1994-09-22 - My response to NRC crypto study

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: c7499f02efede0dadba7f3c4d79bc499387a9dc60c70adb17098d4e8ec49ea17
Message ID: <199409220341.UAA02254@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-09-22 03:41:38 UTC
Raw Date: Wed, 21 Sep 94 20:41:38 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Wed, 21 Sep 94 20:41:38 PDT
To: cypherpunks@toad.com
Subject: My response to NRC crypto study
Message-ID: <199409220341.UAA02254@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


This is a slightly edited version of what I sent:

Thank you for giving members of the public such as myself the
opportunity to discuss our concerns as the NRC studies the National
Cryptography Policy.

I will make my points using the outline of issues dated September 14,
1994 as a reference.


>    * the impact of current and possible future restrictions and standards
>      regarding cryptographic technology on
>    
>        - the availability of such technology to foreign and domestic
>          parties with interests hostile to or competitive with the
>          national security, economic, commercial, and privacy
>          interests of the U.S. government, U.S. industry, and private
>          U.S. citizens;

One traditional method for limiting access by hostile foreign powers to
strategically important technology has been the defense-oriented
classification system.  Important discoveries made by government
researchers have been classified at various levels in order to prevent
their dissemination.  This general approach of secrecy has been applied
as well to the SkipJack algorithm used in the Clipper chip.

However, this approach has not been completely effective with
cryptographic discoveries that are made by private researchers not under
the control of the government.  Probably the most notable event along
these lines was the discovery of public-key encryption technology in the
1970's.  The concept of PK encryption, easy to explain and understand even
for a technologically knowledgeable layman, spread like wildfire despite
some early abortive efforts to suppress it.  This discovery has served as
the foundation for a wide range of research in cryptography and no doubt
is an important reason for the rapid growth of the field over the last twenty
years.

Today, the electronic networks which circle the globe make communication
of new results far easier and more rapid than in the past.  And the
transparency of national borders on the computer networks means that
information, once made available, is available globally.  A discovery
made today comparable to PK encryption in the 1970's would have been far
less likely to be suppressed, and in the future we can expect this tendency
to increase.

Despite this, the US government is currently wielding clumsy policies
which classify all encryption software as munitions and require
complicated licensing procedures for their export.  There is a terrible
mismatch between these policies and the mechanics of information flow
today.  For one thing, the distinction between distribution within the
country and information which flows out of the country is nearly
impossible to make today.  It was always quite unrealistic to suppose
that technology which was widely deployed within the US was unavailable
across our borders, but the information networks make it clear that this
is a fantasy.  As the networks increase in speed, power, and ease of use,
the ties between countries will only grow.  The net will need to be seen
as a global phenomenon, and information on the net will no longer be
localized; made available to one, it is made available to all.

In this environment, the only way to stop information from making its
way into foreign hands is by keeping it off the net entirely.  And that
implies restricting what kinds of technologies American citizens can
publicly discuss and what kinds of information they can exchange.  If we
want to keep cryptographic secrets, we must prevent people from knowing
or at least talking about those secrets.  This would require Draconian
policies more suitable to a totalitarian state than the world's greatest
democracy.  In short, keeping cryptographic technology secret is
incompatible with American principles.


>        - the competitiveness of U.S. manufacturers of such technology
>          in the international market;
>        
>        - the competitiveness and performance of commercial U.S.
>          users of such technology;

Another problem with the present US policies restricting exports of
cryptographic technologies is their lack of responsiveness to changing
conditions.  Despite the fact that such basic algorithms as the RSA
public-key encryption system or the DES secret-key system are nearly
twenty years old, the government still restricts their export.  This is
ridiculous.  Those algorithms are in use all over the world!  From whom
are we trying to keep them secret?  This is really an illustration of the
well-known inertia and inflexibility of bureaucracies.

The only effect of these bans is to impair the competitiveness of US
business.  Manufacturers of cryptographic technology are not allowed to
export, and users of cryptography are not allowed to use modern
technology if the products might go overseas.  It would be as if the US
were still determined to keep the design of internal combustion engines
secret and so US car manufacturers were forced to use steam because the
cars might be sent across the border.

In the future, as new algorithms are discovered, the same problem will
present itself.  The rapidity and ease of communications ensures that if
the technology is publicly known, it is globally known.  Allowing US
manufacturers to use a technology but not to export it is pointless; if
they know how to use the technology, chances are the rest of the world
does as well.  Restricting exports can only benefit competitors in other
countries at the expense of US businesses.  It is pointless and
counterproductive.


>        - U.S. national security and law enforcement interests;

Cryptographic technology has some characteristics which are at odds with
the interests of law enforcement and security agencies.  In a sense,
cryptography is a "purely defensive" technology.  It does not threaten
anyone, it does not invade anyone's privacy, it does not cause damage or
harm.  On the contrary, it protects the user from various kinds of
threats and invasions of his own privacy.  In a way, it levels the
playing field, providing the weak with some of the same protections of
privacy and secrecy which have been traditionally available only to the
strong.

The problem is that law enforcement and security interests have gotten
used to being strong.  It may not have been easy to learn the internal
secrets of a powerful opponent, but eavesdropping on a poor country or
individual was easy.  Indeed, most people have intuitively understood
that they would be nearly powerless if threatened in any significant way
by law enforcement or national security forces.

Now, this may change somewhat.  It remains to be seen to what extent
these changes will occur, and what their full effects will be.  It does
appear that if free access continues to be granted to cryptographic
technology that people will be more immune to certain types of
surveillance.  This does not necessarily mean that the world will
descend into a nightmare of terrorism and war.  It does mean that the
agencies whose job it is to keep order will have to adapt, to learn new
technologies and new approaches.

Naturally, they will resist.  Change is never comfortable, and it is
all too easy to conjure boogeymen out of the unknown.  But before
allowing ourselves to be panicked by the thought of untappable phones
and unreadable mail, we need to consider the alternatives.  Because of
the tremendous ease with which information will flow, only extremely
severe and harsh measures can keep cryptographic technologies out of
the hands of those who want it badly enough.  This has been recognized
from the beginning by the government, as was seen in its flawed Clipper
chip proposal.  The fundamental inconsistency with Clipper was that a
voluntary standard would not be used by criminals, and the restrictions
which would be needed to force criminals to use it would be completely
at odds with American freedoms.  The government's attempt to have it both
ways only sowed fear and mistrust.

It may sound harsh, but it is true: the only way in which cryptography
which can be defeated by law enforcement will come into use is if people
are forced to use it.  And the problem is that people already have
technologies which are too strong for law enforcement to break.  It's too
late to put the genii back into the bottle.  The only choices at this
point are between Big-Brother-style restrictions on use of certain simple
algorithms, or a world in which privacy, unbreakable privacy, is a fact
of life.  Consider carefully whether the latter would be so horrible
before you accept choices which are at odds with our national traditions
of individual freedom.


>    * the strength of various cryptographic technologies known and
>      anticipated that are relevant for commercial and private purposes;

In my opinion, the current suite of cryptographic technologies is well
suited for commercial purposes.  The RSA public-key system has withstood
nearly twenty years of attacks and new algorithms for factoring numbers
(factoring is the problem on which the algorithm is based).  At worst it
may be desirable to raise key sizes from the 512 to 1024 bit level which
are widely used today to perhaps 1024 to 2048 bits, a level which should
provide effectively impenetrable security.  As computers get faster the
larger key sizes can be handled efficiently, while the time to break the
algorithm increases at a much faster rate for larger keys.  The result is
that the passage of time and the increase in computer speeds only helps
the user of RSA rather than the attacker.

RSA is typically used in conjunction with a secret-key cypher for
efficiency, and here DES has been the choice for a number of years.  DES
is now showing its age; its 56-bit key size is beginning to be too small
to give confidence against an attacker.  However, two alternatives are
readily available: triple-DES and IDEA.  Triple-DES has a key length of
112 or 168 bits, depending on the configuration, and IDEA has a key
length of 128 bits.  Both of these are large enough that no conceivable
attack can be launched based on key size alone.  Triple-DES itself has
been cryptanalyzed almost as long as DES, and while IDEA is newer its
security should be much clearer within the next two or three years.  In
addition, there are a number of other conventional cyphers being
developed all the time.  Chances are that one or more of these will be
acceptable as well.  By the turn of the century there should be at least
three or four strong and widely accepted conventional cyphers.

In sum, there is no real commercial need for government involvement in
the development of new cryptographic technologies.  While new
approaches are always welcome, the range of technologies which already
exists is adequate for commercial encryption needs well into the next
century.  Here the best policy for the government is to simply
facilitate the use of these well established systems.


>    * current and anticipated demand for information systems security
>      based on cryptography;

Cryptography is going to be a key technology over the next ten to twenty
years.  There is far more to this technology than simply maintaining
privacy, although certainly in the early years this may be the principal
market area.  But, more generally, cryptography is a technology of
information management.  It allows precise control over how
information is revealed, packaged, and disseminated.  Once recent
discoveries by cryptography researchers are commercialized and made
available to the public there will be whole new areas of business and
commercial interest that are barely imagined today.

Starting with the nearer term, cryptography will be used initially
primarily for privacy and authentication.  As commerce moves onto the
nets, so too will the need for confidentiality.  The insecure nature of
many existing networks will be addressed by layering cryptographic
protocols on top of the existing foundation.  And new networks may be
developed with cryptographic security built in from the beginning.

An important point will be to make the security trustable and transparent.
Trustable means that the end user does not have to trust some third party
not to betray his secrets.  In an increasingly competitive world where
government and corporate espionage are beginning to merge, a system which
tells its users to "trust me" is not going to be competitive with one
which allows users to determine for themselves that their communications
are secure.  This suggests that end-to-end encryption, where the message
is in the clear nowhere on the network, will be the preferred mode.  And
at the same time, the encryption will be transparent, built into the
software used for access to the network, with user-friendly controls and
indicators for the encryption status (and hence reliability) of each
piece of information displayed.  We see the prototypes for these concepts
already with the security extensions to the World Wide Web and its
associated software program, Mosaic.  Similar concepts are being designed
into personal computers as well.

Looking out a bit farther, the next big market for cryptography
technology will be electronic payment systems.  The potential speed and
flexibility of electronic commerce requires an equally fast and flexible
means of electronic payment.  There are many cryptographic technologies
which are suitable, including the electronic equivalent of bank drafts,
checks, cashier's checks, and, perhaps most controversial, digital cash.

It is worth discussing digital cash in a little more detail.  It may well
be that this technology will produce the next Clipper controversy.  The
situation is that digital cash provides for a means of payment which is the
electronic equivalent of cash.  It is private and anonymous.  In an era
when databases of consumer preferences and buying habits may be one of
the major threats to privacy, digital cash will provide protection by
allowing transactions to occur anonymously.  If there is no record of who
participated in the transaction, there is no privacy threat from
databases of such records.

In a sense, this is nothing new, no more threatening than paying a
dollar for bread at the corner grocery store.  But law enforcement
efforts which rely on tracking the flow of funds may be hindered by the
widespread use of digital cash.  This could have implications for money
laundering, income and sales tax collection, and other types of financial
regulations.  As with the prospect of encrypted communications, the
response by law enforcement is likely to be an attempt to block this
technology from coming into widespread use.  And once again the choice
will be between restrictions on what kinds of algorithms people can run
on their computers, and allowing people some privacy in their financial
affairs.

Other cryptographic technologies which are waiting in the wings include
"zero knowledge" proof systems, which allow new forms of
authentication, and which make it possible to prove possession of
certain information without revealing the information itself; secret
sharing systems which allow for true "escrow" of information (unlike
the misnamed government "key escrow" which keeps secrets contrary to
the interests of the user, rather than on his behalf) with very flexible
controls on who can access the information; pseudonym-based credentialing
systems which will allow people to prevent linkage of information about
them in different databases while allowing them to control which
information will be revealed; secret-exchange systems which make it
possible for two people to simultaneously exchange secret information
in such a way that neither can cheat; many forms of digital signatures,
some of which are verifiable only with the cooperation of the signer, but
in such a way that he can't cheat; and a variety of others.  These
technologies will permit wholly new and unforeseeable approaches to
managing and controlling information, and will undoubtedly serve as the
basis for new companies and even new industries.

But these possibilities can only come about if people are allowed to use
them.  Any approach which requires law enforcement review of every new
encryption technology is going to hamstring American companies which want
to innovate and compete in the world.  The tremendous growth and success
of the US software business comes from the free-wheeling competition and
innovation which have characterized it.  Inserting law enforcement
restrictions into the picture can only harm American competitiveness, as
we see already in the cryptographic privacy area.  As we move into the
next century, information itself is going to be a key commodity, and the
monkey wrench thrown into the industrial machine by law enforcement
restrictions on cryptographic and information technologies is going to
have widespread impact.  This is not something we can afford in an
increasingly competitive world.


>    * the impact of foreign restrictions on the use of, importation of, and
>      the market for cryptographic technology;

Narrowly speaking, the interests of the United States are best served
if our foreign competitors are faced with as many disadvantages as
possible.  On this view, foreign restrictions on cryptographic
technology should be welcomed, as they will only harm foreign
companies and make it harder for them to compete with the US.  In the
broader sense, though, the world market is all interconnected.
Inefficiencies and restrictions in one part inevitably harm the smooth
operations of other parts.  It is no longer easy or even possible in
many cases to distinguish activities which are foreign from those
which are domestic.  Regulations which apply to a company's activities
in one country inevitably influence its activities in others.  In this
sense, foreign restrictions on cryptographic technologies will end up
being harmful to US companies and individuals.

In the long run, then, it will be best for the US to work to reduce
foreign restrictions on the use of cryptography.  The prospects of
success are excellent since those countries will be feeling their own
domestic pressures from companies which are being harmed by those
restrictions.  And in an international world a country which stubbornly
maintains obsolete and inefficient restrictions on internal business
activities may simply find itself bypassed, as commerce flows to more
hospitable jurisdictions.

The great danger, and the one to be most carefully avoided, is the
establishment of an international cabal of law enforcement agencies, all
calling for uniform restrictions on encryption applied (as they would
have to be) in all countries on the globe.  This would represent a
pre-emptive strike against individual privacy, the formation of a
de facto cartel in which governments around the world band together
contrary to the interests of their citizens.  It need hardly be pointed
out how opposed this is to our American principles and traditions.
Furthermore, such an approach is inherently fragile and unstable, as every
country has incentives to advance its own interests by releasing the
shackles which bind its industry.


>    * the extent to which current cryptography policy is adequate for
>      protecting U.S. interests in privacy, public safety, national
>      security, and economic competitiveness;

US cryptography policy has clearly gotten off on the wrong foot.  With
the disastrous Clipper chip proposal, the government has simultaneously
alarmed privacy advocates and demoralized law enforcement.  Today, the
policy is in a shambles, with indications that the government is
withdrawing support for Clipper and searching for other alternatives.

The fact is that current cryptographic technology is perfectly adequate
for privacy protection.  There is no need for government efforts to
introduce new cryptographic systems.  To the extent that Clipper was
presented as a new, improved cryptographic algorithm, it is simply
unnecessary.  Of course, the stated purpose of Clipper was not to improve
privacy, but quite the reverse.  Again, as far as meeting the goals of
privacy protection, the government need only step aside.

Similar considerations hold for economic competitiveness.  Here the
export restrictions on public-domain cryptographic technology are a
ludicrous holdover from the past and serve only to hobble American
companies.  The single best step the government could take today would be
to remove RSA, DES, IDEA, and other international cryptographic standard
algorithms from the list of export controlled technology.

As for the national interest in public safety and security, cryptography
is simply not the threat that it is often painted by law enforcement and
security interests.  With only a few hundred authorized wiretaps a year
on a population of over 200 million people, it is clear that the impact
of secure communications will be only marginal.  Traditional methods of
law enforcement including physical surveillance, infiltration,
informants, and similar approaches have been the foundation of crime
prevention in the past and undoubtedly will be in the future.

Furthermore, attempts to put the cat back in the bag are doomed to
failure.  There are already widespread programs for cryptographic
privacy, and new ones are being written (often by amateurs, so
widespread and simple is the technology) all the time.  The kinds of
regulations which would be required to prevent people from
communicating privately would have to be severe and onerous.  It was
the recognition of this fact which forced the government to back down
from early hints that Clipper might not be a voluntary program.
Citizens of the United States simply will not tolerate the kinds of
government controls that would be necessary in order to return to the
days of free wiretapping.


>    * strengths and weaknesses of current key escrow implementation
>      schemes;

So-called "key escrow", as pointed out by cryptographer Carl Ellison,
is misnamed.  What these systems really provide is Government Access
to Keys, or GAK.  That is the real purpose of these key escrow
systems.  All the discussion about escrow and restrictions on access is
window dressing to obscure the fundamental issue and to make it seem
more palatable.

A true escrow system would be one which held certain information on
behalf of the client.  An escrow agency has well-defined obligations to
the client and to other interested parties.  For example, in a sale of
real property, an escrow agent may hold the cash for the buyer and
pass it to the seller when title has transferred.  There are actually
many legitimate purposes for escrow in the context of information.  One
example would be the purchase of some data package over a computer
network (say, a music video in electronic form).  An escrow agency could
assist with the mutual exchange of payment (perhaps in the form of
digital cash) and the information package in such a way that both parties
are protected against cheating.

In this sense, a true "key escrow" agency might be one with which a
user could deposit his secret key with assurance that it would be held
safely for him.  Then if something happened in the future which caused
him to lose his key, the escrow agency could follow through with its
contractual obligation and return the key to the user.  Or, again with
appropriate authorization, in the event of the user's death or other
circumstances, the agency could reveal the key to the heir or agent of
the original user.  The key point here is that the escrow agency is
providing a service to the user; the user's interaction with the
agency is voluntary.

This kind of key escrow, if offered by the government, would not be
particularly objectionable (although there is no particular reason why this
escrow should be a government, as opposed to private, function).  Just as
the government indirectly backs the banks and provides security to the
depositors, so a government key escrow agency could provide secure
storage of keys (and perhaps other information).

If only this is what the government meant by key escrow!  Actually, of
course, the real purpose of key escrow is to allow the government to
defeat encryption if necessary.  Most of the variations on the existing
schemes involve what mechanisms are used to ensure that the keys are only
revealed under specified conditions.

The Clipper chip proposal has been widely discussed elsewhere.  The
difficulty of ensuring that copies of the keys are not made during the
programming process has been pointed out, as well as the problem that
knowing the family key (or having access to a family key based decryption
unit) allows traffic analysis without needing access to the escrowed
database.  The possibility of rogue units interoperating with Clipper
chips as discovered by Matt Blaze provides a further technical flaw in
this proposal.

A more recent proposal is also worth discussing.  So-called "software
key escrow" (SKE) provides similar functionality to the Clipper chip,
but in software.  A "law enforcement access field" (LEAF) is included in
each message by compliant software as with Clipper.  The main new feature
is that the software on the receiving end can check that the LEAF is
valid without knowing the family key.  This prevents rogue software
from interoperating with compliant software.

Although interesting, this proposal is unlikely to achieve its goals
without the kinds of harsh restrictions discussed above.  The design
goal of making it impossible for rogue software to communicate with
compliant software is really not relevant as that does not solve law
enforcement's problems.  It would be an easy matter to create a rogue
program which communicated compliantly with compliant software and
non-compliantly with rogue software.  This allows the hypothetical
criminal to communicate with his cohorts privately while communicating
freely with everyone else.  Again, the only way this system or any
similar key escrow system can succeed is if people are forbidden to use
anything else.


>    * how technology now and in the future can affect the feasible policy
>      options for balancing the national security and law enforcement
>      interests of government and the privacy and commercial interests
>      of U.S. industry and private U.S. citizens;

To the extent that this debate is expressed as a conflict between
government and citizens, it is already clear what has gone wrong.  There
should not be a conflict between government and its citizenry, not in a
democracy.  The citizens rule the government in the American system, not
the other way around.

What has happened here is that certain agencies within the government
seem to have forgotten this fundamental fact.  They see the people of the
United States as, if not their enemies, then at least their potential
enemies.  Law enforcement and national security agencies have become so
accustomed to wielding immense power that they cannot tolerate the
thought of giving up some of it.  Thus we have their desperate attempt to
turn back the clock, to freeze technology at a 1970's level, to prevent
people from using the cryptographic tools which are becoming more
widespread every day.

There is no need to balance the interests of the US government and
private citizens.  The only interests which are relevant are those of the
citizens.  What needs to be balanced are those citizens' interests in
public safety and their desire for privacy and freedom.

This conflict is nothing new.  It has always been true that there is a
tradeoff between security and freedom.  Different countries all around
the world have chosen to balance this tradeoff at different points.  At
one extreme we have totalitarian states where security is everything and
individual freedom is nearly gone.  The example of Singapore is widely
used today as a place where the citizens have, largely voluntarily, given
up a great deal of individual privacy and freedom in exchange for a
tightly regulated, but peaceful, society.

We in the US have traditionally chosen a different, and historically
superior, approach.  Our national traditions emphasize the importance
of the individual.  All through American history the lessons we have
learned have taught us to respect individual freedoms at the expense of
government regulations and controls.  This has been one of the
fundamental principles which has led to our tremendous success.

In the context of the encryption debate, then, the default position
should and must be one of individual freedom.  We already allow
individuals to use any encryption technology they desire.  Any proposal
to move from this principle, a principle which is firmly in accord with
American traditions, should be viewed with the utmost caution.

And, as the above discussion has emphasized, there is really no legitimate
policy position which moves us only slightly in the direction of greater
control.  The choice is not between privacy and a little bit of
regulation.  It is between privacy and very invasive, very intrusive
restrictions.  The nature of cryptographic technology is such that it is
so easy to use that only an intensive effort can prevent its use, or
force the use of a government-approved alternative.  The policy decision
is really between one which maintains American traditions of freedom and
one which takes a drastic step towards government control.

In the future, this situation will only become worse from the point of
view of those opposed to communications privacy.  As more countries
become computerized, as the global networks spread further, as more
people learn how easy it is to ensure their own privacy, it will be all
the harder to keep people's communications under government-approved
systems.  Technology sounds the death knell for traditional ways of
approaching the law enforcement and national security business.  The
longer governments are allowed to ignore that fact the more likely it will
be that the totalitarian solution will be imposed.


>    * recommendations for the process through which national security,
>      law enforcement, commercial, and privacy interests are balanced
>      in the formulation of national cryptography policy.


The traditional way to balance the competing interests would be to put
national security and law enforcement people, business people, and a
few "privacy advocates" on a committee, then let them make
recommendations to the Executive or Legislative branches of
government.  Although this may be appropriate for the initial
evaluation of the situation, it has serious problems.  It puts far too
much weight on the specific interests of security and law enforcement.
Although these are legitimate duties of government, they are not its
only duties, and they certainly do not override the traditional
American emphasis on individual liberty.

In the next century, the primary economic fact will be international
competition.  In a global world, there is no longer any place for
pointless government regulations which will interfere with the success
of domestic business or cause commerce and capital to flee to other
countries.  Attempting to mollify outdated law enforcement concerns by
restricting the use of encryption technologies will only hurt American
citizens.

The fact is that, given these economic realities, the only policy
decision which makes sense is one which encourages, rather than
restricts, the use of encryption.  Government should relax export
controls, retire its key escrow proposals, reveal the SkipJack
algorithm used in Clipper, and turn its researchers to the task of
helping American competitiveness rather than thinking up new ways of
hindering US businesses.

The only "process" that is needed is the political courage to overcome
the objections of law enforcement and force them to concentrate on the
job at hand, stopping criminals, rather than working on new ways to
block encryption technology.  It doesn't have to be done right away.
It will take years for encryption to work its way into the economy.  We
probably won't see widespread encryption of telephone and other
electronic communications for five or even ten years.  This time must
be used productively by law enforcement to design new strategies to
meet the challenges ahead.  If the government wastes time on an
ultimately doomed campaign to try to freeze technology and restrict
encryption then we will all ultimately be the losers.

Thank you again for your attention.


Hal Finney
email: hfinney@shell.portal.com
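As an added illustration of the RSA key size argument in the message above (example code, not part of Hal Finney's text), the following script makes the claim quantitative: the user's cost per RSA operation is modelled as cubic in the modulus size, and the attacker's cost as the heuristic General Number Field Sieve running time L_n[1/3, (64/9)^(1/3)]. Both cost models and the ignored constants are assumptions of this example, so only ratios between key sizes are meaningful.

```python
import math

# Added example, not part of the original message. It quantifies the
# argument that a larger RSA key costs the legitimate user only
# polynomially more while costing a factoring attacker far more.
# Model assumptions (constructed for this example):
#   - user cost: one modular exponentiation ~ bits^3
#     (schoolbook multiplication, bits-long exponent)
#   - attacker cost: heuristic GNFS running time
#       L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
#     with n ~ 2^bits. Constants and o(1) terms are dropped, so the
#     numbers are relative effort, not wall-clock time.

GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def log2_user_cost(bits):
    """log2 of the relative cost of one RSA private operation at this key size."""
    return 3.0 * math.log2(bits)


def log2_attacker_cost(bits):
    """log2 of the heuristic GNFS effort to factor a modulus of this size."""
    ln_n = bits * math.log(2.0)
    exponent = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return exponent / math.log(2.0)


def security_margin_bits(bits):
    """log2(attacker cost / user cost): how far ahead the defender sits."""
    return log2_attacker_cost(bits) - log2_user_cost(bits)


def doubling_penalties(bits):
    """Factors by which (user cost, attacker cost) grow when the key doubles.

    The user factor is always 8 under the cubic model; the attacker factor
    grows with the starting size, which is the point of the argument.
    """
    user = 2.0 ** (log2_user_cost(2 * bits) - log2_user_cost(bits))
    attacker = 2.0 ** (log2_attacker_cost(2 * bits) - log2_attacker_cost(bits))
    return user, attacker


def table(sizes=(512, 768, 1024, 1536, 2048)):
    """Rows of (bits, log2 user cost, log2 attacker cost, margin in bits)."""
    return [
        (b, log2_user_cost(b), log2_attacker_cost(b), security_margin_bits(b))
        for b in sizes
    ]


if __name__ == "__main__":
    print(f"{'bits':>5} {'user log2':>10} {'GNFS log2':>10} {'margin':>8}")
    for b, u, a, m in table():
        print(f"{b:>5} {u:>10.1f} {a:>10.1f} {m:>8.1f}")
    for b in (512, 1024):
        u, a = doubling_penalties(b)
        print(f"{b}->{2 * b} bits: user x{u:.0f}, attacker x{a:.2e}")
```

Under these assumptions doubling from 512 to 1024 bits makes the user's operation about 8 times slower but multiplies the attacker's estimated work by roughly seven million, and the gap widens again at the next doubling.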
