My response to NRC crypto study
This is a slightly edited version of what I sent:

Thank you for giving members of the public such as myself the opportunity to discuss our concerns as the NRC studies the National Cryptography Policy. I will make my points using the outline of issues dated September 14, 1994 as a reference.
* the impact of current and possible future restrictions and standards regarding cryptographic technology on
- the availability of such technology to foreign and domestic parties with interests hostile to or competitive with the national security, economic, commercial, and privacy interests of the U.S. government, U.S. industry, and private U.S. citizens;
One traditional method for limiting access by hostile foreign powers to strategically important technology has been the defense-oriented classification system. Important discoveries made by government researchers have been classified at various levels in order to prevent their dissemination. This general approach of secrecy has been applied as well to the SkipJack algorithm used in the Clipper chip. However, this approach has not been completely effective with cryptographic discoveries that are made by private researchers not under the control of the government. Probably the most notable event along these lines was the discovery of public-key encryption technology in the 1970's. The concept of PK encryption, easy to explain and understand even for a technologically knowledgeable layman, spread like wildfire despite some early abortive efforts to suppress it. This discovery has served as the foundation for a wide range of research in cryptography and no doubt is an important reason for the rapid growth of the field over the last twenty years. Today, the electronic networks which circle the globe make communication of new results far easier and more rapid than in the past. And the transparency of national borders on the computer networks means that information, once made available, is available globally. A discovery made today comparable to PK encryption in the 1970's would have been far less likely to be suppressed, and in the future we can expect this tendency to increase. Despite this, the US government is currently wielding clumsy policies which classify all encryption software as munitions and require complicated licensing procedures for their export. There is a terrible mismatch between these policies and the mechanics of information flow today. For one thing, the distinction between distribution within the country and information which flows out of the country is nearly impossible to make today. 
It was always quite unrealistic to suppose that technology which was widely deployed within the US was unavailable across our borders, but the information networks make it clear that this is a fantasy. As the networks increase in speed, power, and ease of use, the ties between countries will only grow. The net will need to be seen as a global phenomenon, and information on the net will no longer be localized; made available to one, it is made available to all. In this environment, the only way to stop information from making its way into foreign hands is by keeping it off the net entirely. And that implies restricting what kinds of technologies American citizens can publicly discuss and what kinds of information they can exchange. If we want to keep cryptographic secrets, we must prevent people from knowing or at least talking about those secrets. This would require Draconian policies more suitable to a totalitarian state than the world's greatest democracy. In short, keeping cryptographic technology secret is incompatible with American principles.
- the competitiveness of U.S. manufacturers of such technology in the international market;
- the competitiveness and performance of commercial U.S. users of such technology;
Another problem with the present US policies restricting exports of cryptographic technologies is their lack of responsiveness to changing conditions. Despite the fact that such basic algorithms as the RSA public-key encryption system or the DES secret-key system are nearly twenty years old, the government still restricts their export. This is ridiculous. Those algorithms are in use all over the world! From whom are we trying to keep them secret? This is really an illustration of the well-known inertia and inflexibility of bureaucracies. The only effect of these bans is to impair the competitiveness of US business. Manufacturers of cryptographic technology are not allowed to export, and users of cryptography are not allowed to use modern technology if the products might go overseas. It would be as if the US were still determined to keep the design of internal combustion engines secret and so US car manufacturers were forced to use steam because the cars might be sent across the border. In the future, as new algorithms are discovered, the same problem will present itself. The rapidity and ease of communications ensures that if the technology is publicly known, it is globally known. Allowing US manufacturers to use a technology but not to export it is pointless; if they know how to use the technology, chances are the rest of the world does as well. Restricting exports can only benefit competitors in other countries at the expense of US businesses. It is pointless and counterproductive.
- U.S. national security and law enforcement interests;
Cryptographic technology has some characteristics which are at odds with the interests of law enforcement and security agencies. In a sense, cryptography is a "purely defensive" technology. It does not threaten anyone, it does not invade anyone's privacy, it does not cause damage or harm. On the contrary, it protects the user from various kinds of threats and invasions of his own privacy. In a way, it levels the playing field, providing the weak with some of the same protections of privacy and secrecy which have been traditionally available only to the strong. The problem is that law enforcement and security interests have gotten used to being strong. It may not have been easy to learn the internal secrets of a powerful opponent, but eavesdropping on a poor country or individual was easy. Indeed, most people have intuitively understood that they would be nearly powerless if threatened in any significant way by law enforcement or national security forces. Now, this may change somewhat. It remains to be seen to what extent these changes will occur, and what their full effects will be. It does appear that if free access continues to be granted to cryptographic technology that people will be more immune to certain types of surveillance. This does not necessarily mean that the world will descend into a nightmare of terrorism and war. It does mean that the agencies whose job it is to keep order will have to adapt, to learn new technologies and new approaches. Naturally, they will resist. Change is never comfortable, and it is all too easy to conjure boogeymen out of the unknown. But before allowing ourselves to be panicked by the thought of untappable phones and unreadable mail, we need to consider the alternatives. Because of the tremendous ease with which information will flow, only extremely severe and harsh measures can keep cryptographic technologies out of the hands of those who want it badly enough. 
This has been recognized from the beginning by the government, as was seen in its flawed Clipper chip proposal. The fundamental inconsistency with Clipper was that a voluntary standard would not be used by criminals, and the restrictions which would be needed to force criminals to use it would be completely at odds with American freedoms. The government's attempt to have it both ways only sowed fear and mistrust. It may sound harsh, but it is true: the only way in which cryptography which can be defeated by law enforcement will come into use is if people are forced to use it. And the problem is that people already have technologies which are too strong for law enforcement to break. It's too late to put the genii back into the bottle. The only choices at this point are between Big-Brother-style restrictions on use of certain simple algorithms, or a world in which privacy, unbreakable privacy, is a fact of life. Consider carefully whether the latter would be so horrible before you accept choices which are at odds with our national traditions of individual freedom.
* the strength of various cryptographic technologies known and anticipated that are relevant for commercial and private purposes;
In my opinion, the current suite of cryptographic technologies is well suited for commercial purposes. The RSA public-key system has withstood nearly twenty years of attacks and new algorithms for factoring numbers (factoring is the problem on which the algorithm is based). At worst it may be desirable to raise key sizes from the 512 to 1024 bit level which are widely used today to perhaps 1024 to 2048 bits, a level which should provide effectively impenetrable security. As computers get faster the larger key sizes can be handled efficiently, while the time to break the algorithm increases at a much faster rate for larger keys. The result is that the passage of time and the increase in computer speeds only helps the user of RSA rather than the attacker.

RSA is typically used in conjunction with a secret-key cypher for efficiency, and here DES has been the choice for a number of years. DES is now showing its age; its 56-bit key size is beginning to be too small to give confidence against an attacker. However, two alternatives are readily available: triple-DES and IDEA. Triple-DES has a key length of 112 or 168 bits, depending on the configuration, and IDEA has a key length of 128 bits. Both of these are large enough that no conceivable attack can be launched based on key size alone. Triple-DES itself has been cryptanalyzed almost as long as DES, and while IDEA is newer its security should be much clearer within the next two or three years. In addition, there are a number of other conventional cyphers being developed all the time. Chances are that one or more of these will be acceptable as well. By the turn of the century there should be at least three or four strong and widely accepted conventional cyphers. In sum, there is no real commercial need for government involvement in the development of new cryptographic technologies.
While new approaches are always welcome, the range of technologies which already exists is adequate for commercial encryption needs well into the next century. Here the best policy for the government is to simply facilitate the use of these well established systems.
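The claim above, that growing computer speed helps the RSA user more than the attacker, can be made concrete. The following is an added illustration, not part of Hal Finney's submission, and it rests on two assumptions stated in the comments: that the user's cost per modular exponentiation grows roughly cubically in the modulus length, and that the attacker's cost follows the general number field sieve heuristic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped. The absolute numbers are therefore only rough; the point is the asymmetry when the key size doubles.

```python
import math
from typing import Tuple

# Assumption 1 (user side): a modular exponentiation with a b-bit modulus costs
# on the order of b^3 bit operations (square-and-multiply over schoolbook
# multiplication). We track log2 of the relative cost.
def user_work_bits(bits: int) -> float:
    """log2 of the relative cost of one RSA private-key operation at `bits` bits."""
    return 3.0 * math.log2(bits)

# Assumption 2 (attacker side): the general number field sieve heuristic
# L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) with c = (64/9)^(1/3),
# ignoring the o(1) term in the exponent. Rough, but the trend is what matters.
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)

def factoring_work_bits(bits: int) -> float:
    """log2 of the heuristic GNFS effort to factor a `bits`-bit modulus."""
    ln_n = bits * math.log(2.0)        # ln of a number of size 2^bits
    ln_ln_n = math.log(ln_n)
    exponent = GNFS_C * ln_n ** (1.0 / 3.0) * ln_ln_n ** (2.0 / 3.0)
    return exponent / math.log(2.0)    # convert natural-log exponent to bits

def doubling_ratios(bits: int) -> Tuple[float, float]:
    """Multipliers on (user cost, attacker cost) when the key grows from `bits` to 2*bits."""
    user = 2.0 ** (user_work_bits(2 * bits) - user_work_bits(bits))
    attacker = 2.0 ** (factoring_work_bits(2 * bits) - factoring_work_bits(bits))
    return user, attacker

if __name__ == "__main__":
    for b in (512, 1024):
        u, a = doubling_ratios(b)
        print(f"{b} -> {2 * b} bits: user pays about {u:.0f}x more, "
              f"factoring costs about {a:.1e}x more")
```

Doubling the modulus costs the legitimate user a constant factor of about eight, while under the GNFS heuristic the factoring effort grows by millions of times from 512 to 1024 bits and by far more again from 1024 to 2048 bits, which is the sense in which time and faster hardware favour the defender.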
* current and anticipated demand for information systems security based on cryptography;
Cryptography is going to be a key technology over the next ten to twenty years. There is far more to this technology than simply maintaining privacy, although certainly in the early years this may be the principal market area. But, more generally, cryptography is a technology of information management. It allows precise control over how information is revealed, packaged, and disseminated. Once recent discoveries by cryptography researchers are commercialized and made available to the public there will be whole new areas of business and commercial interest that are barely imagined today.

Starting with the nearer term, cryptography will be used initially primarily for privacy and authentication. As commerce moves onto the nets, so too will the need for confidentiality. The insecure nature of many existing networks will be addressed by layering cryptographic protocols on top of the existing foundation. And new networks may be developed with cryptographic security built in from the beginning. An important point will be to make the security trustable and transparent. Trustable means that the end user does not have to trust some third party not to betray his secrets. In an increasingly competitive world where government and corporate espionage are beginning to merge, a system which tells its users to "trust me" is not going to be competitive with one which allows users to determine for themselves that their communications are secure. This suggests that end-to-end encryption, where the message is in the clear nowhere on the network, will be the preferred mode. And at the same time, the encryption will be transparent, built into the software used for access to the network, with user-friendly controls and indicators for the encryption status (and hence reliability) of each piece of information displayed. We see the prototypes for these concepts already with the security extensions to the World Wide Web and its associated software program, Mosaic.
Similar concepts are being designed into personal computers as well. Looking out a bit farther, the next big market for cryptography technology will be electronic payment systems. The potential speed and flexibility of electronic commerce requires an equally fast and flexible means of electronic payment. There are many cryptographic technologies which are suitable, including the electronic equivalent of bank drafts, checks, cashier's checks, and, perhaps most controversial, digital cash. It is worth discussing digital cash in a little more detail. It may well be that this technology will produce the next Clipper controversy. The situation is that digital cash provides for a means of payment which is the electronic equivalent of cash. It is private and anonymous. In an era when databases of consumer preferences and buying habits may be one of the major threats to privacy, digital cash will provide protection by allowing transactions to occur anonymously. If there is no record of who participated in the transaction, there is no privacy threat from databases of such records. In a sense, this is nothing new, no more threatening than paying a dollar for bread at the corner grocery store. But law enforcement efforts which rely on tracking the flow of funds may be hindered by the widespread use of digital cash. This could have implications for money laundering, income and sales tax collection, and other types of financial regulations. As with the prospect of encrypted communications, the response by law enforcement is likely to be an attempt to block this technology from coming into widespread use. And once again the choice will be between restrictions on what kinds of algorithms people can run on their computers, and allowing people some privacy in their financial affairs. 
Other cryptographic technologies which are waiting in the wings include "zero knowledge" proof systems, which allow new forms of authentication, and which make it possible to prove possession of certain information without revealing the information itself; secret sharing systems which allow for true "escrow" of information (unlike the misnamed government "key escrow" which keeps secrets contrary to the interests of the user, rather than on his behalf) with very flexible controls on who can access the information; pseudonym-based credentialing systems which will allow people to prevent linkage of information about them in different databases while allowing them to control which information will be revealed; secret-exchange systems which make it possible for two people to simultaneously exchange secret information in such a way that neither can cheat; many forms of digital signatures, some of which are verifiable only with the cooperation of the signer, but in such a way that he can't cheat; and a variety of others. These technologies will permit wholly new and unforeseeable approaches to managing and controlling information, and will undoubtedly serve as the basis for new companies and even new industries. But these possibilities can only come about if people are allowed to use them. Any approach which requires law enforcement review of every new encryption technology is going to hamstring American companies which want to innovate and compete in the world. The tremendous growth and success of the US software business comes from the free-wheeling competition and innovation which have characterized it. Inserting law enforcement restrictions into the picture can only harm American competitiveness, as we see already in the cryptographic privacy area. 
As we move into the next century, information itself is going to be a key commodity, and the monkey wrench thrown into the industrial machine by law enforcement restrictions on cryptographic and information technologies is going to have widespread impact. This is not something we can afford in an increasingly competitive world.
* the impact of foreign restrictions on the use of, importation of, and the market for cryptographic technology;
Narrowly speaking, the interests of the United States are best served if our foreign competitors are faced with as many disadvantages as possible. On this view, foreign restrictions on cryptographic technology should be welcomed, as they will only harm foreign companies and make it harder for them to compete with the US. In the broader sense, though, the world market is all interconnected. Inefficiencies and restrictions in one part inevitably harm the smooth operations of other parts. It is no longer easy or even possible in many cases to distinguish activities which are foreign from those which are domestic. Regulations which apply to a company's activities in one country inevitably influence its activities in others. In this sense, foreign restrictions on cryptographic technologies will end up being harmful to US companies and individuals. In the long run, then, it will be best for the US to work to reduce foreign restrictions on the use of cryptography. The prospects of success are excellent since those countries will be feeling their own domestic pressures from companies which are being harmed by those restrictions. And in an international world a country which stubbornly maintains obsolete and inefficient restrictions on internal business activities may simply find itself bypassed, as commerce flows to more hospitable jurisdictions. The great danger, and the one to be most carefully avoided, is the establishment of an international cabal of law enforcement agencies, all calling for uniform restrictions on encryption applied (as they would have to be) in all countries on the globe. This would represent a pre-emptive strike against individual privacy, the formation of a de facto cartel in which governments around the world band together contrary to the interests of their citizens. It need hardly be pointed out how opposed this is to our American principles and traditions.
Furthermore, such an approach is inherently fragile and unstable, as every country has incentives to advance its own interests by releasing the shackles which bind its industry.
* the extent to which current cryptography policy is adequate for protecting U.S. interests in privacy, public safety, national security, and economic competitiveness;
US cryptography policy has clearly gotten off on the wrong foot. With the disastrous Clipper chip proposal, the government has simultaneously alarmed privacy advocates and demoralized law enforcement. Today, the policy is in a shambles, with indications that the government is withdrawing support for Clipper and searching for other alternatives. The fact is that current cryptographic technology is perfectly adequate for privacy protection. There is no need for government efforts to introduce new cryptographic systems. To the extent that Clipper was presented as a new, improved cryptographic algorithm, it is simply unnecessary. Of course, the stated purpose of Clipper was not to improve privacy, but quite the reverse. Again, as far as meeting the goals of privacy protection, the government need only step aside. Similar considerations hold for economic competitiveness. Here the export restrictions on public-domain cryptographic technology are a ludicrous holdover from the past and serve only to hobble American companies. The single best step the government could take today would be to remove RSA, DES, IDEA, and other international cryptographic standard algorithms from the list of export controlled technology. As for the national interest in public safety and security, cryptography is simply not the threat that it is often painted by law enforcement and security interests. With only a few hundred authorized wiretaps a year on a population of over 200 million people, it is clear that the impact of secure communications will be only marginal. Traditional methods of law enforcement including physical surveillance, infiltration, informants, and similar approaches have been the foundation of crime prevention in the past and undoubtedly will be in the future. Furthermore, attempts to put the cat back in the bag are doomed to failure. 
There are already widespread programs for cryptographic privacy, and new ones are being written (often by amateurs, so widespread and simple is the technology) all the time. The kinds of regulations which would be required to prevent people from communicating privately would have to be severe and onerous. It was the recognition of this fact which forced the government to back down from early hints that Clipper might not be a voluntary program. Citizens of the United States simply will not tolerate the kinds of government controls that would be necessary in order to return to the days of free wiretapping.
* strengths and weaknesses of current key escrow implementation schemes;
So-called "key escrow", as pointed out by cryptographer Carl Ellison, is misnamed. What these systems really provide is Government Access to Keys, or GAK. That is the real purpose of these key escrow systems. All the discussion about escrow and restrictions on access is window dressing to obscure the fundamental issue and to make it seem more palatable. A true escrow system would be one which held certain information on behalf of the client. An escrow agency has well-defined obligations to the client and to other interested parties. For example, in a sale of real property, an escrow agent may hold the cash for the buyer and pass it to the seller when title has transferred.

There are actually many legitimate purposes for escrow in the context of information. One example would be the purchase of some data package over a computer network (say, a music video in electronic form). An escrow agency could assist with the mutual exchange of payment (perhaps in the form of digital cash) and the information package in such a way that both parties are protected against cheating. In this sense, a true "key escrow" agency might be one with which a user could deposit his secret key with assurance that it would be held safely for him. Then if something happened in the future which caused him to lose his key, the escrow agency could follow through with its contractual obligation and return the key to the user. Or, again with appropriate authorization, in the event of the user's death or other circumstances, the agency could reveal the key to the heir or agent of the original user. The key point here is that the escrow agency is providing a service to the user; the user's interaction with the agency is voluntary. This kind of key escrow, if offered by the government, would not be particularly objectionable (although there is no particular reason why this escrow should be a government, as opposed to private, function).
Just as the government indirectly backs the banks and provides security to the depositors, so a government key escrow agency could provide secure storage of keys (and perhaps other information). If only this is what the government meant by key escrow!

Actually, of course, the real purpose of key escrow is to allow the government to defeat encryption if necessary. Most of the variations on the existing schemes involve what mechanisms are used to ensure that the keys are only revealed under specified conditions. The Clipper chip proposal has been widely discussed elsewhere. The difficulty of ensuring that copies of the keys are not made during the programming process has been pointed out, as well as the problem that knowing the family key (or having access to a family key based decryption unit) allows traffic analysis without needing access to the escrowed database. The possibility of rogue units interoperating with Clipper chips as discovered by Matt Blaze provides a further technical flaw in this proposal.

A more recent proposal is also worth discussing. So-called "software key escrow" (SKE) provides similar functionality to the Clipper chip, but in software. A "law enforcement access field" (LEAF) is included in each message by compliant software as with Clipper. The main new feature is that the software on the receiving end can check that the LEAF is valid without knowing the family key. This prevents rogue software from interoperating with compliant software. Although interesting, this proposal is unlikely to achieve its goals without the kinds of harsh restrictions discussed above. The design goal of making it impossible for rogue software to communicate with compliant software is really not relevant as that does not solve law enforcement's problems. It would be an easy matter to create a rogue program which communicated compliantly with compliant software and non-compliantly with rogue software.
This allows the hypothetical criminal to communicate with his cohorts privately while communicating freely with everyone else. Again, the only way this system or any similar key escrow system can succeed is if people are forbidden to use anything else.
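The "true escrow" described in this section, and the secret-sharing systems mentioned earlier under anticipated demand, can be shown in working code. What follows is an added example and not part of the original submission: a textbook Shamir threshold scheme over a prime field, in which the user splits a key into n shares and hands each to an independent escrow agent of the user's choosing. Any t agents can reconstruct the key under the user's contract (loss of the key, death, incapacity), while any t-1 shares are statistically independent of the key, so no single agent, and no coalition smaller than the threshold, holds anything useful. The field prime, the share-count and threshold, and the sample key are all constructed here for illustration.

```python
import secrets
from typing import List, Tuple

# Field modulus: the Mersenne prime 2^127 - 1, large enough to hold a
# 126-bit secret directly. (Assumption for this example; any prime larger
# than the secret would do.)
PRIME = (1 << 127) - 1

Share = Tuple[int, int]  # (x, f(x)) with x = 1..n identifying the escrow agent


def split_secret(secret: int, n: int, t: int) -> List[Share]:
    """Split `secret` into n shares so that any t of them recover it.

    A random polynomial f of degree t-1 is chosen with f(0) = secret; agent i
    receives the point (i, f(i)). Fewer than t points leave f(0) undetermined.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 <= t <= n:
        raise ValueError("threshold must satisfy 1 <= t <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate the shares at x = 0 to obtain f(0).

    With at least t distinct shares this is exactly the secret; with fewer it
    is a value unrelated to the secret (the point of the scheme).
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME        # product of (0 - x_j)
                den = den * (xi - xj) % PRIME    # product of (x_i - x_j)
        lagrange_at_zero = num * pow(den, PRIME - 2, PRIME) % PRIME  # Fermat inverse
        total = (total + yi * lagrange_at_zero) % PRIME
    return total


def escrow_demo(n: int = 5, t: int = 3) -> Tuple[bool, bool, bool]:
    """Constructed scenario: a fresh 126-bit key is escrowed with n agents, threshold t.

    Returns (recovered_with_t, recovered_with_other_t, recovered_with_t_minus_1).
    """
    key = secrets.randbits(126)                 # constructed sample key
    shares = split_secret(key, n, t)
    with_t = recover_secret(shares[:t]) == key          # agents 1..t cooperate
    with_other_t = recover_secret(shares[n - t:]) == key  # a different t agents
    with_fewer = recover_secret(shares[:t - 1]) == key   # below threshold: fails
    return with_t, with_other_t, with_fewer


if __name__ == "__main__":
    print(escrow_demo())   # expected: (True, True, False)
```

The contrast with Clipper-style schemes is in who picks the agents and the threshold: here the user does, the agents hold nothing recoverable on their own, and reconstruction happens only when the user's own conditions are met.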
* how technology now and in the future can affect the feasible policy options for balancing the national security and law enforcement interests of government and the privacy and commercial interests of U.S. industry and private U.S. citizens;
To the extent that this debate is expressed as a conflict between government and citizens, it is already clear what has gone wrong. There should not be a conflict between government and its citizenry, not in a democracy. The citizens rule the government in the American system, not the other way around. What has happened here is that certain agencies within the government seem to have forgotten this fundamental fact. They see the people of the United States as, if not their enemies, then at least their potential enemies. Law enforcement and national security agencies have become so accustomed to wielding immense power that they cannot tolerate the thought of giving up some of it. Thus we have their desperate attempt to turn back the clock, to freeze technology at a 1970's level, to prevent people from using the cryptographic tools which are becoming more widespread every day. There is no need to balance the interests of the US government and private citizens. The only interests which are relevant are those of the citizens. What needs to be balanced are those citizens' interests in public safety and their desire for privacy and freedom. This conflict is nothing new. It has always been true that there is a tradeoff between security and freedom. Different countries all around the world have chosen to balance this tradeoff at different points. At one extreme we have totalitarian states where security is everything and individual freedom is nearly gone. The example of Singapore is widely used today as a place where the citizens have, largely voluntarily, given up a great deal of individual privacy and freedom in exchange for a tightly regulated, but peaceful, society. We in the US have traditionally chosen a different, and historically superior, approach. Our national traditions emphasize the importance of the individual. 
All through American history the lessons we have learned have taught us to respect individual freedoms at the expense of government regulations and controls. This has been one of the fundamental principles which has led to our tremendous success. In the context of the encryption debate, then, the default position should and must be one of individual freedom. We already allow individuals to use any encryption technology they desire. Any proposal to move from this principle, a principle which is firmly in accord with American traditions, should be viewed with the utmost caution. And, as the above discussion has emphasized, there is really no legitimate policy position which moves us only slightly in the direction of greater control. The choice is not between privacy and a little bit of regulation. It is between privacy and very invasive, very intrusive restrictions. The nature of cryptographic technology is such that it is so easy to use that only an intensive effort can prevent its use, or force the use of a government-approved alternative. The policy decision is really between one which maintains American traditions of freedom and one which takes a drastic step towards government control. In the future, this situation will only become worse from the point of view of those opposed to communications privacy. As more countries become computerized, as the global networks spread further, as more people learn how easy it is to ensure their own privacy, it will be all the harder to keep people's communications under government-approved systems. Technology sounds the death knell for traditional ways of approaching the law enforcement and national security business. The longer governments are allowed to ignore that fact the more likely it will be that the totalitarian solution will be imposed.
* recommendations for the process through which national security, law enforcement, commercial, and privacy interests are balanced in the formulation of national cryptography policy.
The traditional way to balance the competing interests would be to put national security and law enforcement people, business people, and a few "privacy advocates" on a committee, then let them make recommendations to the Executive or Legislative branches of government. Although this may be appropriate for the initial evaluation of the situation, it has serious problems. It puts far too much weight on the specific interests of security and law enforcement. Although these are legitimate duties of government, they are not its only duties, and they certainly do not override the traditional American emphasis on individual liberty. In the next century, the primary economic fact will be international competition. In a global world, there is no longer any place for pointless government regulations which will interfere with the success of domestic business or cause commerce and capital to flee to other countries. Attempting to mollify outdated law enforcement concerns by restricting the use of encryption technologies will only hurt American citizens. The fact is that, given these economic realities, the only policy decision which makes sense is one which encourages, rather than restricts, the use of encryption. Government should relax export controls, retire its key escrow proposals, reveal the SkipJack algorithm used in Clipper, and turn its researchers to the task of helping American competitiveness rather than thinking up new ways of hindering US businesses. The only "process" that is needed is the political courage to overcome the objections of law enforcement and force them to concentrate on the job at hand, stopping criminals, rather than working on new ways to block encryption technology. It doesn't have to be done right away. It will take years for encryption to work its way into the economy. We probably won't see widespread encryption of telephone and other electronic communications for five or even ten years. 
This time must be used productively by law enforcement to design new strategies to meet the challenges ahead. If the government wastes time on an ultimately doomed campaign to try to freeze technology and restrict encryption then we will all ultimately be the losers.

Thank you again for your attention.

Hal Finney
email: hfinney@shell.portal.com