28 September 1997
Source: Mail list cryptography@c2.net

To: cryptography@c2.net
From: rivest@theory.lcs.mit.edu (Ron Rivest)
Date: Sat, 27 Sep 97 21:40:45 EDT
Subject: Michael Frese notes a serious flaw in proposed legislation

Michael Frese makes the interesting point (below) that proposed crypto
legislation mandating plaintext recoverability should, logically,
apply to ALL encryption, **including encryption whose purpose is just
to implement key recovery itself**.  There is nothing in the proposed
legislation that would make an exception for such encryption.

For example, if my software encryption encrypts message M with
symmetric key K, and then appends a trailer that contains K encrypted
with the public key of Citibank (my chosen key recovery agent), then
doesn't the trailer itself need to have some plaintext recovery
feature implemented for it?  If not, then why can't I be sending along
some secret stuff to Citibank with each trailer (i.e. in addition to
the key)?

Similarly, if I append two trailers which contain K1 and K2 encrypted 
respectively with the secret keys of Citibank and ACLU (my two chosen
key recovery agents), where the message key K = K1 xor K2 (so that I
am using a simple form of ``secret sharing''), then should the FBI
have ``immediate access'' somehow to the plaintext of the two trailers
(i.e. to K1 and K2)?  I note that in this case, K1 may be chosen
totally arbitrarily, and then K2 determined as K xor K1, so that I really
can send arbitrary messages to Citibank in the trailer.  

I think this nice example shows how poorly thought through the proposed
legislation is...

	Ron Rivest
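The two-trailer construction above, as an added example that is not part of the original mail: a two-party XOR secret sharing of the message key K where the first share is chosen freely (here, as a constructed sample, Frese's 32-character sentence from later in this thread) and the second share is forced to K xor K1. Both shares together still recover K, so a recovery agent cannot tell a "pure" key share from arbitrary content. The public-key encryption of each trailer to its agent is omitted; only the share arithmetic is shown.

```python
import secrets
from typing import Optional, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; both inputs must be the same length."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(k: bytes, share1: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Two-party XOR secret sharing: K = K1 xor K2.

    K1 may be ANY byte string of the right length (Rivest's point);
    once K1 is fixed, K2 is forced to K xor K1, so a sender can put
    arbitrary content in the first trailer without breaking recovery.
    """
    if share1 is None:
        share1 = secrets.token_bytes(len(k))  # honest use: random share
    share2 = xor_bytes(k, share1)
    return share1, share2


def recover_key(share1: bytes, share2: bytes) -> bytes:
    """What the two recovery agents compute together."""
    return xor_bytes(share1, share2)


# Constructed sample share: 32 ASCII characters, i.e. exactly 256 bits,
# the same sentence Frese uses in his message.
SENTENCE = b"One, if by land; two, if by sea."


def demo() -> Tuple[bool, bool]:
    """Return (agents recover K, trailer 1 plaintext is the sentence)."""
    k = secrets.token_bytes(32)  # random 256-bit message key
    k1, k2 = split_key(k, share1=SENTENCE)
    recovered = recover_key(k1, k2)
    return recovered == k, k1 == SENTENCE


if __name__ == "__main__":
    ok_recover, ok_covert = demo()
    print("agents recover K:", ok_recover)
    print("trailer 1 carries the sentence, not a random key:", ok_covert)
```

Any single share is uniformly random to an observer who does not hold the other, which is exactly why an agent holding only its own trailer has no way to check that what it received is "just a key".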

Return-Path: <MFrese@aol.com>
Date: Sat, 27 Sep 1997 14:00:19 -0400 (EDT)
From: MFrese@aol.com
To: dee@cybercash.com (donalde.eastlake3rd)
Cc: rah@shipwright.com (roberthettinga), rivest@theory.lcs.mit.edu (ronrivest)
Subject: Re: Access to Plaintext: An Obvious Consequence

Dear Sir,

I apologize for the rather flippant tone of the message that
Bob forwarded on to you, but I think you will recognize in it
the banter of one brother to another.  I hope that the following
explanation will help.

On Mon, 8 Sep 1997 Declan McCullagh's forward
"Stewart Baker's analysis of administration crypto-proposal"
to fight-censorship-announce@vorlon.mit.edu, included the
following comparison of McCain-Kerrey to a "leaked
Administration legislative draft on encryption": 

> --  gone is the section (102) that would prohibit mandatory
> third party escrow of keys.  In its place is a new section (105)
> that would prohibit, after January 1, 1999, the provision of encryption
> services in the U.S., or the manufacture for sale or distribution in
> the U.S. of encryption products/systems, that do not have a
> plaintext recovery feature that may be turned on at the option of the user.
> --  gone is the exclusive emphasis on key recovery as the
> technology for assuring plaintext recovery.  Instead, this
> legislation would require products and systems that permit
> immediate decryption without the knowledge or cooperation of the user.  

Motivated by this, I wrote Bob

> If no encryption product can be sold that can't decrypt everything
> it encrypts, then no public-key cryptosystems can come to market.  
> This effectively eliminates the entire range of encryption products 
> of interest to you.
> Surely, this is clear?

and agreed when he suggested that he forward it to a mailing list.

Apparently, it was not clear.  I will endeavor to make it so.

The key phrase is:

> ...this legislation would require products and systems that permit
> immediate decryption without the knowledge or cooperation of the
> user.

If this language ever makes it into law, its meaning will be determined
in the courts, by judges and juries.  We have to understand
it as they will, not as the cryptographic community does.  And we
must expect that this language was written by administration lawyers,
with the advice of cryptographic experts and prosecutors.  

It seems to me that there are two immediate questions:

1. What does it mean that the product must "permit immediate

2. What messages must it provide this for?

I am certain that the meaning of "permit immediate decryption" will
be clear to the legal system, once the prosecutor explains it.  It will
be quite difficult to find a judge or jury that won't believe that this
means it must decrypt the message it just encrypted.

No problem, you say.  I'll just run my message through the symmetric
encryption scheme again.

But what about the other message?  You sent the session key to the
recipient of your intended message.  You claim that was not a
message, only a key, but "One, if by land; two, if by sea." is
exactly 256 bits.

Again, it will be difficult to find a judge or jury that won't believe that
the symmetric key was a message.

Of course, if the court insists that you decrypt that message for them
using your system you will be unable to do that without the cooperation
of the intended recipient.

This argument is further strengthened by other language in the draft
legislation: the requirement that any system must provide access
to plaintext without your knowledge or cooperation.

I believe that all of the language of this proposed legislation is intended
to make the use or provision of public-key cryptosystems illegal,
possibly by an after-passage judicial extension.  Without a public-key
cryptographic infrastructure, everything you want to do evaporates,
including authentication, and all the beneficial systems that depend
on it.

That, I believe is precisely the goal of the prosecutors and cryptographic
experts who formulated the draft legislation.


Michael H. Frese