by xyzzyz 2524 days ago
Government generates a public/private key pair Gpub/Gpriv, and publishes the public part. It also requires the following scheme to be used: if you want to encrypt a message M with a key P, you generate random key K, encrypt M with K to obtain Enc_K(M), encrypt K with Gpub to obtain Enc_Gpub(K), and encrypt K with P to obtain Enc_P(K), and then send this triple (Enc_K(M), Enc_Gpub(K), Enc_P(K)). This way, either of the P or Gpriv can be used to decrypt M (you just use it to first decrypt K, and then decrypt M). This scheme is as strong as the scheme used for encryption is, and no cryptography is weakened by its use, except of course a huge negative impact in case Gpriv leaks. With stakes this high though, you could bring likelihood of leak to be very low, and you could modify the scheme to mitigate the impact of the leak.

I don't like it as much as anyone else, but unfortunately I think this is viable in practice. Of course, nothing stops you, a hacker, from using non-backdoored encryption, but government is fine with that, as long as Google, Apple, Facebook etc. are forced to use backdoors.

2 comments
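The triple (Enc_K(M), Enc_Gpub(K), Enc_P(K)) from the post above, as an added example that is not part of the thread. It shows that the recipient key and Gpriv each recover the same K, which is why a leaked Gpriv opens every message built this way. The 127-bit toy group, the hash-based stream cipher and all function names are assumptions chosen so the sketch runs on the standard library alone; they are not secure, and P is modelled here as a recipient key pair.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (127-bit Mersenne prime). Illustration only, NOT secure.
P_MOD = 2**127 - 1
G = 3

def keygen():
    """Return (private, public) for the toy ElGamal-style key wrap."""
    priv = secrets.randbelow(P_MOD - 2) + 1
    return priv, pow(G, priv, P_MOD)

def _kdf(shared: int) -> bytes:
    return hashlib.sha256(b"wrap" + shared.to_bytes(16, "big")).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream XOR, a stand-in for a real symmetric cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(pub: int, k: bytes):
    """Enc_pub(K): ephemeral DH share plus K masked with the derived secret."""
    eph = secrets.randbelow(P_MOD - 2) + 1
    mask = _kdf(pow(pub, eph, P_MOD))
    return pow(G, eph, P_MOD), bytes(a ^ b for a, b in zip(k, mask))

def unwrap(priv: int, wrapped) -> bytes:
    share, masked = wrapped
    mask = _kdf(pow(share, priv, P_MOD))
    return bytes(a ^ b for a, b in zip(masked, mask))

def encrypt(message: bytes, recipient_pub: int, escrow_pub: int):
    """Build the triple (Enc_K(M), Enc_Gpub(K), Enc_P(K)) with a fresh K."""
    k = secrets.token_bytes(32)
    ct = _xor_stream(k, message)
    tag = hmac.new(k, ct, hashlib.sha256).digest()  # detects a wrong K
    return (ct, tag), wrap(escrow_pub, k), wrap(recipient_pub, k)

def decrypt(priv: int, wrapped_k, body) -> bytes:
    """Recover K with whichever private key matches wrapped_k, then M."""
    k = unwrap(priv, wrapped_k)
    ct, tag = body
    if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _xor_stream(k, ct)
```

Calling `decrypt` with the recipient's private key and the third element, or with the escrow private key and the second element, returns the same plaintext; any other key raises `ValueError`.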

> Of course, nothing stops you, a hacker, from using non-backdoored encryption, but government is fine with that, as long as Google, Apple, Facebook etc. are forced to use backdoors.

Which just goes to show that this isn't actually about catching hardened criminals (who will just use non-backdoored encryption, either alone or layered on top of the compromised channels) but rather about enabling pervasive surveillance of ordinary citizens.

Not necessarily. There is a middle ground between the two: common criminals that simply use the tools that Google, Apple etc create to make security for normal people easy. If it's effortless to enable full end to end encryption on your phone, then not only will your grandpa enjoy benefits of it, but also a cocaine dealer or a burglar trying to fence stolen goods.

But yes, I think that there are lower-hanging fruits available for pick up here. I wish we lived in a reality where backdooring encryption was the best available path to reduce crime.

The lazy sort of criminal that relies on commonplace, corporate-controlled communications apps would be caught using a traditional investigative approach regardless of any end-to-end encryption. It's the more sophisticated ones that they're using as justification for these backdoors—exactly the type that might be mildly inconvenienced at most by backdoors in standard communications services.

If what these criminals are doing is causing actual harm then there must be sufficient offline physical evidence to track and convict them by without direct access to their communications networks. Far from reducing crime, the enforcement of compulsory backdoors would itself be a crime committed by the government against its own citizens on a massive scale.

> Government generates a public/private key pair Gpub/Gpriv [...]

Isn't that exactly the Clipper Chip scheme? The arguments against it are as valid now as they were then. If you haven't seen them before, they can be found in the 1997 paper "The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption", and its 2015 followup "Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications".

Not exactly the same, it offers a slightly different trade-off between the benefits and the drawbacks. But yes, the idea is clearly not new or non-obvious. There are plenty of arguments against doing that, and thank you for the references (I wasn't aware of the second one). Nevertheless, just because it has some (in fact, many) drawbacks, doesn't mean it's completely broken and useless, and that means that we shouldn't expect that something like this won't ever materialize.