maximizing cryptographic return
the question of the cost-effectiveness of phone encryption was raised by my other message. I would like to question how cheaply good encryption could be done on phones, with a poor quality microprocessor. most on this list are aware of the idea that good encryption is often used to send a low-bandwidth session key, which is then used to encrypt that session using a less sophisticated but less computationally-demanding algorithm. hence you seem to have good security at a computational price that is less than encrypting everything with the secure protocol.

I was wondering how secure the following algorithm would be for phone calls: suppose that at the beginning of each session, the random key is traded using RSA or some other very secure approach. the key is a *random bit width*, say 100-6000 bits. now, my question is, I wonder if some very cheap algorithms, in terms of computation time, could be used for the "on the fly" encryption of the voice using those bits. would XOR with the pad be totally out of line?

the situation is such that trivial algorithms such as XOR with *unlimited cyphertext* can be broken quite trivially. but it seems to me this dogma that "XOR is WEAK" is based on the premise that you have a huge amount of cyphertext to play with. take away this premise, that you have a session key that is guaranteed to really give you very little cyphertext, do these supposedly "weak" algorithms then become pretty secure?

what I am getting at is that it seems there is this frequent assumption that "good cryptography for on-the-fly encryption means you need huge computational bandwidth". I wonder how true this really is. can you have a situation where you spend a lot of time computationally negotiating the *random one time pad*, but then have a fairly weak algorithm doing the on-the-fly encryption with the random pad? IMHO this would be the holy grail for phone hardware.

as I wrote, you are already going to have something approximating the power of a low-bandwidth microprocessor in a phone. now imagine it took a long time to send the key at the beginning, but that once traded it was no big deal-- real time communication using even "weak" algorithms. what I am suggesting here is that we can get encryption for almost *no additional cost* over existing phone hardware. and I am suggesting that the main hurdles to encryption are political, not technical.

again, I wonder if "weak" encryption schemes are really that weak if they are only used on short cyphertexts and if you have a good, secure OTP (one time pad). I think it may be a delusion that you must have a huge amount of computational bandwidth or have to encrypt every bit using state-of-the-art, computationally-demanding algorithms to have extremely secure on-the-fly communications.

p.s. can someone give a brief summary of the Nautilus and PGP session key / code frameworks?

p.p.s. a few footnotes in regard to the previous article. widespread, seamless phone encryption is the NSA's absolute worst nightmare. everything they are doing to prevent cryptography can be thought of as trying to avoid this particular reality configuration. pay special attention to how they approach the issue and it will tell you what they fear the most, and what they are trying to do to prevent it.

also, Bob Morris said in his talk, acc. to Gillogly, that Europeans *were* willing to pay for encryption in their phones, but those in the US weren't. please expand on that little nugget!! how did you come to that conclusion? why are americans fundamentally different than europeans in regard to the value of encryption? if humans want the same thing in most markets (as the situation of international product marketing generally seems to suggest) does it make you think that something besides the desirability of crypto is at stake here in the localities, such as *politics*?

--Vlad Nuri
> I was wondering how secure the following algorithm would be for phone calls: suppose that at the beginning of each session, the random key is traded using RSA or some other very secure approach. the key is a *random bit width*, say 100-6000 bits. now, my question is, I wonder if some very cheap algorithms, in terms of computation time, could be used for the "on the fly" encryption of the voice using those bits. would XOR with the pad be totally out of line?

> the situation is such that trivial algorithms such as XOR with *unlimited cyphertext* can be broken quite trivially. but it seems to me this dogma that "XOR is WEAK" is based on the premise that you have a huge amount of cyphertext to play with. take away this premise, that you have a session key that is guaranteed to really give you very little cyphertext, do these supposedly "weak" algorithms then become pretty secure?
No, XOR is weak if used even twice. If you XOR the two pieces of cyphertext with each other, you get the two plaintexts XORed. I'd be willing to bet that the human ear can understand two audio signals XORed. Certainly with practice people can understand audio that has been encrypted with frequency inversion. Pre-encryption compression would solve this, but XOR is still very weak.
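Editor's note: the objection in the reply above, worked through in code. This is an added example and is not code from either poster. It uses constructed 16-byte frames as stand-ins for voice codec output, a constructed 96-bit session pad, and an all-zero frame standing in for the silence frames a codec emits constantly (a free known plaintext). The fix shown at the end, HMAC-SHA256 run in counter mode to expand the negotiated session key into a per-frame keystream, is my stand-in chosen because it is in the Python standard library; the thread does not propose it, and a real phone would use a proper stream cipher such as ChaCha20. The point it makes is that the per-bit cost of the fix is the same single XOR the original poster wanted, and that the amount of ciphertext was never the issue: reuse of the pad is.

```python
"""Two-time pad versus a per-frame keystream: added example, not from the thread."""
import hashlib
import hmac
from itertools import cycle


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# --- the scheme asked about: one negotiated pad, XORed over every frame ---

def pad_encrypt(pad: bytes, frame: bytes) -> bytes:
    """XOR a frame with the session pad, cycling the pad when the frame is
    longer. Decryption is the identical operation."""
    return bytes(x ^ k for x, k in zip(frame, cycle(pad)))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two frames under the same pad: XOR the ciphertexts and the pad
    cancels, leaving plaintext1 XOR plaintext2. No key material needed."""
    return xor_bytes(c1, c2)


def recover_pad(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """A crib at a known position yields the pad bytes at that position.
    With a short cycling pad and a crib at least as long as the pad, that
    is the entire session key."""
    return xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)


# --- the fix at the same per-bit cost: keystream that never repeats -------

def keystream(session_key: bytes, frame_index: int, length: int) -> bytes:
    """Expand the negotiated session key into keystream unique to one frame.
    HMAC-SHA256 in counter mode is an assumption made for this example (it
    is in the standard library); a real design would use a stream cipher.
    The same (session_key, frame_index) must never cover two frames."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = frame_index.to_bytes(8, "big") + block.to_bytes(8, "big")
        out += hmac.new(session_key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def stream_encrypt(session_key: bytes, frame_index: int, frame: bytes) -> bytes:
    """Still one XOR per byte, but against fresh keystream for every frame.
    Decryption is the same call with the same frame_index."""
    return xor_bytes(frame, keystream(session_key, frame_index, len(frame)))


# --- constructed demonstration data ----------------------------------------

PAD = bytes.fromhex("5f3a9c01e7b244d81a6cf093")       # 96-bit pad, constructed
SESSION_KEY = hashlib.sha256(b"constructed session key").digest()
SILENCE = bytes(16)                                    # codec silence frame
FRAME_A = b"meet at the pier"                          # 16-byte voice frame stand-ins
FRAME_B = b"bring the cash!!"


def attack_session_pad() -> dict:
    """Three frames under one pad: the attacker gets everything."""
    c_sil = pad_encrypt(PAD, SILENCE)
    c_a = pad_encrypt(PAD, FRAME_A)
    c_b = pad_encrypt(PAD, FRAME_B)
    leaked = two_time_pad_leak(c_a, c_b)                 # FRAME_A ^ FRAME_B
    pad_found = recover_pad(c_sil, SILENCE)[:len(PAD)]   # silence hands over the pad
    return {
        "plaintext_xor_leaked": leaked == xor_bytes(FRAME_A, FRAME_B),
        "pad_recovered": pad_found == PAD,
        "frame_b_decrypted": pad_encrypt(pad_found, c_b) == FRAME_B,
    }


def attack_stream_cipher() -> dict:
    """Same frames, per-frame keystream: the XOR of ciphertexts is noise,
    unless a frame index is reused, which recreates the two-time pad."""
    s_a = stream_encrypt(SESSION_KEY, 0, FRAME_A)
    s_b = stream_encrypt(SESSION_KEY, 1, FRAME_B)
    s_b_reused = stream_encrypt(SESSION_KEY, 0, FRAME_B)  # bug: index 0 twice
    return {
        "roundtrip": stream_encrypt(SESSION_KEY, 1, s_b) == FRAME_B,
        "plaintext_xor_leaked": xor_bytes(s_a, s_b) == xor_bytes(FRAME_A, FRAME_B),
        "leaks_again_on_index_reuse":
            xor_bytes(s_a, s_b_reused) == xor_bytes(FRAME_A, FRAME_B),
    }


if __name__ == "__main__":
    print(attack_session_pad())
    print(attack_stream_cipher())
```

Run it and `attack_session_pad` reports every flag true: two ciphertext frames alone give the XOR of the plaintexts, and one silence frame gives the pad and therefore the whole call, so a 100-6000 bit pad buys nothing once it covers more than one frame. `attack_stream_cipher` shows the same XOR-per-byte work with no leak, and the last flag shows that reusing a frame index (a nonce) under the keystream puts you straight back into the reply's objection; the real engineering burden is the counter discipline, not the arithmetic.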
participants (2): SINCLAIR DOUGLAS N, Vladimir Z. Nuri