From: gnu@toad.com
To: interesting-people@eff.org, eff-crypto@eff.org
Subject: Hal Finney on crypto policy (NRC study)
Date: Thu, 22 Sep 94 22:57:08 -0700

His analysis is slightly one-sided (he can't see the benefits to NSA from restricting crypto exports -- but neither can anyone else outside the classified community). But he states his position very well, and I agree with at least 90% of it.

	John Gilmore

To: Cypherpunks Lite
Date: Wed, 21 Sep 1994 20:41:09 -0700
From: Hal
Subject: My response to NRC crypto study

This is a slightly edited version of what I sent:

Thank you for giving members of the public such as myself the opportunity to discuss our concerns as the NRC studies the National Cryptography Policy. I will make my points using the outline of issues dated September 14, 1994 as a reference.

> * the impact of current and possible future restrictions and standards
>   regarding cryptographic technology on
>
>   - the availability of such technology to foreign and domestic
>     parties with interests hostile to or competitive with the
>     national security, economic, commercial, and privacy
>     interests of the U.S. government, U.S. industry, and private
>     U.S. citizens;

One traditional method for limiting access by hostile foreign powers to strategically important technology has been the defense-oriented classification system. Important discoveries made by government researchers have been classified at various levels in order to prevent their dissemination. This general approach of secrecy has been applied as well to the SkipJack algorithm used in the Clipper chip.

However, this approach has not been completely effective with cryptographic discoveries that are made by private researchers not under the control of the government. Probably the most notable event along these lines was the discovery of public-key encryption technology in the 1970's. The concept of PK encryption, easy to explain and understand even for a technologically knowledgeable layman, spread like wildfire despite some early abortive efforts to suppress it. This discovery has served as the foundation for a wide range of research in cryptography and no doubt is an important reason for the rapid growth of the field over the last twenty years.

Today, the electronic networks which circle the globe make communication of new results far easier and more rapid than in the past. And the transparency of national borders on the computer networks means that information, once made available, is available globally. A discovery made today comparable to PK encryption in the 1970's would have been far less likely to be suppressed, and in the future we can expect this tendency to increase.

Despite this, the US government is currently wielding clumsy policies which classify all encryption software as munitions and require complicated licensing procedures for their export. There is a terrible mismatch between these policies and the mechanics of information flow today. For one thing, the distinction between distribution within the country and information which flows out of the country is nearly impossible to make today. It was always quite unrealistic to suppose that technology which was widely deployed within the US was unavailable across our borders, but the information networks make it clear that this is a fantasy.

As the networks increase in speed, power, and ease of use, the ties between countries will only grow. The net will need to be seen as a global phenomenon, and information on the net will no longer be localized; made available to one, it is made available to all. In this environment, the only way to stop information from making its way into foreign hands is by keeping it off the net entirely. And that implies restricting what kinds of technologies American citizens can publicly discuss and what kinds of information they can exchange. If we want to keep cryptographic secrets, we must prevent people from knowing or at least talking about those secrets. This would require Draconian policies more suitable to a totalitarian state than the world's greatest democracy. In short, keeping cryptographic technology secret is incompatible with American principles.

>   - the competitiveness of U.S. manufacturers of such technology
>     in the international market;
>
>   - the competitiveness and performance of commercial U.S.
>     users of such technology;

Another problem with the present US policies restricting exports of cryptographic technologies is their lack of responsiveness to changing conditions. Despite the fact that such basic algorithms as the RSA public-key encryption system or the DES secret-key system are nearly twenty years old, the government still restricts their export. This is ridiculous. Those algorithms are in use all over the world! From whom are we trying to keep them secret? This is really an illustration of the well-known inertia and inflexibility of bureaucracies.

The only effect of these bans is to impair the competitiveness of US business. Manufacturers of cryptographic technology are not allowed to export, and users of cryptography are not allowed to use modern technology if the products might go overseas. It would be as if the US were still determined to keep the design of internal combustion engines secret and so US car manufacturers were forced to use steam because the cars might be sent across the border.

In the future, as new algorithms are discovered, the same problem will present itself. The rapidity and ease of communications ensures that if the technology is publicly known, it is globally known. Allowing US manufacturers to use a technology but not to export it is pointless; if they know how to use the technology, chances are the rest of the world does as well. Restricting exports can only benefit competitors in other countries at the expense of US businesses. It is pointless and counterproductive.

>   - U.S. national security and law enforcement interests;

Cryptographic technology has some characteristics which are at odds with the interests of law enforcement and security agencies. In a sense, cryptography is a "purely defensive" technology. It does not threaten anyone, it does not invade anyone's privacy, it does not cause damage or harm. On the contrary, it protects the user from various kinds of threats and invasions of his own privacy. In a way, it levels the playing field, providing the weak with some of the same protections of privacy and secrecy which have been traditionally available only to the strong.

The problem is that law enforcement and security interests have gotten used to being strong. It may not have been easy to learn the internal secrets of a powerful opponent, but eavesdropping on a poor country or individual was easy. Indeed, most people have intuitively understood that they would be nearly powerless if threatened in any significant way by law enforcement or national security forces.

Now, this may change somewhat. It remains to be seen to what extent these changes will occur, and what their full effects will be. It does appear that if free access continues to be granted to cryptographic technology, people will be more immune to certain types of surveillance. This does not necessarily mean that the world will descend into a nightmare of terrorism and war. It does mean that the agencies whose job it is to keep order will have to adapt, to learn new technologies and new approaches.

Naturally, they will resist. Change is never comfortable, and it is all too easy to conjure boogeymen out of the unknown. But before allowing ourselves to be panicked by the thought of untappable phones and unreadable mail, we need to consider the alternatives. Because of the tremendous ease with which information will flow, only extremely severe and harsh measures can keep cryptographic technologies out of the hands of those who want it badly enough. This has been recognized from the beginning by the government, as was seen in its flawed Clipper chip proposal. The fundamental inconsistency with Clipper was that a voluntary standard would not be used by criminals, and the restrictions which would be needed to force criminals to use it would be completely at odds with American freedoms. The government's attempt to have it both ways only sowed fear and mistrust.

It may sound harsh, but it is true: the only way in which cryptography which can be defeated by law enforcement will come into use is if people are forced to use it. And the problem is that people already have technologies which are too strong for law enforcement to break. It's too late to put the genii back into the bottle. The only choices at this point are between Big-Brother-style restrictions on use of certain simple algorithms, or a world in which privacy, unbreakable privacy, is a fact of life. Consider carefully whether the latter would be so horrible before you accept choices which are at odds with our national traditions of individual freedom.

> * the strength of various cryptographic technologies known and
>   anticipated that are relevant for commercial and private purposes;

In my opinion, the current suite of cryptographic technologies is well suited for commercial purposes. The RSA public-key system has withstood nearly twenty years of attacks and new algorithms for factoring numbers (factoring is the problem on which the algorithm is based). At worst it may be desirable to raise key sizes from the 512 to 1024 bit level which are widely used today to perhaps 1024 to 2048 bits, a level which should provide effectively impenetrable security. As computers get faster the larger key sizes can be handled efficiently, while the time to break the algorithm increases at a much faster rate for larger keys. The result is that the passage of time and the increase in computer speeds only helps the user of RSA rather than the attacker.

RSA is typically used in conjunction with a secret-key cypher for efficiency, and here DES has been the choice for a number of years. DES is now showing its age; its 56-bit key size is beginning to be too small to give confidence against an attacker. However, two alternatives are readily available: triple-DES and IDEA. Triple-DES has a key length of 112 or 168 bits, depending on the configuration, and IDEA has a key length of 128 bits. Both of these are large enough that no conceivable attack can be launched based on key size alone. Triple-DES itself has been cryptanalyzed almost as long as DES, and while IDEA is newer its security should be much clearer within the next two or three years. In addition, there are a number of other conventional cyphers being developed all the time. Chances are that one or more of these will be acceptable as well. By the turn of the century there should be at least three or four strong and widely accepted conventional cyphers.

In sum, there is no real commercial need for government involvement in the development of new cryptographic technologies. While new approaches are always welcome, the range of technologies which already exists is adequate for commercial encryption needs well into the next century. Here the best policy for the government is to simply facilitate the use of these well established systems.

> * current and anticipated demand for information systems security
>   based on cryptography;

Cryptography is going to be a key technology over the next ten to twenty years. There is far more to this technology than simply maintaining privacy, although certainly in the early years this may be the principal market area. But, more generally, cryptography is a technology of information management. It allows precise control over how information is revealed, packaged, and disseminated. Once recent discoveries by cryptography researchers are commercialized and made available to the public there will be whole new areas of business and commercial interest that are barely imagined today.

Starting with the nearer term, cryptography will be used initially primarily for privacy and authentication. As commerce moves onto the nets, so too will the need for confidentiality. The insecure nature of many existing networks will be addressed by layering cryptographic protocols on top of the existing foundation. And new networks may be developed with cryptographic security built in from the beginning.

An important point will be to make the security trustable and transparent. Trustable means that the end user does not have to trust some third party not to betray his secrets. In an increasingly competitive world where government and corporate espionage are beginning to merge, a system which tells its users to "trust me" is not going to be competitive with one which allows users to determine for themselves that their communications are secure. This suggests that end-to-end encryption, where the message is in the clear nowhere on the network, will be the preferred mode. And at the same time, the encryption will be transparent, built into the software used for access to the network, with user-friendly controls and indicators for the encryption status (and hence reliability) of each piece of information displayed. We see the prototypes for these concepts already with the security extensions to the World Wide Web and its associated software program, Mosaic. Similar concepts are being designed into personal computers as well.

Looking out a bit farther, the next big market for cryptography technology will be electronic payment systems. The potential speed and flexibility of electronic commerce requires an equally fast and flexible means of electronic payment. There are many cryptographic technologies which are suitable, including the electronic equivalent of bank drafts, checks, cashier's checks, and, perhaps most controversial, digital cash.

It is worth discussing digital cash in a little more detail. It may well be that this technology will produce the next Clipper controversy. The situation is that digital cash provides for a means of payment which is the electronic equivalent of cash. It is private and anonymous. In an era when databases of consumer preferences and buying habits may be one of the major threats to privacy, digital cash will provide protection by allowing transactions to occur anonymously. If there is no record of who participated in the transaction, there is no privacy threat from databases of such records. In a sense, this is nothing new, no more threatening than paying a dollar for bread at the corner grocery store.

But law enforcement efforts which rely on tracking the flow of funds may be hindered by the widespread use of digital cash. This could have implications for money laundering, income and sales tax collection, and other types of financial regulations. As with the prospect of encrypted communications, the response by law enforcement is likely to be an attempt to block this technology from coming into widespread use. And once again the choice will be between restrictions on what kinds of algorithms people can run on their computers, and allowing people some privacy in their financial affairs.

Other cryptographic technologies which are waiting in the wings include "zero knowledge" proof systems, which allow new forms of authentication, and which make it possible to prove possession of certain information without revealing the information itself; secret sharing systems which allow for true "escrow" of information (unlike the misnamed government "key escrow" which keeps secrets contrary to the interests of the user, rather than on his behalf) with very flexible controls on who can access the information; pseudonym-based credentialing systems which will allow people to prevent linkage of information about them in different databases while allowing them to control which information will be revealed; secret-exchange systems which make it possible for two people to simultaneously exchange secret information in such a way that neither can cheat; many forms of digital signatures, some of which are verifiable only with the cooperation of the signer, but in such a way that he can't cheat; and a variety of others. These
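The key-size argument in the message (raising RSA moduli from 512-1024 bits to 1024-2048 bits costs the legitimate user only a little while costing a factoring attacker far more) can be put in numbers. This is an added example, not part of Hal's message or John Gilmore's note; it assumes the standard heuristic GNFS running-time model L_n[1/3, (64/9)^(1/3)] for the attacker and a cubic cost model for one modular exponentiation for the user.

```python
import math

# Assumed attacker cost model: the general number field sieve heuristic
# L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with c = (64/9)^(1/3).
# The o(1) term is dropped, so the outputs are relative scaling estimates,
# not absolute effort figures.
GNFS_C = (64 / 9) ** (1 / 3)


def log2_factoring_effort(bits: int) -> float:
    """log2 of the heuristic GNFS work needed to factor a `bits`-bit modulus."""
    ln_n = bits * math.log(2)  # ln(n) for an n of the given bit length
    exponent = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return exponent / math.log(2)


def log2_rsa_op_cost(bits: int) -> float:
    """log2 of the cost of one RSA modular exponentiation.

    Assumed user cost model: schoolbook arithmetic, O(bits^3), i.e. about
    bits multiplications of bits-by-bits-digit numbers.
    """
    return 3 * math.log2(bits)


def compare(old_bits: int, new_bits: int) -> dict:
    """How many extra bits of work does doubling the key impose on each side?"""
    return {
        "attacker_bits_harder": log2_factoring_effort(new_bits)
        - log2_factoring_effort(old_bits),
        "user_bits_harder": log2_rsa_op_cost(new_bits)
        - log2_rsa_op_cost(old_bits),
    }


if __name__ == "__main__":
    # The two transitions the message proposes: 512->1024 and 1024->2048 bits.
    for old, new in ((512, 1024), (1024, 2048)):
        r = compare(old, new)
        print(f"{old}->{new} bits: attacker work x2^{r['attacker_bits_harder']:.1f}, "
              f"user work x2^{r['user_bits_harder']:.1f}")
```

Under these models each doubling costs the user a factor of 8 (3 bits) while the attacker's factoring effort grows by roughly 2^23 for 512->1024 and 2^30 for 1024->2048, which is the asymmetry the message relies on.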