Backdooring Encryption
If you want to keep a secret, you must also hide it from yourself
-- George Orwell, 1984
It's getting a bit long in the tooth... every time there's new "debate" about governments wanting "secure" backdoors into ciphers, the same one-sided arguments come out to play - we repeatedly hear that it's the cryptowonks' fault that we don't have the perfect surveillance state that they're asking for.
Today's newest entry into the ring is by Alan Rozenshtein. I was hoping to find new arguments, but unfortunately it reads like a Flat Earther debating the circumference of the Earth's disc. There are no new arguments, but instead just another thinly-veiled appeal to the research community to "nerd harder".
The first bit goes into great lengths to debate what the word "secure" means, which is fine given that this is what lawyers are good at. However, instead of defining the term, he goes off on a tangent to discuss costs to society... but:
This line of argument—that “secure” is neither all-or-nothing nor excludes broader social costs—has been the standard critique of the position that “everyone knows that third-party access is impossible.
This question includes considerations that fall outside the expertise of the information-security community
Of course it's outside scope - mathematics is apolitical!
When cryptographers talk about the security of a cipher, they're talking about a very precise definition:
A secure cipher is one where only the person holding the key can read the data
Given this above definition, what the government (the US in this case) is actually asking for is that they would like to have a copy of the keys to every single bit owned by everyone currently within their borders.
Currently, Wikipedia says that there are about 2.79 Million civil servants within the US. That's a huge number of people with potential access to Pandoras Box!! And as we now know from the Snowden's revelations, this access will most certaintly be abused.
Let's also pile on top of this dilemma the fact that the both the CIA and the NSA couldn't even keep their prize possesion hacking tools from hackers. So the question that needs to be pressed is how long until the keys of everyone within the country are also available on the dark web?
Rozenshtein goes on to suggest that maybe nobody has built a secure cipher because building the impossible is actually groupthink:
The first is the kind that comes from many independent researchers having tackled a problem and coming to the same conclusion. The second is the kind that comes when the views of a few key players come to be seen as the received, not-to-be-questioned wisdom—in other words, groupthink. If the consensus against secure third-party access is not a true consensus but, rather, groupthink, it becomes much harder to support the argument that we should reject, out of hand, government proposals for secure third-party access.
Wat?
Or maybe the real reason why cryptowonks haven't invented it yet is because the elders of the Global Fraternity of Cryptographers put out a decree that backdooring ciphers is a sin:
There are two reasons why I think there hasn’t been enough research to establish the no-third-party access position. First, research in this area is “taboo” among security researchers
Let me be very practical here and state what nobody has talked about yet - Governments around the world want something and are willing to pay through the nose for it. Build it, and that's lucrative government contracts for life. If there were any cryptographers out there with any commercial sense, they would have pounced on this years ago. Not even McAfee has put his hand up for this... and that's saying something.
When there's Billions on the table yet nobody has come to collect, you have to ask yourself why - maybe the experts are right and that "secure" backdoors really are impossible to build.
To quote the article:
Second, I am not arguing that secure (or even secure-enough) third-party access is possible. Frankly, I have no idea.
... then why write the article in the first place.