Cypherpunks of the World, Here's a new analysis of the key registration proposal I just posted to a couple of groups. -Tim Newsgroups: sci.crypt,alt.privacy,comp.org.eff.talk From: tcmay@netcom.com (Timothy C. May) Subject: A Silver Bullet to Limit Crypto? Date: Wed, 11 Nov 1992 18:36:44 GMT Key Registration as a "Silver Bullet" to Limit Crypto Use Two weeks ago, and more than 500 related messages ago, I posted the "Trial Balloon to Ban Encryption?" message, alerting sci.crypt and other newsgroups to the Dorothy Denning "trial balloon." Prof. Denning has continued the balloon metaphor, calling her first proposal a "lead balloon" and her improved, law-enforcement-friendly version a "copper balloon." Others have called it a "uranium balloon," i.e., it's worse than the lead balloon. In reading the hundreds of comments about ways to bypass the Denning proposal, about the many clever schemes to avoid detection, I came to some realizations about the likely reason for key registration. Also, at the recent Hackers Conference in Lake Tahoe, lots of interesting points came up (crypto, PGP, anonymous remailers, digital cash, privacy, and the "Crypto Crackdown," to borrow Bruce Sterling's title of "The Hacker Crackdown," were hot topics). Mike Godwin of the EFF, who may be reading this in comp.org.eff.talk, spoke on such policies...he told us this kind of crackdown on crypto tools is a priority of several government agencies and that the issue will not go away with the new administration. But why scheme to register keys, by whatever means, if the system is so easily thwarted and bypassed? Neither Prof. Denning nor her colleagues, both in and out of the NSA and FBI, are dummies. The "silver balloon," or silver bullet, is this: * a formal key registration system will directly affect and limit use of the _most important_ part of public key systems: the ability to use public key directories (like phone books) rather than set up all communications on a one-to-one basis (as private key systems require, for key exchange, and as many of the key registration bypasses implicitly or explicitly require). * enforcement, at least for publicly announced P-K keys, can be by insisting that a special message ("This is J. Random User.") be signed with one's registered/deposited key and then verified with the public key to ensure the same private key-public key pair is used. (Yes, there are still bypasses and clevernesses to spoof these systems, but most "publicly visible" use of P-K methods, the main raison d'etre for public keys, will be affected and effectively controlled.) Keys can and will be registered under this proposal, but many people will simply not bother with the hassle and just won't use P-K methods (thus making the monitoring job easier). * bypassing the key registration laws by "going underground" is always possible, but for this purpose one can already use one-time pads, pack message bits into the least significant bits of digital recordings and images, and generally do all sorts of other devious things. The key point is that the wide use of public key methods is reduced, which may be the real motivation. * reducing the wide use of crypto technology by the masses allows the monitoring agencies a slightly easier job in monitoring those who _are_ using crypto. One can imagine exactly the same arguments for restricting or registering voice scramblers for phone use: by requiring registration, fees, etc., many users will simply not bother to use scrambling (and there may be related to spread the idea that anyone using scrambling--or crypto in general--is somehow suspect, must have something to hide, etc. * the key registration ideas discussed so far severely limit use of crypto protocols that _dynamically_ generate lots of public keys. Cryptographic voting, most forms of digital cash, anonymous remailers, and several other exciting uses all tend to generate a lot of keys "on the fly." Are all of these to be registered? How? For how much money per registration? And how long will it take? Weeks? Instead of concentrating on how these kinds of uses, mentioned by many people, effectively make the Denning/Rivest/Micali proposals unworkable, we should look instead at how these proposals may _in fact_ be aimed at limiting the explosive use of crypto for these new applications. A government afraid of digital cash, of anonymous remailing networks, of information markets in technologies, and of lots of other interesting uses, may see key registration as a way to contain this explosion. Even if the private keys kept at the "trusted key authority" were _never_ looked at by court order or otherwise, the key registration act itself would place severe limits on the use of modern cryptographic protocols for novel uses and for wide use by the public. In this sense, the key registration idea may be a silver bullet, or balloon, to head off these uses. A chilling effect (the "liquid nitrogen balloon"?). Any thoughts on this view? -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | PGP Public Key: awaiting Macintosh version.