An open challenge on encryption: show us

There still seems to be a steady stream of people standing up and claiming that law enforcement and other security agencies are unable to do their jobs properly, particularly in respect of terrorism, because of encryption.

I mentioned in a previous article that key escrow had been tried before and failed. Perhaps the lessons learned then would be an aid to us now.

Clipper

The most public and spectacular failure of key escrow was in the Clipper chip, which flopped just twenty years ago. In the early 1990s, these same agencies had been banging the same drum very loudly, saying how important secure encryption was, as long as they were able to have a backdoor to decrypt anything that they needed.

The US government, in the form of President Clinton himself, acceded to pressure from the NSA, and allowed the agency to bring to market an encryption chip, the MYK-78 or Clipper, which gave everyone what they wanted. At a time when CPUs were much slower – the Mac Quadra 950, for example, had a 68040 processor clocked at just 33 MHz – and lacked support for the primitives used in most methods of encryption, a custom chip looked like a good idea.

The MYK-78 or Clipper chip. Image courtesy of Travis Goodspeed, via Wikimedia Commons.

For users, it apparently offered robust encryption and decryption of network data and speech, backed by the NSA’s expertise. For law enforcement and other agencies, it provided a ‘golden key’ (built into each chip from new) which would enable them to decrypt its output once they had obtained appropriate authority. What could possibly go wrong?

Problems

For a start, the Skipjack encryption algorithm was classified Secret, so its source was not made public and independent cryptographers could not examine it for weaknesses. It turned out to have serious vulnerabilities and problems, the worst of which disabled the escrow capability completely. More extensive analysis of the system by eleven of the leading cryptographers and security experts of the day concluded:
“Key recovery systems are inherently less secure, more costly, and more difficult to use than similar systems without a recovery feature. The massive deployment of key-recovery-based infrastructures to meet law enforcement’s specifications will require significant sacrifices in security and convenience and substantially increased costs to all users of encryption. Furthermore, building the secure infrastructure of the breathtaking scale and complexity that would be required for such a scheme is beyond the experience and current competency of the field, and may well introduce ultimately unacceptable risks and costs.”

By the time that report was published in final form, in 1997, the Clipper chip was dead in the water, an expensive and embarrassing failure.

AES

Much has changed since then: modern processors commonly manage clock speeds in excess of 2 or 3 GHz, and many have instruction sets which include primitives to support high-speed implementations of many encryption algorithms. The threat landscape has also changed beyond all recognition: twenty years ago there were far fewer ‘bad guys’ on the Internet, and most of those who were a threat were a lot less technically adept than current criminals.

As a consequence of the failure of Clipper and shortcomings in the old DES, the US National Institute of Standards and Technology recognised the need for a new and robust encryption standard which did not play games with escrow of keys. It opened an international competition to develop a new Advanced Encryption Standard, which was open source. In 2000, NIST selected Rijndael as the successful candidate, and it remains the basis of the widely-used and very robust AES, a US Federal tool. It would also appear to be one of the methods which, when properly implemented, law enforcement agencies remain unable to break (unless in flawed circumstances).

A solution

There is, though, a very simple solution which would resolve the issues over whether encryption can be both robust and accessible to law enforcement agencies.

The US NSA and its UK equivalent, GCHQ, stand to gain most if there are backdoors in commonly-used methods of encryption. They also have the highest concentrations of cryptographic talent on the planet. Why don’t they come up with a proposal for an encryption algorithm which is at least as secure as AES, but which also would give them a secure backdoor?

In the light of the history of the Clipper chip and current best practice, and so that it can be compared against AES, the algorithm must of course be provided as open source, so that cryptographers and others can analyse it fully and confirm its robustness in both respects.

I think that I already know the answer to the challenge: the experts at the NSA and GCHQ know full well that such an algorithm does not exist. Indeed, I suspect that some of them may even be able to prove mathematically that it cannot exist.

Prove me wrong, someone.