Legal compulsion and self-incriminating passphrase

Caspar Bowden cb at fipr.org
Thu, 9 Jul 1998 15:51:03 +0100


> Almost, but the requirement only works (if it works) because
> the hash is a direct and necessary descendant of your having made the
> statement.

Accepting again that this is all a bit far-fetched, I think that there are
some details about the way the passphrase mechanism works which are
relevant:

In say PGP, your private key is protected from being pinched off your
hard-disk, by being itself encrypted with a *conventional* symmetric cipher.
The symmetric-cipher key may be say 128-bits, and the hash function will map
an infinite number of ASCII-character passphrases to that key. (The computer
knows when you have got the right passphrase, because the private-key has
tags which look like gibberish until correctly decrypted). A given
passphrase will always produce the same key according to the hash function
algorithm, but there is no way to go back from a key to the original
passphrase. But although an infinite number of other passphrases will
generate the same key, it's also hard to find a passphrase which *will*
generate a specific key. Thus if the phrase "I stole Geoffrey Howe's
trousers" works, that's good evidence that it was the original passphrase,
because the chances of hitting on another passphrase which works are
astronomical (2^128 key-space, unless the hash is designedly knobbled).

I think the legal point of significance about the self-incriminating
passphrase example is that the passphrase is not written down, it's in my
head.

>> They are not asking you to make a new
>> statement but executing a search on a confession already made

There is nowhere any trace of the passphrase which identifies or pins it
down uniquely. Each time you type the passphrase in, you effectively
re-utter a confession. The fact that I must have previously typed in the
same words when no-one else was around, doesn't alter the fact that I would
*divulge* my guilt (and the offence), if compelled to disclose the
passphrase. I am also unable to disclose the key itself (rather than the
passphrase), unless I have delved into the program to find out what the
result of the hash was, and made a note of it.

> The police could for example say that you should generate a
> passphrase...
> At the point where you generate a matching key pair to
> your known key pair, they have you.

I don't see how I could be asked to extemporize on a guilty theme
indefinitely.

I suppose if we do get export controls on intangibles, and one is accused of
e-mailing a copy of PGP abroad (encrypted), we have meta-self-incrimination
("I e-mailed this crypto code on dd/mm/yy + hash of my dig.sig. of this
passphrase"). In this case I not only divulge, but prove my guilt. Now
that's just getting silly.
--
Caspar Bowden
Director, Foundation for Information Policy Research
Tel: +44(0)171 354 2333
Fax: +44(0)171 827 6534
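
Added example, not part of the original message and not PGP's own code: a sketch of the passphrase mechanism described above, showing why a passphrase that works is strong evidence of being the original at 128 bits but not when the hash output is weakened. Truncated SHA-256, the XOR stream cipher, the `KEYOK` tag and all function names are assumptions chosen for illustration.

```python
import hashlib
from itertools import count

CHECK = b"KEYOK"  # constructed tag: readable only after correct decryption

def derive_key(passphrase: str, bits: int = 128) -> int:
    """Hash a passphrase to a `bits`-bit key (truncated SHA-256, an assumed choice)."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def _xor_stream(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher for the demo: XOR with SHA-256(key || counter) blocks."""
    kb, stream = key.to_bytes(16, "big"), b""
    for i in range(len(data) // 32 + 1):
        stream += hashlib.sha256(kb + i.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def lock(private_key: bytes, passphrase: str, bits: int = 128) -> bytes:
    """Encrypt tag + private key under the passphrase-derived key."""
    return _xor_stream(derive_key(passphrase, bits), CHECK + private_key)

def unlock(blob: bytes, passphrase: str, bits: int = 128):
    """Return the private key if the tag decrypts correctly, else None."""
    plain = _xor_stream(derive_key(passphrase, bits), blob)
    return plain[len(CHECK):] if plain.startswith(CHECK) else None

def second_passphrase(original: str, bits: int) -> str:
    """Enumerate candidates until one hashes to the same key (small `bits` only)."""
    want = derive_key(original, bits)
    for i in count():
        cand = f"candidate-{i}"
        if cand != original and derive_key(cand, bits) == want:
            return cand

if __name__ == "__main__":
    phrase = "I stole Geoffrey Howe's trousers"   # the message's example
    secret = b"constructed private key bytes"
    print(unlock(lock(secret, phrase), phrase) == secret)      # right phrase
    print(unlock(lock(secret, phrase), "wrong phrase"))        # gibberish tag
    alt = second_passphrase(phrase, 16)                        # weakened hash
    print(alt, unlock(lock(secret, phrase, 16), alt, 16) == secret)
    print(derive_key(alt) == derive_key(phrase))               # full 128 bits
```

With the key cut to 16 bits a second working passphrase turns up after roughly 2^16 candidates, so a match no longer identifies the original words; the same search against the full 128-bit key is the astronomical case the message describes.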