so-called man-in-the-middle attack. In short, the man-in-the-middle masquerades as Bob to establish a key with Alice; and masquerades as Alice to establish a key with Bob. Alice and Bob both think they have established a secret key with each other, but in reality they have both only established a secret key with the adversary. Any subsequent messages that are encrypted under one key are first decrypted by the adversary and then encrypted again under the other key before they are passed on.

The way security proofs get around this problem is by assuming it away. In particular, the authenticated links model explicitly states that the adversary is only passively observing and not blocking or modifying traffic4. The way this is solved in practice is by pre-distributing keys used for signature verification. Alice and Bob sign all their outgoing messages; they verify the authenticity of the incoming messages by verifying the attached signatures. The adversary cannot forge signatures on new messages because he is ignorant of the secret key. However, this solution requires that keys be distributed before communication begins, defeating the purpose of requiring no pre-shared information in the first place.

It is possible to separate signature verification from signature generation by requiring different keys for these operations. The private key, kept secret, is necessary for generating signatures, whereas the public key, broadcast to the world, is necessary for verifying them. The public keys themselves may be signed by yet other private keys and through a sequence of hierarchical hops reach a central authority. This strategy, called public key infrastructure, at least solves the scaling problem by requiring only a constant number of authority keys to be shared (as opposed to $O(n^2)$), although this solution comes at the cost of introducing a single point of failure.

2.3. The Quantum Revolution

Of course, any proposition about security that simultaneously reduces to computational hardness assumptions and claims to offer security in the real world, implicitly relies on a notion of computations that are physically realizable and at an acceptable cost. The first headway into answering this question was made by computer science pioneers Alonzo Church’s and Alan Turing’s formalizations of computation5 6 and the subsequent formulation of the Church-Turing hypothesis. Properly interpreted as a qualitative proposed law of nature, this hypothesis states that any process occurring in nature can be simulated by a Turing machine, a mathematical abstraction of what it means to compute due to Turing and inspired by Church’s lambda calculus. No physical experiments conducted thus far have indicated that the hypothesis as stated is false. Consequently, this has led computer scientists and physicists to pose a stronger version of this hypothesis, stating that all natural processes can be simulated efficiently 7 By contrast, this strong Church-Turing hypothesis seems to be — most emphatically — probably false.

In the 1990’s a series of results by pioneers in the field of quantum computation give strong evidence that quantum computers — computers that exploit the peculiar properties of quantum particles — are capable of solving some computational problems asymptotically more efficiently than classical computers. This string of results on quantum algorithms culminated in Shor’s celebrated work, which shows that the integer factorization and discrete logarithm problems, while difficult on classical computers, are in fact easy on quantum computers8. Not only is Shor’s algorithm strong evidence that the strong Church-Turing hypothesis is false; it is also practically relevant as it breaks the security of the Diffie-Hellman protocol described above. The situation is even worse: switching to RSA or to elliptic curve cryptography (ECC) will not help as RSA crucially relies on the difficulty of the integer factorization problem and elliptic curve cryptography on the general formulation of the discrete logarithm problem — both of which are still susceptible to Shor’s attack. In fact, in the foreseeable future when large-scale quantum computers exist, most public-key cryptography widely deployed today will become insecure. More importantly, information encrypted today can be stored for the future at very low cost until a point at which quantum computers do exist; from this point of view, Diffie-Hellman, RSA and ECC are already insecure.

In response to this threat, researchers are designing and developing post-quantum cryptosystems — cryptographic algorithms that can be executed on traditional computers but promise to offer security even against quantum computers9. The way these cryptosystems accomplish this feat is by reducing their security properties to other computational hardness assumptions, notably different from the integer factorization and discrete logarithm problems and hence very arguably immune to Shor’s attack. While the selection of post-quantum cryptosystems is large enough to sustain a scientific discipline in and of itself, they suffer from two significant disadvantages. One, they are inefficient in one way or another: either the public key, message size, or computational requirements are rather large, thus making their adoption an unattractive course of action. Two, they rely on relatively under-studied cryptographic hardness assumptions; anyone who uses a post-quantum cryptosystem over RSA or ECC is consequently making a larger gamble with respect to security. Nevertheless, in some cases such as hash-based signatures, the security can be reduced to assumptions which are already commonplace; cryptographic assumptions so minimalistic that if they turn out to be false, no computationally-secure cryptography whatsoever would be possible in the first place.

3. Quantumness

Quantum particles behave in undeniably peculiar ways. For instance, the complete description of a system of $n$ qubits — i.e., $n$ independent binary properties of quantum particles — requires a vector of $2^n$ complex numbers with Euclidean length one; we refer to this vector as the system’s state and denote it using Dirac ket notation: $|a\rangle$. By contrast, the complete description of n classical binary variables requires $n$ bits. In this sense, a quantum system is much more akin to a probability distribution over strings of $n$ bits; a complete description of such a probability distribution requires $2^n$ real numbers between zero and one and whose sum is one (as opposed to its sum-of-squares).

This comparison of quantum states to probability distributions is no accident. Every quantum state associates a complex-valued amplitude to each observable event. By squaring the modulus of this number, one obtains the probability of measuring this outcome. However, upon employing measurement, the quantum state collapses; it assumes amplitude one in the component associated with the observed event and amplitude zero in all other components. While this sounds familiar to sampling classical probability distributions, the surprising fact is that quantum states exist — it is possible to define and perform experiments whose observations cannot be explained without recourse to this exponentially-large complex-valued state vector. By contrast, classical probability distributions are merely a method invented by humans to cope with hidden variables that do have a definite but unknown value.

In the terminology of quantum physicists and quantum computer scientists, an impure quantum state constitutes a superposition of values. Moreover, by manipulating the particles used to represent these qubits it is possible to generate constructive or destructive interference i.e., cause the amplitudes add or cancel out. Moreover, it is possible to generate quantum states where measuring one particle only partially collapses the state, because the other particles still remain unmeasured. This phenomenon is known as entanglement and has generated much controversy in the past.

3.1. The EPR Paradox and the Bell Inequality

Entanglement means that measuring one particle can influence the probability distribution associated with measuring another particle. In other words, one cannot reason meaningfully about counterfactual observations because the world in which the experiment is performed is fundamentally different from the world in which it isn’t. If this idea makes you uncomfortable, you are in good company. Albert Einstein famously rejected this notion, insisting that Nature had to follow the principle of realism: reality does not change depending on whether you observe it or not. Phrased differently, the moon does not pop into existence the second you decide to look at it.

Together with co-authors Podolsky and Rosen, Einstein formulated a seemingly devastating blow to the theory of quantum mechanics10. The EPR thought experiment takes two entangled particles and separates them in space by a large enough distance. Then quantum mechanics predicts that the act of measuring one particle will exert an influence on the other particle, as borne out by a different probability distribution associated with measuring it, faster than the speed of causality. While Einstein understood that this principle could not be used to transmit information — thus not violating the second fundamental postulate of special (and general) relativity outright — this sense of influence-faster-than-causality certainly violates the spirit of relativity, and gave rise to the fantastically playable phrase “spooky action at a distance”.

The EPR paradox subtly sneaks in a second assumption about Nature, in addition to that of realism. In order for this “spooky action” to have to travel in the first place, the information describing one particle’s state, before and after measurement, has to be localized — independent of other events elsewhere. Phrased differently, the moon exists whether or not the sun is shining. This principle of locality, in conjunction with its brother realism, is known as local-realism; the contradiction predicted by quantum mechanics is known as non-local-realism.

Twenty-nine years after the publication of the EPR paradox, a physicist by the name of John Stewart Bell showed that local realism is not just a philosophical ponderance; it is a falsifiable hypothesis about nature11. In other words, it is possible to perform experiments whose measurement results will indicate whether we live in a local-realist world or not. The intuition is as follows. If Einstein’s conception of quantum mechanics is correct, then there exists information hidden inside a quantum system that determines the measurement outcome. By preparing the system in a controlled manner, this hidden information is guaranteed to follow a probability distribution, and by performing the experiment many times the observed variables are guaranteed to follow that probability distribution, even if these observables measure in large part the same property.

By contrast, quantum mechanics precludes any such probability distribution where the same property can be independently sampled by two different observables. The first measurement will influence the state and the second measurement measures a different state, hence giving rise to other borne probabilities. Unfortunately, this state collapse makes the system look as though it was behaving conformant to local-realism the entire time and any measurement following the collapse cannot decisively indicate non-local-realism. Bell’s crucial insight was that the world-distinguishing information is not located in individual measurement variables, but rather their correlation, or more generally, their mutual relations.

Consider this excellent example due to Sakurai12, of a quantum system consisting of two perfectly entangled photons having an unknown but equal polarization. The photons are sent to Alice and Bob, at opposite ends of the universe. Their polarizations are measured along one of three axes, $x$, $y$ and $z$, each $120^\circ$ apart and in the plane but such Alice’s set of axes coincides with Bob’s. Obviously, if they choose to measure along the same axis, they are guaranteed to obtain the same result, 1 (the photon detector fires) or 0 (no activity is registered).

If it is true that the photons’ polarization is completely fixed and independent of the measurement at either end of the universe, then whatever preparation device that produces the photons follows a probability distribution $p(x,y,z)$ describing the probability of observing the photon at any of the three axes. Being a probability distribution, the sum over all events of that event’s probability equals one:

$$ \sum_{x \in \{0,1\}} \sum_{y \in \{0,1\}} \sum_{z \in \{0,1\}} p(x,y,z) = 1 \enspace .$$

Moreover, Alice and Bob’s measurements don’t influence the state of the quantum system; they merely obtain information about it. Consequently, their joint statistics may be used to qualify this probability distribution, for example in the following way.

$$ {\rm Pr}[x=y] = p(0,0,0) + p(0,0,1) + p(1,1,0) + p(1,1,1) $$
$$ {\rm Pr}[x=z] = p(0,0,0) + p(0,1,0) + p(1,0,1) + p(1,1,1) $$
$$ {\rm Pr}[y=z] = p(0,0,0) + p(1,0,0) + p(0,1,1) + p(1,1,1) $$

The sum of the probabilities of these non-mutually-exclusive events must thus satisfy $$ {\rm Pr}[x=y] + {\rm Pr}[x=z] + {\rm Pr}[y=z] = 1 + 2p(0,0,0) + 2p(1,1,1) \geq 1 \enspace . $$

In the intuitive words of Preskill, “whenever three coins are on the table, and each one is either an H or a T, then at least two of the three have to be the same”13. However, Alice and Bob experimentally confirm that ${\rm Pr}[x=y] = {\rm Pr}[x=z] = {\rm Pr}[y=z] = (\mathsf{cos} \, 120^\circ)^2 = 0.25$ and hence

$$ {\rm Pr}[x=y] + {\rm Pr}[x=z] + {\rm Pr}[y=z] < 1 \enspace , $$
thus violating the Bell inequality.

In practice, experiments prefer to use the less accessible CHSH inequality14. However, the same principle is used: EPR local-realism and quantum entanglement predict different measurement statistics. Since Bell’s original 1964 paper, there have been many variants of his equation and even more experimental validations — that is to say: violations of the inequality — deciding in favor of the non-local-realism of quantum mechanics beyond reasonable doubt.

3.2. Quantum Key Distribution

So if we can’t observe particles without disturbing them, how about using this to our advantage? Specifically: certain actions are quantum mechanically impossible; can we put these impossible tasks on the only path between the attacker and our sensitive information, in the same sense that computationally infeasible tasks block this path now? The answer is yes, it is possible to use quantum mechanics to protect information. It turns out entanglement isn’t even required.

In 1984, two researchers by the name of Bennet and Brassard proposed what is now known as the BB84 protocol: a mechanism for key distribution relying on the polarization of photons15. Alice chooses a string of bits from which to derive the key. She then sends a string of individual photons where each bit of her secret bit string is encoded in the photons’ polarization, with respect to rectilinear ($+$) or diagonal ($\times$) bases as determined by random coin tosses. Bob measures the incoming photons with respect to rectilinear or diagonal bases as determined by his own random coin tosses. Whenever Bob chooses the same basis as Alice, there is a small probability of the photon not being measured at all, but if it is measured it is guaranteed to produce the same bit Alice sent. On the other hand, if the photon is measured in opposite bases, Bob’s measured bit will be uniformly random.

After measuring the photons with respect to random bases, Bob announces these chosen bases to Alice over a public classical channel, along with an indication which bits were actually received. Alice responds by identifying which choices of basis were correct, thus indicating which of Bob’s measured bits are identical to Alice’s. A few of these correct bits are also exchanged just to guarantee with high probability that there is no eavesdropper on the quantum channel.

Security is guaranteed by the following rationale. Suppose an eavesdropper named Eve is observing the photons on the quantum channel with respect to her randomly chosen bases. And suppose she sends out new photons towards Bob with the polarization that she measures. Then whenever Alice and Bob used the same basis, there is a $1/2$ chance that Eve’s basis is opposite. If this is the case, Bob’s measurement will be the same as Alice’s with probability $1/2$. So by exchanging $k$ agreed upon bits in the last step, Alice and Bob reduce the probability of a successful eavesdropper to $(3/4)^k$. Table 1 is drawn straight from BB84’s paper and summarizes the steps involved.

Table 1. The BB84 protocol in action.
Table 1. The BB84 protocol in action.

In 1991, a couple of years after the BB84 protocol, Artur Ekert proposed another construction for key distribution based on quantum entanglement16. While Ekert’s protocol is rather more difficult to realize physically, the security guarantees it offers are vastly different from the ones offered by the BB84 protocol, so it is certainly worthwhile to take both protocols into account.

In Ekert’s protocol, the quantum channel consists of a source of pairs of entangled particles sent to opposite ends of the channel. The emitted particles are in the singlet state: $|S\rangle = 1/\sqrt{2} |\uparrow\downarrow\rangle – 1/\sqrt{2} |\downarrow\uparrow\rangle$, guaranteeing that whatever spin is measured at one end, the other end must measure the opposite spin provided the same basis is used.

Both Alice and Bob measure the particles headed their way in random bases. After this measurement, they communicate over a public classical channel to determine in which cases both Alice and Bob registered a measurement in the same basis. At this point, they release the measurements obtained when their measurement bases were unequal; this allows them to determine statistical variables for which the CHSH inequality (an inequality of the Bell family) should be violated if the particles are properly entangled.

An eavesdropper who measures the particles’ spin in random bases just before the particle reaches Bob and then sends out a new particle with the measured spin, cannot violate the Bell inequality. Consequently, this eavesdropper will be detected with very high probability.

The reliance on Bell’s inequality removes the requirement to trust the device that produces the quantum particles to be honest: malicious devices cannot pass the Bell test. Consequently, this type of quantum key distribution is called device-independent.

3.3. Authentication

At this point we have glossed over a key assumption on the adversary: he can look, but not touch. In other words, the adversary is assumed to be somewhat passive. While he is allowed to read messages, his cannot block, modify, or create them.

Of course, in a realistic scenario, the adversary is capable of active intervention. In this case, he can perform the man-in-the-middle attack: impersonate Bob in the eyes of Alice, and impersonate Alice in the eyes of Bob. Both Alice and Bob think they’re establishing a secure connection to the other, but in reality they are only establishing a secure connection to Eve, the (wo)man-in-the-middle. Even the Bell test cannot help because at most it will indicate that Alice’s connection to Eve and Bob’s connection to Eve were both generated using properly entangled particles.

In practice, the only way to block a man-in-the-middle attack is to authenticate the messages that are sent over the public classical channel. This variant of digital signatures allows the receiver, who knows the secret key, to verify beyond doubt that the messages were sent by the other owner of the secret secret key and that the messages were not modified in transit. Under the assumption that the adversary does not know this secret key, an authentication scheme thus offers two properties: entity authentication, the sender is who they say they are; and data integrity authentication, the data has not been tampered with. Unfortunately, any secure authentication scheme requires a pre-shared secret key, thus cancelling in large part the very point of quantum key distribution in the first place. Moreover, the authentication schemes used in practice, for example in internet protocols such as TLS, rely once again on hard problems to guarantee security. But the whole point of QKD was to not have to rely on computational problems at all!

Fortunately, though, the outlook for quantum key distribution is not quite as bleak. There exist unconditionally secure authentication schemes whose security does not rely on the intractability of computational problems, such as the Wegman-Carter scheme17. The reason they are not used in TLS, for example, is because they consume secret key material as they are used, in the same sense that the one-time pad consumes secret key material as it is used. Use the same secret bits twice and the security of the scheme is broken. However, in the case of authentication and in contrast to encryption, the length of the secret key can be shorter than the processed data. This means that it is possible to use a short shared secret key to authenticate quantum key distribution which then generates a longer shared secret key. From this point of view, the term quantum key distribution is a misnomer; it should be quantum key-length extension.

4. Criticisms of QKD

Quantum key distribution can obviously offer security properties that classical cryptography is incapable of offering. So why is the reception of quantum cryptography lukewarm at best among traditional cryptographers? We explore several possible reasons.

4.1. Implementation Issues

Quantum key distribution is not just an idea; it is supposed to be implemented in practice using physical matter. Consequently, it might be very difficult or even impossible to engineer this physical matter into behaving according to the protocol. Conversely, the adversary against which the protocol is supposed to protect might have access to the physical device through side-channels that the security model does not account for.

The possibility of side-channel attacks was observed in the very first practical demonstration of the BB84 protocol, which the authors describe as being “unconditionally secure against any eavesdropper who happened to be deaf! :-)”18. Indeed, the listening adversary could hear the polarization filters rotating and would be able to infer the chosen bases from the sound. Another example considers the difficulty of generating a laser pulse containing exactly one photon. But if the pulse contains multiple photons, the adversary can get away with measuring the polarity of one of the superfluous ones, leaving the one photon that travels all the way to Bob intact. A final example considers an implementation attempting to get around the rotating filters problem by generating photons of different polarization by different sources. Unfortunately, this implementation does not take into account that different sources have a unique spectral signature, which grants the adversary access to another side channel leaking information on the chosen bases. An excellent survey of practical issues is due to Scarani and Kurtsiefer19.

It is clear that requiring specialized hardware for instantiating quantum key distribution protocols generates its own set of specific problems, each one requiring significant engineering considerations to circumvent. By contrast, traditional cryptography is by design implementable on standard computer hardware. The all-too-common pitch that quantum key distribution offers “security guaranteed by the laws of physics” is clearly false if the adversary has side-channel access to the QKD devices. Likewise, the security of traditional cryptographic algorithms breaks down whenever the attacker has side-channel access to the computing device — but in this case at least the notion of “side-channel access” is well-defined and empirically bounded: power consumption, timing information, acoustic and electromagnetic wave emanation, voltage of probed wires … and that’s about it. In order to instantiate secure quantum key distribution, one has to take into account many more, vastly different, and unpredictable side-channel attacks.

4.2. Quantum Eavesdropper

It is tempting to compare the adversary in the quantum key distribution protocols with the passive adversary in classical key distribution protocols. However, this comparison does not quite hold. The passive adversary in classical cryptographic protocols is allowed to observe data in passing; he is merely not allowed to modify. By contrast, in the quantum case observing is modifying; by making observation and modification inseparable, quantum key distribution is introducing a model that is simultaneously weaker and stronger than the passive model of classical protocols, albeit for good reason (i.e., the laws of physics).

Except, observation is equated to measurement, which necessarily collapses the state. However, especially in the realm of quantum phenomena there exist manipulations which are more subtle than measurement but nevertheless akin to observation. In particular, consider the quantum computer20 that, having access to its own, secret qubit prepared in the state $|s\rangle = |0\rangle$ manipulates the photon heading to Bob by performing the computation $|b,s\rangle \mapsto |b,s\oplus{}b\rangle$. This quantum operation is unitary and does not violate the no-cloning theorem because after the computation is done the eavesdropper’s qubit is not independent of the passing photon; by contrast, it is perfectly entangled with it. Once Bob makes known the bases in which he measured, then the quantum computer uses the same basis to measure its secret qubit, thus obtaining the exact same bit Bob obtained.

Ekert’s protocol implicitly deals with this attack as it is a subcase of the explicitly considered situation in which three entangled particles rather than two are emitted by the source. Bell’s inequality comes to the rescue: the statistical test cannot be satisfied if three particles are entangled rather than two. In other words, not only can the Bell test distinguish between some entanglement and no entanglement; it can also distinguish between some entanglement and even more entanglement. While the adversary can get away with eavesdropping on a few particles in this manner, the probability of this misbehavior being noticed rises with the number of ‘observed’ particles. This is precisely the reason why quantum key distribution protocols are often enhanced with another “privacy amplification” step, in which the string of shared secret bits of which the adversary might know some individual bits is transformed into a bitstring of which the adversary does not know any individual bits but instead some minimal amount of general information.

However, the BB84 protocol is vulnerable to this attack precisely because there is no Bell test. More importantly, there cannot be a Bell test in the BB84 protocol because there is no entanglement; there is no “third coin” whose non-existence must be indicated by the statistical information. Phrased differently, there is no counterfactual event whose occurrence would have caused different observations. The measurement statistics in this protocol conform to local realism.

However, it is not clear that even if quantum computers can be built that they should also be capable of intercepting photons, computing on the qubit represented by its polarization, and send out a photon with a polarization matching a given qubit. Nevertheless, this possibility is implied by the conjectured possibility of quantum routers and relays that enable quantum key distribution across many hops and storing them in quantum memory for a little while at each point. Moreover, the alarming fact is that this attack is not ruled out by quantum physics. Quantum key distribution is, after all, one of the proposed solutions to the threat of quantum computers and their break of widely deployed public key infrastructure. It would seem that the claims of security against quantum computers are restricted only to device-independent QKD.

4.3. Nothing Wrong with Computational Security

Perhaps most fundamentally, the chief selling point of quantum key distribution attests to a deep-seated distrust in computational hardness assumptions — a distrust that cryptographers, in general, are unlikely to share. It is fairly reasonable to assume that the discrete logarithm and integer factorization problems may one day be easy; Shor’s algorithm predicts as much. However, it is another thing altogether to conjecture that AES will one day be easy to break or that collisions to SHA2-256 will one day be found. Cryptographers will not take the people who make these claims seriously unless they are preceded by breakthrough results. However, anyone who prefers the clearly-not-unconditional security of quantum key distribution over the merely-computational security offered by AES or SHA2 is implicitly making exactly these claims. QKD proponents who don’t want to make these claims even implicitly must consequently argue for quantum key-length extension until the shared key reaches 256 bits, after which point computational cryptography over the classical channel is perfectly adequate. But in this case the usefulness of QKD is restricted to the world in which it is feasible to establish shared and perfectly secret strings of less than 256 bits but for some reason it is not feasible to do the same for a string of 256 bits or longer.

Nevertheless, there is eminent justification for skepticism regarding the conjectured computational difficulty of the problems underlying post-quantum cryptosystems for public key encryption and Diffie-Hellman key agreement. These problems are after all new and under-studied, and don’t secure large monetary rewards for whoever solves them. However, perhaps one day, after resisting many years of attempted cryptanalysis and being duly recognized by national and international standardization bodies, a subset of these problems can achieve the same status as AES and SHA2 — and inspire the same confidence. Indeed, not only is this likely to happen, it is the desirable outcome. At that point, the same criticism applies to quantum key distribution: what advantage does it offer over a classical cryptosystem relying on hard problems that are trusted anyway?

5. Conclusion

Quantum physics speaks to the imagination because it is so viciously counter-intuitive. It rejects many rules of thumb that make perfect sense in the macro world, such as counterfactual events having well-determined outcomes; or such as information having to travel in order for one event to exert influence on another. It is all too easy to ascribe some mystical properties to the workings of quantum mechanics because to the uninitiated it truly is indistinguishable from magic.

To a lesser degree, the field of cryptography is also familiar with this mysticism. Cryptography deals with problems that are difficult by design — they must be, because otherwise they would be ineffective. In the eyes of popular science it takes many years of studying complex mathematical formulas before being able to grasp this spirit of difficulty.

It is perfectly understandable then, that the combination quantum + cryptography speaks to the imagination beyond what either branch is capable of by itself. It is a self-selling sales pitch that lodges itself firmly in the pitchee’s mind in that special place allocated for whatever thought is capable of producing a sense of wonderment about the world. No doubt this enticing nature has helped secure funding on the topic for many years to come.

Except, that’s not how science works. It is wrong and unscientific to worship the priests for informing us about the truth. It is a disservice to all three fields — quantum information theory, cryptography, and the overlap — to ascribe importance to the technology of quantum key distribution due to its perceived mystical properties. The researchers in these fields hold themselves to the highest (and most definitely anti-mystical) standards of verifiability and reproducibility and to pretend otherwise is to level an insult. Either quantum key distribution produces material benefits or it does not, and the quality of this invention should be assessed accordingly.

Without a doubt, we have seen that quantum key distribution is capable of offering security properties that no classical cryptosystem can offer. However, the setting in which these special security properties become relevant is rather artificial and constrained. By contrast, the promulgation of quantum key distribution technologies seems to focus on the BB84 variant, which introduces a whole host of new security hazards, to the point where the claimed security “benefit” is very dubious indeed.

In the end, it will not be the theoretical computer scientist who decides which technologies are useful and which are not — nor should it be. It will instead be the engineer who plots graphically the implementation cost on one axis against the security requirements on the other, and comes to a conclusion based on considering the relative positions of all competing options. Quantum key distribution may well occupy a location on this graph that justifies its existence. But until quantum key distribution proponents take the existence of this cost-benefit-graph into account and pinpoint QKD’s location on it, QKD is bound to remain only a theoretical exercise with the occasional proof of concept supporting its physical possibility.

Formal Ethics, Provable Justice

TL;DR. Automation in the information sector is bridging the gap between human cognition and physical reality. It behooves humanity to apply these fruits of scientific advancement to ethics and the institutionalization of law. This essay attempts to show that it is possible to ground ethics on a rigorously logical foundation and derive provable ethical theorems. In combination with the ongoing cognitive automation that allows humans to relate ethical formalisms to real human conflicts, this development paves the way for a world in which all human conflicts are resolved in a provably just way. Realizing the political reforms mandated by an independent and provably correct ethical philosophy, as proposed in this essay, is the only way to completely eradicate systemic injustice.


The Rise of Automation

Of the many scientific advances of the last centuries, not one has more profoundly affected the course of human history — or indeed, human imagination­­᠎ — than the rise of automation. Beginning in the mid Eighteenth Century, automation in agriculture has generated an ever-increasing, ever-urbanizing global population. The automatic production of vaccines, medicines and hygiene products has eradicated infectious diseases such as smallpox and polio, and limited the scope or prevented the outbreak of many others. For good or for ill, the automatic production and deployment of instruments of war has dramatically escalated the destructive potential of power-wielders. However, all these advances pale in comparison to the ubiquity of information and processing power offered by the pinnacle of automation: computers and the internet.

Just as human strength is limited, so is human precision and brain power. While precise and computationally-heavy tasks are often relatively difficult to automate, any such automation will increase product quality, essentially bringing to life products that could not exist before. Especially in sectors where lack of precision or presence of errors can lead to disastrous consequences, such as finance, medical diagnostics, or construction design, computerized tools are indispensable.

While human labor is often the bottleneck, it is also the most fungible and therefore the most valuable resource. As superior machinery replaces humans, these humans (in contrast to their supplanters) are capable of finding employment in other sectors, potentially satisfying a societal need that previously went unsatisfied. Thus, the effect of automation is not limited to whatever sector the change occurs in, but positively affects society as a whole. From this point of view, automation is the driving force that sets mankind free from the fundamental constraint imposed by nature: the scarcity and limited quality of human labor.

Cognitive automation, in the form of intelligent programs, is reaching the higher levels of human thought. Semantic search is at our fingertips, automatic translation of documents only a mouse-click away, and spam filters block even the richest Nigerian princes. AI researchers are producing neural networks that are capable of dreaming, recognizing images and speech, beating the world champions in Jeopardy!1 and Go2, and even writing scientific papers accepted to peer-reviewed journals3. As fewer traditionally human-dominated tasks appear immune to automation, it seems inevitable that this automation will become even more ubiquitous and affect society even more profoundly.

The Gap of Rigor

Another triumphant scientific breakthrough of the last century is the complete formalization of logic and the classification of valid laws of logical inference. By emphasising syntax rather than the semantics, formal logic is capable of encompassing all of mathematics by reducing even its most sophisticated proofs to tiny, individual steps of rigorously verifiable logic. Any proof that is not at least in theory reducible to formal logic is not accepted as valid by peers in the mathematical community. Moreover, there already are computer programs such as Coq and Mizar for mechanically verifying formal proofs. The QED Manifesto4 envisions a world in which all mathematical proofs are presented in a formal, computer-verifiable language, as this formal presentation offers the only reliable method to distinguish valid proofs from invalid ones with absolute certainty.

Unfortunately, the adoption of computer-verifiable proofs is slow at best. The underlying notions in any given mathematical theorem or proof are chosen precisely because they are semantically meaningful to the problem at hand. The mathematicians responsible for creating such “semantically deep” objects do so by stacking layer upon layer of abstractions and definitions on top of the indivisible units of the underlying formal system. A full formalization would require writing an exponential number of highly redundant atomic symbols, not to mention the effort on the part of the mathematician required to master a skill as tricky as writing formalized proofs. Such a devotion to formalism hardly seems worthwhile when other experts in the field are satisfied with much less; any surplus effort is more prudently expended on the next brilliant research idea.

Nevertheless, the benefit of formalized proofs should be obvious: they completely eradicate the possibility of error. As all humans are fallible, so are both the mathematicians that write proofs and the ones that verify them. Peer-reviewed and published mathematical proofs are bound to contain errors — and, indeed, they do. Currently, the only way in which such an error is discovered, is through the hard, virtuous work of another expert in the field. Formal proofs, however, offer the option of democratizing the process: they make proof verification available to anyone who is willing to download, install and run the software.5

Enter the potential of cognitive automation: deep neural networks may one day be trained to traverse the many layers of abstraction in mathematical proofs, interfacing with the mathematician in his own terms and definitions, while at the same time outputting a list of logical symbols that constitute a valid, verifiable proof. As the depths of abstraction increase to which mathematicians can descend while retaining a neural network-assisted link to formalized logic, who knows what exciting new branches of mathematics may be discovered, or which conjectures may finally be proven — or disproven?

The Importance of Law

Reason — the fundamental trait that sets man apart from animals — manifests itself in essentially two ways. On the one hand, human cleverness allows him to overcome the harsh conditions of nature; on the other hand, human argument allows him to cooperate with his fellow man and settle their disputes with words instead of violence. Words offer the means to the institution of law, which is the quintessential trademark of civilization — as opposed to the law of the jungle.

The importance of an ethical basis for institutional law cannot be overstated. Ethics underlies the legitimacy of the political system; without ethics, the entire state is no more than an infrastructure for organized theft.6 Even the thief, rapist and murderer, by committing their barbarities, profess and defend a (mistaken) conception of  right and wrong. The ethical skeptic or nihilist cannot charge these criminals with an inhuman crime that is obviously wrong in and of itself, because to make this charge is to assert the validity of ethics. Most fundamentally, it is literally impossible to argue successfully for the superiority of other qualities of human interaction over ethicality. Any universally valid argument for the superiority of other qualities would itself be, by definition, part of ethics.

And yet, law is currently arbitrary; it reduces to the thoughts and ideas of defunct revolutionaries of the past. In the end, judges base their pronouncements on those of other judges, on the writs of politicians in and out of parliament, and on the ex-post manifestos of successful coups-d’etat. There is no process or incentive that ever weeds out past errors of judgment, except perhaps accidentally and based on popular sentiment. Conversely, the emotions of the masses may introduce irrational fallacies into law just as easily as they may eliminate them. Without rigorous ethical foundation, legislation relies only on gut feeling and is consequently entirely irrational. Irrational law is unjust by default and just by accident. Any political system based on institutionalized irrational law amounts to systemic injustice, and its existence is an affront to human dignity.

This need not be so. If ethics can be formalized, then laws can be formally proven to be valid.  Automation can help judges to make provably just pronouncements. Members of parliament can justify their legislation to their constituents and to the rest of the world on the basis of a computer-verified proof of justice. The power of the executive can be delineated not by some arbitrary document nor by the subjective oversight of some supposedly independent power, but by the rigorous quality of sound ethical theorems. Human society can at last reach its full, unbridled potential. If only ethics could be formalized …

Towards a Formalization of Ethics

An argument is a list of propositions, each one of which is either a premise or else is held to follow logically from the preceding propositions, and which is designed to convince someone of final proposition, the conclusion. An argument is rigorous if each non-premise follows from the preceding propositions through the application of exactly one inference rule of the underlying formal logical system. Consequently, rigorous arguments are trivially verifiable by simply checking the inferences made. Unfortunately, a complete reduction of ethics to a formal logical system such as those used in mathematics and computer science would make this essay too long to be comprehensible. Instead, the goal of this section is to illustrate the intuition and convince the reader that such a formal reduction is indeed possible.

Commonplace definitions of “ethics” relate the term to normative concepts such as right and wrong, or proper behavior, but leave these normative terms undefined or only defined in a circular way. A formalization of ethics must start with a definition that contains this crucial concept of normativity and reduces it to other concepts. Let us use the following definition: Ethics is the set of valid arguments for or against human interactions applying universally to all persons, as well as a methodology for obtaining such arguments and distinguishing valid from invalid ones.7

The word “human” and “person” in the above definition do not refer to instances of the species homo sapiens; instead, they refer to members of the category of moral agents whose existence is implied by the possibility of a universally applicable argument. After all, an argument cannot appeal to any object incapable of receiving the argument; nor to anything incapable of understanding logic and distinguishing between valid and invalid; nor of acting on that understanding. As such, the abilities to communicate, to understand and to act are the key properties that set moral agents apart from other objects.

Argumentation Ethics

Immanuel Kant makes two important distinctions between types of propositions.8 First, a proposition can be either analytic, i.e., true or false depending solely on the meaning of the words; or synthetic, i.e., true or false depending on the state of reality. Second, a proposition can either be a priori, i.e., independent of empirical observation; or a posteriori, i.e., dependent on empirical observation. While the notion of an analytic a posteriori proposition is self-contradictory, the opposite notion of a synthetic a priori proposition is not. Indeed, the most well-known example is Descartes’ famous quip, “I think, therefore I am.” It is a priori because it cannot be logically contradicted, and yet it is synthetic because it conveys information about the universe.

Ethical propositions belong to the same category. On the one hand, they are a priori because they must apply universally to all moral agents. Moral agency is after all an abstraction defined independently of reality, as opposed to a model designed to approximate reality.9 On the other hand, ethical propositions are also synthetic because they apply to real instantiations of moral agents. In other words, in order to convey a normative imperative unto real world people, ethical propositions must be synthetic.

Phrased differently, ethics consists of principles and hypothetical arguments that exist only in mind-space and whose validity is independent of reality. However, anyone who wishes to escape their reach must first argue that these arguments do not apply to them. But this is unarguable because by presenting this argument, he proves his own moral agency and thus ensures that the arguments do apply. The use of this performative contradiction places this brand of ethics inside the more general category of argumentation ethics, as propounded by Frank van Dun10 and, independently, by Hans-Hermann Hoppe11.

In order for ethics to be relevant, there must exist another person, independent of the first, allowing for the possibility of interaction and discussion. It is thus possible to capture the fundamental principle of ethics in one proposition: there exists a discussion about proper interaction between two or more persons.

It is impossible to deny the existence of this discussion without making an argument for its non-existence. However, any such non-existence argument must take place in the context of a discussion and thus immediately defeats itself. Likewise, one cannot argue that invalid or illogical arguments ought to be accepted in this discussion: by making this argument, the arguer is presupposing the desirability of logic and validity. Not only that but he is also appealing to the ability of his discussion partners to distinguish valid from invalid and logical from illogical. Both are contrary to the content of the argument and thus invalidate it. As a consequence of all this, only valid arguments in the omnipresent ethical discussion can be used to derive ethical principles.

The minimality of this foundation of ethics cannot be overemphasized. Argumentation ethics is entirely independent of deniable axioms, human emotions, state officials, leaps of faith, and deities themselves. One who wishes to include any of these items in the foundation of ethics must first argue for their relevance. However, this argumentation cannot invoke said items for justification as it would be circular if it did. So, logically, any such argument would defeat itself by conceding the irrelevance of whatever extension it was trying to justify in the first place.

Persons and the Universe

The fundamental principle of ethics has been phrased only with respect to notions that are intuitively meaningful: action, interaction, exists, person. In order to properly formalize ethics, these notions must receive a rigorous definition as well. Importantly, these definitions must be abstractions and not models so as to ensure the a priori quality of ethical arguments.

A universe is a finite directed fractal graph, which at every level of consideration consists of nodes and edges. The nodes represent automata obeying physical laws and the edges represent channels of transmitted information — or, equivalently, causation. It is a fractal graph because what may be considered a node or an edge at one level may also be considered a subgraph at another, and vice versa. Something exists if it can be identified with a node in the universe. The universe is the unique universe in which the argumenter exists as a non-isolated node.

A person is a node in the universe which 1) communicates, i.e., exchanges information with other nodes; 2) simulates, i.e., makes models of the nodes in his vicinity and computes their perturbed states under suitable approximations of their governing physical laws so as to predict the consequences of changes in the environment; 3) is capable of reasoning, i.e., distinguishing truth from falsehood; and 4) acts, i.e., configures the nodes in his environment so as to realize a simulated reality. An action is any such configuration, whereas an interaction is a set of actions by distinct persons, each affecting the other and his environment.

Want and Action

A central notion implied by that of action is want, i.e., the situation the action attempts to realize. Crucially, this property is what sets persons apart from clever automata such as computers or more primitive life forms. It is a hard problem to distinguish, empirically or through thought experiments, between nodes that act and nodes that merely exhibit behavior inherent in their programming. Nevertheless, an appeal to inherent programming does not excuse crimes in the court of law as any such appeal is itself an action, thus defeating itself. Likewise, the inability to act cannot underlie a valid ethical argument as any such argument is itself an action.

The concept of action as opposed to programmed behavior ties in to the question of freedom of will. However, as far as ethics is concerned, it is unnecessary to make this distinction, or even to debate whether free will exists. Ethics is an abstract notion and if an ethical question arises in the course of hypothetical debate in order to establish the proper principle, then both parties can be explicitly assumed to be acting persons —  or not, depending on the nature of the hypothesis. If an ethical question is raised in the court of law then both parties fit the category of acting persons by virtue of presenting their arguments.

Action is defined as bringing nearby nodes into a configuration that matches a simulated universe. Importantly, action is not meaningfully distinct from argumentation. Indeed, the very purpose of an argument is to precisely bring nearby nodes into a desirable configuration, except that in this case these nearby nodes happen to be persons capable of reason as opposed to merely reactive matter. More importantly, actions can be thought of as arguments because they affect nearby humans and convey information about the desirable configuration. Likewise, any interaction between two or more people can be thought of as a discussion.


Ethics is not an autistic hypothetical exercise. Plurality of actors must be explicitly assumed as a premise before any ethical theorem can be derived. Robinson Crusoe, alone on his island, has no need for ethics until he meets the natives.

More importantly, there is no need for ethics either as long as all actions by all parties are perfectly harmonious, i.e., wanted by all who are involved. The ethical question only arises when some actions by some persons are unwanted by others. Generally speaking these actions occur in pairs: the action and the reaction, each mutually exclusive with respect to the other and therefore both unwanted by the opposite party. Thus ethics essentially deals with conflict and prescribes its prevention and resolution through rationally defensible actions.

Conflict12 occurs whenever there is 1) scarcity, i.e., equivalent nodes of a particular type are finite and cannot be configured conformant to several simulations simultaneously; 2) plurality of wants, i.e., the simulated universes are distinct; 3) independence of will, i.e., the capacity for action of either party is independent of that of the other; and 4) access, i.e., both parties are capable of causing the configuration they desire. All four items are necessary qualities; drop one and there is no conflict.

In order to eliminate conflict there are thus four options. Scarcity is an unfortunate property of the universe and can perhaps be ameliorated by technology but never wholly eliminated. Wanting is in itself not an action and hence cannot be subject to reason, nor the prescription of an ethical argument. Independence is the premise of any discussion and in particular the discussion about ethics; consequently any argument that would undermine independence would defeat itself. The only option to resolve conflict without undermining the fundamental principle of ethics and which can be the subject of reason and choice is thus the restriction of access. Therefore, there is a possibility for the ethical solution to conflict, namely the reasoned restraint by one or both participants. The exact form of this restraint and this reason is yet to be argued.

While conflict of wants is inevitable and must be tolerated, conflict of actions is essentially the antithesis of discussion: one party rejects the arguments of the other party — outside of reasonable grounds — and resorts to physical intervention to accomplish his goals. Consequently, whenever there is active conflict, at least one party is guilty of undermining the discussion, contrary to its un-counter-arguable desirability. In other words, at least one party is being unethical. The next question is to determine who, i.e., to distinguish the party who is acting ethically from the party who is not.


Action implies a sense of appropriation. By employing scarce goods in order to attain an end, the actor broadcasts to the world an argument that those goods ought to be used for that purpose, as opposed to other potential purposes. Moreover, the actor reassigns those goods away from their previous use and to their new use; or else he is the first to assign a use to the previously unused goods.

In the latter case, the actor essentially transforms things into means. As long as this transformation is isolated, i.e., cannot affect the environments of other persons, the employment of these goods as means cannot be the subject of ethical argument or counterargument. He is thus free to do as he pleases. The act of appropriation through mixing labor with unowned resources is called homesteading; the person who does this is a homesteader.13

A different reasoning applies when the goods in question are capable of affecting another actor, and in particular when this second actor wants to appropriate the resources himself, in order to employ them for his own ends. Time is on the side of the original homesteader as he performed his actions — and broadcasted his argument — before the ethical question was raised and thus before the discussion was started. In order to formulate an ethical argument in the discussion with the original homesteader, the latecomer must first recognize the agency of his discussion partner, and respect the homesteader’s application of the previously unowned goods to whatever ends they are applied to. Any subsequent appropriation on the part of the latecomer undermines homesteader’s capacity for argument and with it the foundations of the discussion. Consequently, ethics prescribes reasoned restraint on the part of the latecomer.

However, if both parties consent, then the burden of reasoned restraint may pass from the latecomer unto the homesteader. Equivalently, contract may transfer property rights, i.e., the right to employ a particular scarce good to any use whatsoever, from the original homesteader to the latecomer, or from the latecomer to a third party. Thus, by induction, ownership of property is just if and only if it traces back through links of voluntary contract, to the original homesteader.

Another exception is when the argument for reasoned restraint as would be made by the owner, cannot be made without itself undermining the discussion. For example, no one can be ethically compelled to take their own life or take actions that would result in the same, on the basis of an otherwise would-be violation of property rights. Similarly, if in the course of human action, another person is created from matter that is owned by the first person, such as is the case when children are conceived and born and grow up, the property rights of the first person cannot be used to undermine the personhood of the newly created person. In other words, argumentation ethics guarantees self-ownership just as surely as it guarantees property rights.

From self-ownership and property rights follows the non-aggression principle, which states that any physical invasion of a person’s property or body is ethically wrong unless it is consensual. The non-aggression principle serves as the foundation for the well-established edifice of libertarian legal theory, which covers freedom of speech, privacy, the right to keep and bear arms, and a whole host of civil liberties and principles of criminal law.14



The foundation for ethics is the omnipresent discussion about ethics, in which certain propositions must be true by virtue of their negations being self-defeating and thus unarguable. While this discussion is abstract, relating to the universe and persons as nodes and edges in a fractal graph, its logical consequents are no less true than those of mathematics as both can potentially be rigorously formalized; nor are its propositions any less applicable to real human life than sociology or psychology. Most importantly, unlike sociology, psychology or mathematics, the logical proofs arising from the ethical discussion confer a normative quality on their interpreter, by virtue of his capacity for understanding them.

The central notion in this discussion are its participants, who are necessarily actors, i.e., persons who act, are independent, number two or more, and are potentially in a state of conflict with respect to scarce goods. By virtue of using scarce goods as means to an end, the actors make claims to scarce goods. In general only that one claim that precedes all others cannot be logically invalidated. Informed and voluntary consent to contract may transfer the one un-invalidatable claim to alienable scarce goods unto others, giving rise to property rights and, by proxy, all other human rights.


All pieces of the puzzle are finally in place. The ethics presented in the previous section can be cast into a perfectly formal, symbolic language in which every step is a rigorous application of basic laws of logic. There is thus an objective method by which to decide which ethical propositions are true and which are false — and automatic proof checkers that offer this functionality already exist.

Judgment varies from case to case and while it may be contentious which ethical principle applies, the validity of two or more contending principles should be beyond doubt. Moreover, which of two contending principles applies should be purely a function of the evidence presented, which in today’s world can also be digitized and whose processing can also be automated. Consequently, judges have recourse to a mechanistic, optimizable, computerizable and auditable process by which to produce a judgment, which should in the end reduce to a provably correct ethical theorem. Perhaps one day judges themselves can be replaced by faster, harder-working, more environmentally friendly and less error-prone computer programs.

The spread of provable ethics should not stop at the judiciary. Legislators, too, offend against reason when they pretend to write into law a mere proposition and attribute its legitimacy not to any valid argument but instead to a quorum of votes. Contrary to popular conception, law does not come into being by the pen of the parliamentarian; law is discovered, like mathematics, and spreads organically from thinker to thinker through discussion and by virtue of the validity of its proof.

Nor should provable ethics remain contained within the judicial and legislative branches. As ethics concerns the moral quality of all human interaction, the people who make up the executive branch are not exempt. Not only should their actions be held to the highest possible, provable and verifiable standards; their legal and practical power should not exceed what is logically mandated and allowed by ethics to begin with.

International conflicts, like interpersonal conflicts, have a unique and provably ethical solution. It is only the public disbelief of this fact that continues to lend power, credence and legitimacy to the warlords across the world who commit and enable unspeakable acts of inhuman atrocity. By dismantling the myths of ethical pluralism and ethical nihilism, provable ethics can undercut the real source of power that fuel the many wars, feuds and conflicts raging across the world, and thus end their destructive reign of terror once and for all.

Not even the foundations of the state are immune to ethical scrutiny — scrutiny which is finally entirely independent of the state and in no way relies on its existence. The constitutions of the various nations of the world — including the Universal Declaration of Human Rights — should be culled until only those phrases remain that are completely, provably compatible with ethical principles. Democracy itself, hailed often, proudly and wrongly as the greatest achievement of mankind since the invention of the wheel, should be seen for the disaster it is: democracy is the means to trump a valid argument. It should be discarded but well-remembered for its destructive potential along with all the other defunct ideas from the black book of human history.

The Road to Utopia

Having established a humble picture of utopia, it is time to turn to another, related question: how to bring it about in the most ethical way possible. While the answer is easy when one is allowed to assume unlimited power — i.e, “immediately” — no such divine force is thrust upon ethical revolutionaries. They must instead face the dilemma of choosing which injustices to suffer before the master plan is hatched.

Except, a divine force is thrust upon ethical revolutionaries. This force does not ordain them to, as it were, break the eggs to make the omelet; no ideology absolves its believers of their sins. Nor does it suffer them to be lazy; despite its objective correctness, the ideology of provable ethics will not spread of its own accord. The power in the hands of ethicists is reason, the ability to make and distinguish valid and invalid arguments; and discussion, the ability to confer arguments unto others and receive them in turn. It allows the revolution to charge its ideological opponents with an incontrovertible argument to either join the revolution, or be reduced to indignified animals for rejecting it irrationally.

However, this essay merely argues that a formalization of ethics is possible; it does not present one outright. There are many holes to be filled and leaps of understanding to be formalized that are intuitively accessible but lacking in rigor. The skeptic can delay the inevitable dilemma until such time as he is presented with a more rigorous formalism. And any reasonable delay-seeking counter-argument is truly a gift, because it leads to a more rigorous ethical argument or else exposes its falsity in the first place. Until at one point, if there is no falsity to be exposed, the argument is completely formalized. At this point, the critic must accept the conclusion or else forsake all semblance of rationality.

Fortunately, however, despite the many trials and tribulations that await the doctrine of provable ethics, there is just cause for optimism. Think about it: the fundamental principle of ethics is undeniably well in place. For how does the skeptic hope to refute any part of this essay without presenting rational arguments and engaging in discussion?