One of the benefits of my new job over my previous one is that I can talk about what I do in considerable detail. Today I actually got to do some real work, which was so great. I didn't have a lot of time due to all of the training, so the work was really just a brainstorming meeting. But it was still great.
During my thesis work I never really worked with anyone, and that was basically the last seven years. Suck. Even though I find the information barrier project that I was working on today to be silly, talking about electronics and industrial design for something that we are actually going to build in the next few months was awesome.
The idea behind the project goes something like this:
Russia and the US agreed to let each other inspect certain aspects of their nuclear stockpiles as part of an arms control agreement that came about after the collapse of the cold war. However, the foreign inspectors are not just allowed to examine classified stuff willy-nilly. Instead, the intersection of what each country considers unclassified was determined, and then a system was devised for analyzing "objects" based only on information that both parties agreed was "sharable."
To this end, a list of attributes for the unknown contents of a container was generated which would allow an inspector to determine if the container contained what the host country said it did, without revealing any classified information. These attributes are things like "Contains over 0.5kg of plutonium," "Has a plutonium enrichment above a certain percentage," "Contains plutonium that is older than a certain age," etc.
The evaluation of these attributes is trivial given modern radiation detectors and data analysis. However, the raw output of the detectors is classified (at least as far as the Russians are concerned; they classify the gamma spectrum of Plutonium, for example [buh??]). So our team has been tasked with building a device that includes standard neutron and gamma detectors, but also additional layers of hardware and software that turn the complicated detector data into simple yes/no answers for the attributes agreed upon by the diplomats.
Even this is a simple task. What makes it challenging is the levels of absolute paranoia that went into speccing out this policy. The entire assembley basically has to be idiot proof to use, tamper-proof, and have no chance for any leakage of information beyond the yes/no attribute measurements. The access panels on the enclosure have tamper switches that automatically kill power to the computers and detectors, for instance (btw this is a terrible thing to do to a cryogenic HPGe detector). The LEDs that indicate the attribute yes/no results are not allowed to blink lest they blink out morse code about actual spectra or something. The signal to the LEDs is opto-coupled via fiber optics to the information barrier electronics and the power to them is low-pass filtered to hell just in case someone were to sneak in a circuit to modulate a signal into the LED power. This sort of thing.
At the heart, the entire thing is silly.
But the requirements laid down by the admittedly goofy policy make for a non-standard hardware and software development cycle and this is challenging. Thinking outside of the box is a must, as no sensible box would ever include any of this stuff.
Right now the signal path goes through the following functional blocks:
* radiation impinges on a detector and causes the analog signal on the output to change
* data acquisition electronics transform the analog detector signal into digital pulse data
* a data processing computer examines the pulse data and determines characteristics of the radiation, outputting certain key pieces of information like the effective Pu mass or isotopic ratios
* a small microprocessor takes the various data and compares them to threshold values which determine whether the desired attributes are met or not.
* The attribute yes/no signal passes through an information barrier which is basically a low-pass filter, fancy data latch, and opto-coupler
* The signal powers an LED.
My piece of this pie is the design of the microprocessor that makes the attribute determination and the signal specifications for the connections between all the various blocks. They are very concerned about EMF leakage at all points in this device, so it's way more of a pain that it needs to be.
Anyway, that's the sort of stuff I was thinking about at work today.
Sounds like a truely wonderful machine on the order of those found in the Wizard of Oz. Don't bother me with the details, I just want to know the answer. I have had a number of students who expressed similar attitudes.
I know what you think about at work all day, and it's not that.
So, this is actually a pretty interesting problem. I forget if you actually read all the way through Cryptonomicon, but if you did -- questions like the ones Waterhouse explores there (i.e., how much information can you get out of a channel that shouldn't even exist, etc) are kind of the sort of thing I think about a lot. Not from the perspective of eavesdropping on communications, which is very apropos, and which is what a lot of my next door neighbors do, but from the perspective of "How much can I deduce about this physical system, which is not actively trying to hide from me, but is very very hard to measure?" They end up being almost isomorphic, unless you have feedback -- i.e., the person on the other end of the communication channel knows what you're doing, and is trying to either help or hinder you. What happens then is either (for some setups) the whole thing goes nonlinear = apeshit to solve, OR it turns out you can just go to a larger space and still solve it linearly.
Which brings me to the point. Given how sneaky people are, and how paranoid the government HAS to be, your team might not be being paranoid enough. Did they consider Van Eck phreaking types of attacks, where you detect radiation coming from the internal electronics and deduce what it's doing in memory? There's a similar approach to breaking encryption (which, unlike VEP to the best of my knowledge, has actually been proof-of-principled) which relies on the fact that some encryption algorithms take longer to encrypt different strings. You basically send a bunch of strings into your black box, measure the nanoseconds that it takes to deal with each one, and figure out the secret key from that data. Turns out it's possible.
I'm not sure right off how this could apply to your detector. But what if a user could pass lots of different, calibrated samples through the detector? Could the variation of the binary result "LED = on/off" with different variations of the samples result in the user gaining a level of information about the gamma spectrum of plutonium that is classified? Yes, it's stupid. But in some sense the whole thing is stupid, so if you're going to play by the rules you might as well go whole hog and do something that can be proven (information theoretically) to be secure...
Actually, you raise some good points. Van Eck and assorted EMF leakage has been considered. Each piece of equipment is inside a Faraday cage, all connecting cables are shielded, and the enclosure that contains all of the various components is itself shielded. We do a leakage study of each component and the AMS as a whole before it is certified for use.
The timing problem does, in fact, come into play for this work. A particularly hot source will provide a relatively fast count rate and thus good statistics convergence will be met faster by the DAE. If a result was returned particuarly quickly, we could make some statements as to the activity level of the sample, which is not information that we've agreed to share. To counter this, the microcontroller waits a fixed amount of time before delivering any output. This time is set such that the weakest source of interest will return a suitable result in time.
As for the LED parameter study... in a sense this is how we allow the inspector to validate that the machine is working. They use a variety of check samples that exercise each of the parameters being displayed. This tells them that the device is correctly identifying the attributes. But since all of the attributes have been determined to be "sharable," no combination of them will give information about the classified samples that we're concerned about revealing.
They've actually requested that we go down to a single light, and program the required attribute set into the microcontroller... but then it makes validation much more challenging. We're working through that issue right now actually.
It's interesting to see paranoia at work. The rather neat thing, once you get deep enough into information transfer analysis, is how physics (quantum mechanics especially) actually gives you incredibly hard bounds on what information can go where. I mean, classically you just can't prove anything "absolutely" -- it ends up being, "Well, it would take this long to get anything useful out of it" or "Unless they had a device that was this ridiculously good, they couldn't figure anything out". It's the finite scale of h-bar that actually allows you to say "They won't have that device" or "This can't be done in any time." Rather cool.
It's also cool to see just how paranoid people can be. I mean, I'm used to theorists being paranoid, but it's just because we want to prove conclusively that something can't be broken. The engineering perspective of "We have millions of dollars to be paranoid with" is fairly cool.
Anyway, sounds like N-div has done its homework. Although there is another interesting question: how do you prove conclusively that a given set of attributes which are "sharable" is closed? That is, that no possible combination of those attributes could yield information about a quantity that is not sharable? It sort of sounds like an application of group theory / algebra, although maybe I'm being too much of a math geek here. I mean, you can't classify _everything_ about the spectrum of plutonium... for instance, try classifying the following observation: "1 mg of plutonium metal does not emit more than 1 GW of power in the x-ray spectrum." Proof: your device doesn't instantly melt and explode.
So you can conclude _something_. But I'm going to stop rambling now, to stop accumulating experimental evidence for the statement: "Robin has nothing better to do." Which is, sadly, false.