23 September 1997
Source: Mail list cryptography@c2.net

See related messages on GAK costs: http://jya.com/gak-costs.htm

From: rivest@theory.lcs.mit.edu (Ron Rivest)
Date: Mon, 22 Sep 97 22:50:38 EDT
To: cryptography@c2.net
Subject: Emphasizing a point by Donald Eastlake re key recovery

I'd like to emphasize an excellent point made by Donald Eastlake in a
recent posting (attached below).  Mandatory key recovery can have
devastating effects on any use of public-key cryptography, not just
its use for encryption.  An unintended consequence of mandated key
recovery would be to put the entire framework of digital signatures at
risk.  The reason is that a user's private key (with which he signs
messages) is typically encrypted for safe storage on his computer (or
on a server).  Mandated key recovery could require that every user
turn over to the FBI the password with which he encrypts his private key.

Even if the user does no encryption of email or other data, and only
wants to use cryptography for digital signatures, he should use
encryption for the sole purpose of securing his private digital
signature key on his computer.  The user-supplied password becomes the
key with which he unlocks his signing capability by decrypting his
private signing key.  Thus, encryption provides a secure foundation
for digital signatures.

Presumably, when a user generates his private-key/public-key signature
keys, he would have to submit his password to the FBI before he could
store his private key securely (encrypted with his password) on his

The administration has long argued that it did not intend to impair
the functioning of authentication and digital signature technologies,
as they are apparently ``separable'' from the issue of encryption.
But Eastlake has correctly pointed out that strong encryption normally
provides the foundation for secure authentication and digital
signatures, by protecting the users' private signature keys while in
storage.  The law of unintended consequences may strike with surprising

If mandated key recovery were to become law, digital signatures could
lose any legal standing, as the private signing keys might no longer
be known only to one party (the signer).  Electronic commerce,
dependent on digital signatures, might be stillborn or badly deformed.
Congress, while ``merely'' attempting to keep citizens from holding
secrets the FBI couldn't read, could deprive them of the ability of
producing signatures the FBI couldn't forge.  

Mandated key recovery would not only allow the FBI to search all of
one's electronic records, but would also allow the FBI to forge
signatures on business contracts and other documents, paradoxically
weakening the value of electronically signed documents as

The closer one looks, the worse mandated key recovery looks...

-- Ron Rivest
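
The mechanism described in the message above, as an added example that is not part of the original messages: a signing key is stored encrypted under a password, so any party holding that password can unwrap the key and produce signatures that verify. To stay within the Python standard library it assumes a Lamport one-time hash-based signature and a toy SHA-256 keystream with PBKDF2 and HMAC in place of a production signature scheme and cipher; all function names and inputs are constructed.

```python
import hashlib, hmac, os

def H(b):
    return hashlib.sha256(b).digest()

def lamport_keygen():
    # One-time signature key: 256 pairs of secrets; the public key is their hashes.
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(_bits(msg)), sig))

def _derive(password, salt):
    k = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)
    return k[:32], k[32:]          # encryption key, MAC key

def _xor_stream(key, data):
    # Toy SHA-256 counter-mode keystream, standing in for a real cipher.
    ks = b"".join(H(key + n.to_bytes(8, "big")) for n in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def wrap(sk, password):
    # Store the signing key encrypted (and authenticated) under the password.
    salt = os.urandom(16)
    ek, mk = _derive(password, salt)
    body = salt + _xor_stream(ek, b"".join(a + b for a, b in sk))
    return body + hmac.new(mk, body, "sha256").digest()

def unwrap(blob, password):
    body, tag = blob[:-32], blob[-32:]
    ek, mk = _derive(password, body[:16])
    if not hmac.compare_digest(tag, hmac.new(mk, body, "sha256").digest()):
        raise ValueError("wrong password or modified key file")
    raw = _xor_stream(ek, body[16:])
    return [[raw[i:i + 32], raw[i + 32:i + 64]] for i in range(0, len(raw), 64)]

if __name__ == "__main__":   # constructed inputs; a second holder of the password signs
    sk, pk = lamport_keygen()
    other = unwrap(wrap(sk, b"constructed passphrase"), b"constructed passphrase")
    print(verify(pk, b"constructed contract", sign(other, b"constructed contract")))
```

The verifier sees only the public key and the signature, so a signature made from a recovered copy of the key is indistinguishable from one made by the original signer.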


Date: Mon, 22 Sep 1997 16:59:48 -0400 (EDT)
From: "Donald E. Eastlake 3rd" <dee@cybercash.com>
To: cryptography@c2.net
Subject: FWD: Costs of Mandatory Key Recovery

I sent the following mail earlier today.

Donald E. Eastlake 3rd     +1 978-287-4877(tel)     dee@cybercash.com
   318 Acton Street        +1 978-371-7148(fax)     dee@world.std.com
Carlisle, MA 01741 USA     +1 703-620-4200(main office, Reston, VA)
http://www.cybercash.com           http://www.privacy.org/ipc

---------- Forwarded message ----------
Date: Mon, 22 Sep 1997 14:58:20 -0400 (EDT)
From: Donald E. Eastlake 3rd <dee@cybercash.com>
To: Philipw@CBO.GOV
Cc: Fred Baker <fred@cisco.com>, Don Heath <heath@isoc.org>,
    "Donald E. Eastlake" <dee@cybercash.com>
Subject: Costs of Mandatory Key Recovery

Dear Mr. Webre,

I understand that you are seeking input to help estimate the economic burden
that would be placed on the US economy by the provisions requiring that all
electronic, opto-electronic, and optical communications and data storage in
connection therewith [see USC Title 18, Chapter 119, Section 2510
definitions], within the United States, be, when authorized, instantly
readable by US law enforcement and spy agencies without notice to the parties
communicating as voted recently, along with additional restrictions on
cryptography, by the House Intelligence Committee. 

Below is a brief summary of those costs that immediately occur to me.  These
cover (1) loss of business due to export restrictions, (2) cost of changes to
cryptographic hardware and software communications systems, (3) general
software changes, (4) the prohibition of the transport of secret keys, (5)
costs of induced failure to strongly secure, (6) costs of the prohibition of
certain uses of the National Information Infrastructure, and (7) costs of
criminalizing certain areas of research.  It is my understanding that your
office has produced some initial estimates of cost in the hundreds of
millions of dollars.  This is low by many orders of magnitude and must
indicate that many of the cost areas have been ignored and/or grossly

1) Export - I will not estimate this area as I believe the area of US
computer industry competitiveness and export restrictions is one on which you
have received input already.  But I must point out that this is no remote
threat to the US economy.  It is immediate and close.  Canada, for example,
while imposing US restrictions on the export of items with US content, does
not restrict items of purely Canadian origin.  And, in fact, realizing that
uncompromising strong cryptography will do much more to stop crime than to
facilitate it, is permitting export of the Entrust line of products with 128
bit key unsymmetric crypto and no GGAK (Guaranteed Government Access to Keys)
to most countries.  In fact, two days from now, on the 24th of September, I
plan to attend a seminar Entrust will be giving in Boston, Massachusetts on
its product line, which is part of a series of seminars they are giving all
over the United States. 

2) Cryptographic system changes - The next most obvious change is that every
piece of software and hardware used to secure electronic, opto-electronic, or
optical communications will have to be extensively modified or replaced. 
Every bank network, every credit card swipe box, every secure email program,
every secure remote computer access program, every World Wide Web browser or
server with security features, every secure database access program, and so
on almost ad infinitum. That this could actually be done by the proposed
deadline is very dubious but even assuming the transition to trapdoor
equipped software and hardware occurred over a longer and more reasonable
time, the costs will be staggering.  GGAK (Guaranteed Government Access to
Keys) equipped software and hardware communications products will be
substantially more complex and expensive than those they replace.  It is most
likely that dozens of hardware and software communications product companies
will be driven into bankruptcy by the costs of updating their products or simply
go out of business without trying.  The cost will be in the tens of billions
of dollars. 

3) General Software changes - Changes will be mandated by the proposed law in
much, much more computer software than merely that designed to provide
cryptographically secure communication.  Essentially all full featured word
processing, spread sheet, archiving, and similar software products have some
form of encryption built in.  Even zip, the small but venerable PC data
compression and archiving tool can "password protect" data with encryption.
Every such product, from zip to Microsoft Word to Lotus 1-2-3, will need to
be modified or replaced if there is any chance that its output might be
transmitted in any way, even such routine transmission as remote computer file
backups.  That this could actually be done by the proposed deadline is very
dubious but even assuming the transition to trapdoor equipped software
occurred over a longer and more reasonable time, the costs will be staggering.
It is most likely that dozens of general software companies will be driven
into bankruptcy by the costs of updating their products or simply go out of
business without trying.  The cost will be in the tens of billions of

5) Elimination of private key transmission - It would seem at first glance
that the proposed legislation affects only secrecy and privacy in cyberspace
and would not affect authentication.  Indeed, messages are not constrained by
the proposed law from having authentication attachments such as digital
signatures.  However, the basis of modern authentication is the
public/private key pair where the private key must be known only to the
author.  Any compromise or revelation of the private key destroys the basis
of the authentication.  It follows then, since the proposed legislation's
purpose is to permit easy access to all transmitted information, it
effectively prohibits the electronic transmission of private keys.  There
exist extensively deployed systems, such as the Novell directory system, based
on the Bellovin-Merritt and similar protocols, that permit a central private
key store to be remotely accessed in a safe fashion, given certain integrity
assumptions.  All such systems will be criminalized by the proposed
legislation and no substitute will be legal.  Persons who wish to transport a
cyberspace identity will be able to do so only by physical transport of a
hardware token.  This will be substantially more expensive and complex in
those cases where the existing deployed software solutions are adequate.
Should an organization desire, for whatever reason, to have copies of a
private key in two locations, it would, under the proposed legislation, have
no alternative but to physically courier the information.  No legal means
will exist to transmit it via electronic, electro-optical, or optical means
that does not destroy the authenticating ability of the private key.  The
costs of having to abandon the National Information Infrastructure for these
purposes is difficult to estimate, but could easily approach a billion

6) Costs of failure to strongly secure - The proposed legislation will make
legal cryptographic systems more complex, more expensive, and less secure. 
The increased direct costs are included in items 2 and 3 above; however,
another effect will be that many systems that would otherwise be secured by
the strong and cheap methods that have been criminalized will simply be left
insecure.  Already a more than one billion dollar a year criminal industry in
cellular telephone fraud exists because the US government resisted efforts by
the cellular telephone industry to strongly secure their communications.  In
some areas of the country, law enforcement agencies estimate that as much as
80% of all cellular telephone traffic is illegally monitored, all because the
cellular telephone industry was not permitted to deploy and export strong
encryption.  What other criminal industries will flourish because of the
proposed legislation, especially as more communications is wireless, over the
radio waves, making it easily interceptable by unauthorized eavesdroppers? 
How many secrets of US industry will be lost to foreign competition? Over the
coming decade, this effect will clearly lead to tens of billions of dollars
in losses. 

7) Prohibited uses of the NII - There are a variety of potential uses of the
National Information Infrastructure that are foreclosed by the proposed
legislation.  For example, consider voting via electronic communications. 
The essence of the secret ballot is that it not be possible to determine how
a person actually voted, even if that person wishes to reveal it.  They can
say what they want about how they voted but there must, to avoid the
possibilities of coercion and retribution, be no way to determine how an
individual actually voted.  The proposed legislation prohibits such secrecy
and will foreclose the benefits of inexpensive, convenient secret balloting
via the NII.  Any other form of absolutely privileged information, such as
communications of a sitting judge while acting within their judicial
authority, will be effectively barred from the NII.  And for all practical
purposes, less privileged communications, such as penitent to clergy or
attorney to client communications, will use the NII only at their peril and
such use could be considered malpractice. When any local assistant county
prosecutor can breach the confidentiality of communications based on probable
cause to investigate any crime, say littering, such communications can not be
considered confidential by anyone having a duty to maintain their privacy. 
The cost of all such communications being done only via physical transport
and physical meetings will certainly be in the billions of dollars over the
next decade. 

8) Criminalized research - There are substantial areas of ongoing research
which are criminalized by the proposed legislation.  In particular, quantum
cryptography is a field which makes use of some of the strange properties
of our universe at the quantum level to construct transmission systems which
it is impossible to tap.  That is to say, with quantum cryptography, it would
be impossible for any third party, including law enforcement and spy
agencies, to obtain access to communications using this technology. This may
sound like science fiction except that actual working prototypes have been
constructed and demonstrated under controlled conditions.  The legislation
would criminalize any such system, denying the US the benefits of such
technology domestically and the financial benefits of developing, licensing,
and exporting such technology.  It is difficult to assess this as a dollar
amount but forgoing it is a substantial risk. 

Based on the above it is clear that the long run economic damage to the
United States of America by the restrictions being proposed in this
legislation will be absolutely staggering, measuring over the next decade, at
a minimum, over a hundred billion dollars and possibly several hundred billion

Donald E. Eastlake, 3rd
Principal Systems Engineer
(speaking as an individual and not for CyberCash, Inc., my employer)
Donald E. Eastlake 3rd     +1 978-287-4877(tel)     dee@cybercash.com
   318 Acton Street        +1 978-371-7148(fax)     dee@world.std.com
Carlisle, MA 01741 USA     +1 703-620-4200(main office, Reston, VA)
http://www.cybercash.com           http://www.privacy.org/ipc