Leaky Locks
What Counts as Information?
In 1943, the telephone in Winston Churchill’s war room was a problem.
Transatlantic calls to Roosevelt were encrypted by SIGSALY, fifty tons of equipment that digitized speech, scrambled it with one-time pads, and reassembled it on the other end. The voice channel was mathematically unbreakable. The Germans couldn’t decode a single word.
But Bell Labs engineer A.B. Clark noticed something troubling. The encryption scrambled the content of Churchill’s speech. It didn’t scramble the rhythm. The timing of syllables, the cadence of sentences, the patterns of pauses—all passed through intact.
Clark realized that rhythm alone might be enough to reconstruct words. He was right. The phenomenon would later be called “residual intelligibility.”
SIGSALY was redesigned to mask timing patterns. The fix added more equipment. More weight. More complexity. All to hide something no one had thought to protect.
The Beeping Safe
In the 1980s, hotel room safes used a simple four-digit code. Guests would set their own combination. The safe beeped once for each correct digit as you entered it.
Thieves figured it out immediately.
Start with 0000. If the safe beeps once, the first digit is 0. If not, try 1000. Work through 0-9 until you hear a beep. Then move to the second digit.
A four-digit safe has 10,000 combinations. These safes fell in 40 tries.
The safe protected the code. It didn’t protect information about the code.
The Collapse
Here is the mathematics of what happens when structure leaks.
A password with $n$ positions, each drawn from an alphabet of size $k$, has $k^n$ possible values. For a 4-digit PIN:
\[10^4 = 10{,}000 \text{ attempts}\]But if the system reveals whether each position is correct independently, the attacker solves each position separately:
\[k \times n = 10 \times 4 = 40 \text{ attempts}\]The exponent becomes a multiplier. Security collapses from $k^n$ to $kn$.
| Secret length | Without leak | With leak | Collapse |
|---|---|---|---|
| 4 digits | 10,000 | 40 | 250× |
| 8 lowercase | 208 billion | 208 | 1 billion× |
| 12 mixed | $10^{21}$ | 744 | $10^{18}$× |
The longer the secret, the more catastrophic the leak.
The Collapse, Visualized
Paul Kocher’s Discovery
For decades, cryptographers believed they had learned the lesson. Don’t leak partial information. Make verification all-or-nothing.
In 1996, a twenty-three-year-old cryptographer named Paul Kocher published a paper that redrew the boundaries of information security. He showed that even when software reveals nothing explicitly, the time it takes to compute is itself a channel.
Consider password verification:
def check(input, stored):
for i in range(len(stored)):
if input[i] != stored[i]:
return False
return True
This code returns as soon as it finds a mismatch. A wrong first character fails in one microsecond. A wrong last character takes eight microseconds.
The timing is the beep.
Kocher demonstrated the attack against RSA implementations. By measuring how long decryption took for different inputs, he could extract private keys bit by bit. The attack worked remotely. It worked through noise. It worked against code that had been audited for security and revealed nothing through any official channel.
The cryptographic community was stunned. They had protected the message. They hadn’t thought to protect the duration of the computation.
The Expanding Boundary
If timing is information, what else might be?
1998: Power analysis. Kocher again. The power consumed by a chip varies with the operations it performs. Different instructions draw different current. By measuring power consumption during cryptographic operations, attackers could extract keys from smart cards.
1985 (published much later): Van Eck radiation. Every wire is an antenna. CRT monitors emit electromagnetic radiation proportional to what they display. Wim van Eck showed you could reconstruct screen contents from across the street. Later researchers demonstrated the same for LCD screens, keyboards, and network cables.
2003: Cache timing. Modern CPUs have memory caches. Accessing cached data is fast; uncached data is slow. An attacker who shares your CPU can deduce what memory addresses you’re touching, including cryptographic key material.
2018: Spectre and Meltdown. Modern CPUs speculate. When they hit a conditional branch, they guess which way it will go and start executing down that path. If the guess is wrong, they roll back. This is speculative execution, and it makes processors fast.
Meltdown exploited the fact that Intel chips performed speculative memory accesses before checking permissions. A user program could speculatively read kernel memory. The CPU would eventually realize the access was forbidden and discard the result—but not before the data had touched the cache. By measuring which cache lines were now fast to access, attackers could reconstruct the forbidden bytes.
Spectre was subtler. It trained the branch predictor to mispredict, then used that misprediction to speculatively access memory through the victim’s own code. The victim’s program would briefly touch memory it shouldn’t, leaving cache traces the attacker could read.
Both attacks crossed boundaries that were supposed to be inviolable: user to kernel, guest to host, process to process. The CPU’s architecture guaranteed isolation. The CPU’s microarchitecture leaked it away.
Shannon’s Definition
Shannon defined information as reduction in uncertainty. A message conveys information because it tells you something you didn’t know.
By this definition, anything that reduces uncertainty is information, whether or not it was intended to communicate.
The safe’s beep reduces uncertainty about which digit is correct. The computation’s timing reduces uncertainty about which branch was taken. The chip’s power draw reduces uncertainty about which operations occurred. The radiation from a cable reduces uncertainty about what it’s carrying.
The Shape of Everything
Netflix and traffic analysis. Your video stream is encrypted. An eavesdropper sees only noise. But the pattern of the traffic—packet sizes, timing, bitrate changes—correlates with what you’re watching. Researchers have identified specific movies from encrypted Netflix streams with over 99% accuracy.
Keystroke dynamics. The rhythm of your typing—how long you hold each key, the gaps between keystrokes—identifies you as reliably as a fingerprint. This works through encryption, through Tor, through any anonymizing layer.
Website fingerprinting. HTTPS hides which page you’re viewing but not the pattern of requests: how many resources, what sizes, what timing. The pattern is enough to identify the site with high accuracy.
Your Rhythm
Type anything below. The content doesn't matter. Your rhythm is the signal.
Different people produce different patterns. The text vanishes into encryption. The signature persists.
The Arms Race
The natural response: fix the leaks. Cryptographers have tried.
Constant-time code. Compare all characters, even after finding a mismatch. Make every branch take the same time. Never let computation depend on secret data.
Blinding. Add random noise to inputs. The answer is the same, but intermediate steps are randomized, masking power and timing patterns.
Shielding. Faraday cages block electromagnetic radiation. Expensive. Imperfect. A well-funded adversary can still get through.
Each fix addresses one channel. Physics guarantees there are always more.
Computation requires energy. Energy dissipates as heat, radiation, vibration. Any physical process leaves traces. The question is not whether information leaks, but whether an adversary can detect it.
For the NSA, the threshold is low. For a random thief, high. But the threshold keeps falling as sensors improve and analysis gets cheaper.
The Lesson
Here is what the twentieth century taught us:
Information is whatever can be inferred from what you do—regardless of what you intended to reveal.
The boundary between “the secret” and “information about the secret” is not fixed. It moves as our ability to measure improves. What leaked undetectably in 1980 leaks detectably in 2000. What seems safe today will leak tomorrow.
Churchill’s engineers thought they were protecting speech. They were forced to protect rhythm. Cryptographers thought they were protecting keys. They were forced to protect timing, power, radiation, cache access, and speculative execution.
Each generation discovers that the last generation’s definition was too narrow.
Privacy, Anonymity, AI
Privacy. Every digital action has a shape: timing, size, frequency. Encryption hides content but not shape. Metadata is data.
Anonymity. Behavioral patterns are signatures. How you type, how you move your mouse, how you browse—these persist across contexts. True anonymity requires suppressing not just identity but behavior, and behavior is hard to fake.
AI. Machine learning excels at finding patterns humans miss. The leaks that were too subtle to exploit manually become tractable with enough data and compute. The attacker’s threshold keeps dropping.
Why Leaks Persist
Return to the beeping safe.
The fix seems obvious: remove the beep. But the beep was not the problem. The problem was that the mechanism processed each digit separately, and that separation was detectable.
Silence the electronics—timing still leaks. Equalize timing, and power consumption gives you away. Shield power, and electromagnetic radiation escapes. Even fully shielded, the fact that you’re standing in front of the safe reveals something.
Every physical process is a broadcast. Security requires ensuring that the broadcast conveys nothing useful. The broadcast itself cannot be stopped.
Understanding what information is—what can be received, regardless of what you intended to transmit—turns out to be the hard part.