Products  Main  Summary  FAQ  Customers  Contact  TOC  Choose format

FAQ - Guarantees, policies and arrangements

  1. Why is UPE not publicly available?
  2. Why is UPE not freely available?
  3. How can I trust the implementation of UPE?
  4. How can I check against undocumented features?
  5. Are there Never Answered Questions?
  6. How do you plan to convince people to use UPE?

Why is UPE not publicly available?

If the algorithm and implementation is open, more eyes can test it. But there are a lot of dangers, see the above sections. This is not so simple as for example in case of text encryption.

Text encryption is passive. The eavesdropper does not learn something for what usually do not have access. But UPE is active. It can be used to attack computer networks. This changes everything. The right development methods, attitudes developed for text encryption does not apply for UPE or related technologies.

In our recent business model, we do not release the algorithm. But to make certain applications  - like really smart cards, anon stock markets, virtual anon companies, secure voting systems, more developed forms of electronic money, etc -  to build the necessary trust we have to patent a version of it. So we have to make it public. But we cannot do it now because of the possibility of the malicious applications. We can release the algorithm and the source code only if the appropriate protection technologys, with special emphasis on secure OS-es, are widely available and used. Our intention is to immediately release the algorithm if the time is ripped for that, because secrecy substantially slows down our growth.

But it is only a popular myth that one cannot trust a security product without knowing its source code. (One has to check the compiler, the whole OS, the language, the chip. No one is capable of doing it for everything nowadays. Even the most secretive agencies outsource some of their hardware and even software developments. The fortress mentality is partially abandoned. If you are not an expert, just to have an idea about the difficulties, check this ACM Classic out.) There are so called zero-knowledge proof systems by which one can prove what a program does, without revealing the how. Unfortunately, so far no such a product is implemented. Our goal is to do that - first only for small but critical parts of a program - because we expect that it may take a long time to achieve the widespread usage of protection technologys.

Back to Top

Why is UPE not freely available?

Some people argue that we should follow an other model. Not to make money but to serve humanity. After building a secure OS (naturally open source OS, like Linux, for free) in a secure environment by trusted programmers, we should release this OS and the UPE algorithm for free.

It is a very widespread view in certain circles. Because there is something in it. But there are several problems with this view. The problem is that the development process is usually under sourced for structural reasons. (Easier and less risky to copy than invent, unless unauthorized copying is detected and punished severely.) The distributed development model, like Linux, is maybe very good at spotting mistakes in the implementation, but not good at implementing something really new. People would not invest in things what they can get later for free. The competition would be big, the profit margins small and the risk unpredictable. Not mentioning the necessary UPE related hardware development, where these issues are even more flexing and patents play a bigger and more positive role than in software. So far, the  Linux model did not work for hardware development, and UPE is principle is closer to hardware than to software. These are the basics of economy, so they should not be discussed here in detail.

Some people may not be able to pay for the protection. For them we make possible to have access some TPVS products for free. But only open source, freeware and adware products. But there is no free lunch. The developers of the products have to pay by some programming or translation work done for TPVS and / or by providing some advertising surface. So, you may get protection for free, but you have to see our logo, and maybe something more exciting too.

Back to Top

How can I trust the implementation of UPE?

To tell the truth in short, by a little leap of faith. As in case of any other cryptographic or software product (even if the marketing gurus do not tell it to you). Mumbling too much about the necessity of open source, or knowing the algorithm is misleading. It even may give a false sense of security. See this ACM Classic and the above section and think. Because of the possibility of sophisticated backdoors, there is no substantial difference between trusting PGP (it has an open source) and  UPE. Just hope, with some little dose of healthy skepticism.

I wonder, how many of those who demand publicly available source codes and algorithms reverse engineered the source of the security applications they use? Do you work on your own brakes and seat belts too? If you, most people would think that it is a sign of a severe mental condition ... . Most people hire an accountant for their taxes, a lawyer for such affairs, a mechanic for their car, and so on. Modern society is build on trust relationships in a market and legal guarantees combined with a division of labor. Crypto is very subtle, but so is tax law, litigation, finance and modern automotive and flight control systems. It is not in principle different from those areas, where money, property and life is at stake, and we trust others to help us.

Those who try UPE products, in the recent business model, do not make substantial risk. They just add the encrypted key hiding technology to existing "software protection". Secure key hiding is missing from recent ones. So, without adding any risk, we simply enhance existing technology. The only risk that we are not adding any further security - without weakening the existing one. If you find that our products are not secure - and can convince us by a reproducible security breach - you get your money back.

Back to Top

How can I check against undocumented features?

Well, to be honest, you can't. Even TPVS can't. Because it is, in general, mathematically undecidable. But  this is a common problem of any program which is not mathematically verified. And most - if not all - of them including the ones running in your machine are not. The scary thing is that people write and run programs which they do not completely understand. But by running and practicing the program with non important data you can convince yourself in the usual way. Although in case of encrypted programs it may take more time to develop trust.

TPVS is not interested in building undocumented features into its programs because there is no better way to ruin its business. Each step is documented in a secure way to clear ourselves of any charges if they emerge, and to make it easy to find those who are responsible if such things happened. But our opponents, either competitors, politicians or stupid people only having fun may spread unfounded rumors to discourage people to use encrypted software products.

However, this is not the end of the story. Mathematically it is possible to prove what the program does without revealing how it does it - if the program is short enough. Unfortunately this has not been implemented yet but we are working on it. It is a plan of TPVS to implement this self-verifying feature at least for its most simple programs to build further trust in its products. See our development plans page.

Back to Top

Are there Never Answered Questions?

Although our policy is to be as open as possible, we do not answer questions if the answer might compromise our mission. Here is a short list of questions we never answer to anybody under any circumstances. Please, do not bother us by asking them. The list is intentionally not complete.

Of course, if UPE is patented and the algorithm and source code is made open then the first question will be answered. In our case the problem is, that we have to reveal the theory, and according to current patent laws, we may loose patent rights. 

Back to Top

How do you plan to convince people to use UPE?

Demonstrations: We hold demonstrations for possible customers and the public in general. Both about the possible malicious use of UPE and how to prevent it (by UPE). Unfortunately, we can give away code only  under very restrictive  conditions.

Auditing: We also plan some kind of auditing of our products and methods, while we cannot release the algorithm and the source code. An auditor has to have serious cryptographic background and a very strong commitment and interest against misuse. We are seriously working to find an appropriate not government related candidate, which is more difficult than we anticipated at first. It might occure that such auditor does not exists.

Back to Top

Products  Main  Summary  FAQ  Customers  Contact  TOC  Choose format