Ronald L. Rivest Associate Director, MIT Laboratory for Computer Science Cambridge, MA 02139 (617)253-5800; fax (617)258-9738 rivest@theory.lcs.mit.edu http://theory.lcs.mit.edu/~rivest June 10, 1997 Senators of the Senate Judiciary Committee I am writing you regarding issues of cryptographic policy that face you, and face the nation. I am very concerned that regulations and legislation may be adopted that would prove harmful to law and order, crippling to our software industry, and embarassing to the government. Such regulations and legislation would require support of cryptographic ``key recovery.'' Today, most information is digital, stored in computers and transmitted over networks. Diaries, love-letters, medical and financial records, business plans, movies, political speeches, and textbooks are all represented and communicated as sequences of ones and zeros. Our national memory is now captured, saved, and replayed in digital form. In its pure form, digital information is anonymous--you can't tell who created a given one or a given zero. A digital prescription may have been created by your physician, or by a high-school hacker. A digitized world requires authentication: a way of telling who authored what. Similarly, digital information is normally transmitted semi-publicly on a radio or on a computer network. Anyone with an appropriate receiver or network connection can ``listen in'' to what is being sent. (With a little more work, an eavesdropper can even modify the information being transmitted.) The digital world is largely a public world, unless special steps are taken to make information private. The two most important needs of the digital world are thus authentication and privacy (or confidentiality). These needs are of exceptional importance for the security of this nation. Our economy requires the authenticity of financial transactions. The competitiveness of our industries requires the confidentiality of their planning, operational, and technological information. We lose billions every year through fraudulent financial transactions and corporate espionage. Law and order requires achieving authenticity and confidentiality of our digitized information infrastructure. Fortunately, there are reliable ways to achieve privacy and authentication. The essential tool is cryptography---the science of communicating securely in the presence of adversaries who wish to overhear or modify your digital communications. Cryptography enables two parties to ensure that an adversary can not understand a transmitted message (because it is encrypted) and that an adversary can not modify a transmitted message without being detected (because it is ``digitally signed''). Cryptography uses sophisticated mathematics to provide unbreakable encryption and unforgeable digital signatures. Cryptography is a relatively new technology, outside of military applications. In the public domain, serious study of cryptography really began in the 60's, but didn't blossom until the 70's and 80's. Necessity is the mother of invention, and computer networks are the mother of modern cryptography. Computer networks need cryptography to link their far-flung parts together just as a high-rise building needs welds and rivets to hold the girders together. Without cryptography, computers don't know which other computers they are talking with, and don't know if their information is securely kept within a given domain of trusted computers. Without rivets, a high-rise building is a pile of girders, none supporting each other, with all of the building contents spilled on the ground. In most engineering sciences, the way parts are connect and interact is most important. With computer networks, either the parts connect and interact using cryptography, or they are vulnerable to fraud and unwanted disclosure of information. Cryptography is the ``connection science'' of computer networks. Used well, cryptography enables us to build the information infrastructure of the twenty-first century: secure and strong enough to support our information-based national economy. Used poorly, we invite hackers and enemies to disrupt our networks and steal from us. Law and order requires a strong national capability in cryptography, well-executed, to protect our information infrastructure. Most technologies are usable by the ``bad guys'' as well as by the ``good guys.'' The automobile becomes a get-away car. The radio and telephone enable long-distance communications between a crook and his boss. The computer is used to run a numbers game. Airplanes carry drugs. Most technologies are egalitarian--they help everyone, good or bad, to be more effective or more efficient. Of course, there are numerous examples of forensice and surveillance technologies developed specifically for law-enforcement: DNA, fiber, handwriting and fingerprint analysis, bugging and wiretapping, polygraphs, video surveillance, radar speed detectors, chemical trace detectors, intrusion and motion detectors, and so on. Because of these specific advances, one can reasonably conclude that technological advances have, overall, helped law enforcement immensely. It is curious that the technology of cryptography has come to be such a controversial one in terms of societal policy. The issue arises because cryptography allows individuals, good or bad, to keep their communications confidential. Of course, the issue isn't really whether individuals can have private conversations. Of course they can. You and I can always meet privately on the beach or elsewhere to talk. I believe that a democratic society should guarantee the right of any two individuals to have a private conversation, unless one or both of them is in jail. (This is an important belief to me, although not central to the development here.) The problem arises from the fact that more and more of our communications are now carried on electronically. When I was young, a phone call was a rare event, and TV a novelty. Today, the bulk of my communications are electronic---I use the phone, TV, and email heavily for routine communications. I talk to my wife almost as much on the phone as I do to her in person (we talk a lot on the phone). I frequently send email to my secretary to ask her to do something. I watch the news on TV. Because it conquers distance easily, electronic communication replaces talking face-to-face. But electronic communication, like any network communication, engenders needs for privacy and authentication. I want to know that no one is listening in to my conversaation with my wife. My secretary wants to know that the request to mail out my draft paper is really from me. We have been working with a deeply flawed communications network for most of the century. The network does not provide the privacy and authentication that it should. It replaces private face-to-face communication with reproduced voice and email that is not guaranteed to be private and is not guaranteed to be authentic. Cellular phones have long been known to broadcast lover's sighs and credit-card numbers to all who cared to listen. A computer receiving a phone call has little idea who is calling, until the caller identifies himself with a name and password. The network gets the information from one point to another, but privacy and authentication have been lost in the transition from face-to-face to electronics. Law enforcement has upon occasion exploited these flawed communications networks. Wiretapping exploits the lack of privacy. Bad guys (and good guys) often use the computer and phone networks as if they had properties of privacy and authentication that they don't. A wiretap can pick up a inadvertent fact or admission. We are in the process of fixing these flawed networks, because it is in our national interest to do so. Cryptography is the essential tool that can provide the privacy and authentication required. The ``fix'' may take the form of new phones embodying cryptography, or of a computer program that enables secure computer-to-computer connections. Engineers everywhere are adding cryptography to their network and product designs. Devices that process digital information now use cryptography routinely. Products that don't use cryptography are ``cracked'' and cause their users and manufacturers huge problems. Electronic commerce, electronic voting, the privacy of medical records, pay-per-view entertainment, protection of intellectual property, maintaining the stability of the financial system, and controlling access to information and property all require cryptography. Cryptography is becoming as ubiquitous and pervasive as electronic communications, because electronic communications require cryptography to function properly and securely. The average household may soon (if not already) contain dozens of devices that deal with digitized information, all of which use cryptography. You will have pay-TV decoder boxes, smart-cards in your wallet, electricity meters that can be read remotely, computers that allow you browse the web, purchase items with your credit card, or read your email, electronic door locks that communicate with an electronic key, postage meters that print digitized postage stamps, phones that provide secure communications, and medical records encrypted in your electronic wallet. Everywhere there is information, there cryptography will be. Good cryptography is the friend of law enforcement, because it prevents crime. Cryptography allows the flow of information to be managed and checked. Information only goes where it is supposed to go, and bad or fraudulent information is detected and discarded. Information theft and fraud based on unauthorized information manipulation are stopped in their tracks by cryptography. It is in our national interest to see that cryptography is vigorously developed and utilized by the private sector. Our economy is becoming increasingly based on information and information management, and cryptography is the most important and effective tool for controlling and authenticating the flow of information. Economic and political adversaries, malcontents and insiders can exploit poorly protected information systems. Airline control systems, power grids, financial institutions, and high-tech industries are either well-protected cryptographically, or they are vulnerable targets waiting to be attacked. Cryptography is a defensive technology. It protects against an adversary exploiting a lack of privacy or a lack of authentication. It is the lightning rod, the flame-proof material, the door-way peep-hole of communications. It protects the user from harm. It is the ``communications condom'' protecting one from ``unsafe communications.'' It prevents damage to the integrity or privacy of an information system. It does not do damage itself. Given the overwhelming need for such a excellent defensive technology in today's world, why should anyone attempt to restrict or limit its use? The answer is obvious: if the ``bad guys'' can use this defensive technology as well, then the ``good guys'' won't be able to tap and exploit their communications. As noted earlier, technology often smiles on the evil as well as on the good. Unfortunately, this is as true of cryptography as it is of the automobile. The bad guys can protect their secrets with cryptography, and smuggle their drugs in an automobile. When should technology be regulated? I think there are two conditions that need to be satisfied: (a) it should first of all be possible to do so, and (b) the benefit of regulation should exceed the costs and disadvantages of doing so. I feel that cryptography fails both of these criteria. It is not possible to effectively regulate cryptography. Trying to do so is trying to command the sea to retreat. As noted above, information systems require cryptography for effective and secure operation. It is not possible to prohibit cryptography without crippling our information infrastructure. It is not possible to require ``weak cryptography'' without leaving the whole structure vulnerable to collapse. And it is not possible to provide ``key recovery'' without running enormous risks, as noted in my recent report (co-authored). Putting key recovery into cryptography is like soaking your flame-retardant materials in gasoline---you risk a catastrophic failure of the exact sort you were trying to prevent. The ability of organized crime to corrupt just a few officials or judges could be the spark that ignites it, with the security of our national information infrastructure disappearing in the flames of keys ``recovered'' by organized crime. Moreover, cryptography is impossible to regulate because it is trivial to reproduce. Many cryptographic techniques can be described with a computer program that is shorter than the preceding paragraph. Trying to prevent the spread of a cryptographic technique is as hard as trying to prevent the spread of a good piece of juicy gossip. A short telephone call can transmit a cryptographic program from one state or country to another. While one could coerce some major manufacturers into producing products that are cryptographically weakened to include key-recovery, alternative cryptographic techniques are easily available from overseas world-wide-web sites. I don't believe that one should pass laws or issue regulations that are laughably naive about the likelihood that they are capable of enforcement or being effective in the desired aims. Second, I believe that disadvantages of regulating cryptography far exceed the aimed-for advantages. It is regrettable that some ``bad guys'' will use cryptography to conceal their activities. It is regrettable that duct tape is used by criminals too. But I already have more cryptographic devices in my house than I have rolls of duct tape, and the benefits of duct tape are accepted without undue regard for the fact that criminals might find it useful. I believe that one should properly regard cryptography as a kind of ``duct tape'' for the information infrastructure of the country. Like duct tape, cryptography is cheap, essential, and easily reproduced. Everyone needs it. Some crooks may use it to help them commit crimes. We'll catch them and convict them using the many newly developed forensic and surveillance technologies. Trying to regulate the ``duct tape'' is foolish and a waste of taxpayer's money.