[cryptography] Key escrow 2012

Nico Williams nico at cryptonector.com
Mon Mar 26 00:54:13 EDT 2012

On Sun, Mar 25, 2012 at 10:55 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> On 03/25/2012 11:45 AM, Benjamin Kreuter wrote:
>> The US government still wants a

No, probably parts of it: the ones that don't have to think of the big
picture.  The U.S. government is not monolythic.  The NSA has shown a
number of times that they are interested in strong civilian
cryptography for reasons of... national security.  In a battle between
law enforcement and national security the latter has to win.

>> system where encrypted communications can be arbitrarily decrypted,
>> they just dress up the argument and avoid using dirty words like "key
>> escrow."
> Aside from the deep moral and constitutional problems it poses, does anyone
> think the US Govt could have that even from a practical perspective?
> * Some of the largest supercomputers in the world are botnets or are held by
> strategic competitor countries. This precludes the old key shortening trick.
> * The Sony PS3 and HDMI cases show just how hard it can be to keep a master
> key secure sometimes. Master keys could be quite well protected, but from a
> policy perspective it's still a gamble that something won't go wrong which
> compromises everyone's real security (cause a public scandal, expose
> industrial secrets, etc.).

Key escrow == gigantic SPOF.  Even if you split the escrow across
several agencies and don't use a single master key, it's still
concentrating systemic failure potential into too few points.  To
build a single point of catastrophic failure into one's economic
infrastructure is one of the biggest strategic blunders I can imagine
(obviously there's worse, such as simply surrendering when one clearly
has the upper hand, say).  Back in the early 90s this probably wasn't
as clear as it is today.

> * Am I correct in thinking that computing additional trapdoor functions to
> enable USG/TLA/LEA decryption is not free? Mobile devices are becoming the
> primary computing devices for many. People may be willing to pay XX% in
> taxes, but nobody wants to pay a decrease in performance and battery life to
> enable such a misfeature.

Most users already pay heavy battery/performance taxes in the form of
uninstallable adware built into their devices.  The vendors might be
the ones to object then since they might have to stop shipping such
software.  But ultimately this argument depends on how heavy a burden
the users end up feeling.

For my money the winning argument is the strategic idiocy/insanity of
unnecessary SPOFs.  Who wants to ever even think of saying to the
POTUS "Mr. President, we have a mole, they've stolen the codes for our
civilian networks and they've shut them down from the people's shear
fear of financial and other losses. It will take months to re-key
everything and in the meantime we'll lose X% of GDP. The stock and
bond markets have crashed."  As time passes X will tend to increase in
the event of such a catastrophe.  The higher that percentage the more
crippling the attack, with derivatives losses becoming overwhelming at
small values of X.  It could get worse: "Mr. President, we can't even
re-key without changing all these hardware dongles that are
manufactured by the enemy, who's now not selling them to us."

If the point of key escrow is to make law enforcement easier then
there are much simpler non-cryptographic solutions -- not ones to your
taste or mine perhaps, but certainly ones that don't involve strategic

I'm with you: key escrow is necessarily dead letter, at least for the
time being and the foreseeable future.


More information about the cryptography mailing list