[jki275]

You've missed the point.

There is no solution. If you build in your "exceptional access" exception, then the system is broken by design and no one will use it. That's the end of the discussion, there's nothing more to discuss. You can rube goldberg "solutions" all day long, but in the end you're just figuring out ways to deploy a broken system.

[masscrypteria]

The government has a different idea of what constitutes “broken” in this case. Of course adding a third party introduces additional risks. Two parties versus three parties: All can access the clear info; neither scenario is without risk. The goal is to find a solution that minimizes the risks of providing exceptional access.

Again, simply arguing that “it can’t be done”, which is of course theoretically true if the goal is to have zero additional risk by introducing a third party, isn’t going to stop such systems from being deployed, it will simply reduce the quality of such solutions due to talent refusing to work on the problem.

An idea that comes to mind: third party can’t trivially decrypt the data (maybe it requires substantial computation to decrypt) thus reducing practicality of bulk decryption. Make the exceptional access truly exceptional.

I agree that having a trivial way for governments to access encrypted comms at scale is bad; I don’t agree that governments should be completely locked out, without exception, of all comms deployed at scale by mega tech corporations.

[jki275]

You're describing a broken and unusable cryptosystem. What you believe requires "substantial computation" to break today requires a consumer GPU tomorrow.

There is no minimizing the risk. Your concept is broken. It does not -- and cannot -- provide security of any use. And I don't care what the government thinks about it.

[masscrypteria]

It’s just a brainstorming idea. There would be a key as well - the idea would require both the key and substantial computational power for exceptional access

Brainstorming ideas are meant to be thrown out. Attacking the idea respectfully is fine. It’s to help inspire other ideas.

Of course there’s a trade off involved. But whether it’s two party encryption or three party encryption with exceptional access none is perfectly secure anyway. There is major conflation of political ideologies with hardline technical viewpoints going on

[masscrypteria]

Pre quantum algos have this shortcoming built in

[jki275]

Word salad.

[kyboren]

> [...] arguing that “it can’t be done”, which is of course theoretically true if the goal is to have zero additional risk by introducing a third party [...]

So then you recognize that "exceptional access" mechanisms necessarily weaken a cryptosystem, which are already notoriously difficult to implement securely. This brings us back to your OP, where you complain about people telling you the truth you already recognize, and make two entreaties for assistance from HN:

1. "Perhaps HN would do well to ask how to solve the problem from a technical perspective, given the requirements. This includes both how to build a better mousetrap (one that doesn’t have a “backdoor” or significantly weakens the encryption mechanism) [...]"

2. "[...] and how to solve concerns about abuse of exceptional access."

I understand now that you suffer from severe cognitive dissonance with respect to the first. You just acknowledged that the "weakening issue" with "exceptional access" cannot be solved, yet still argue that it can be solved, presumably with more effort from security professionals.

I already addressed the second: Concerns about abuse of "exceptional access" also cannot be solved, except by avoiding their inclusion in the first place.

Your idea is also a non-starter. Human political masters will set the work parameters, not users (otherwise: Who would choose anything but an infinite amount of work to decrypt their communications?). Users would have no way to verify the work required to decrypt as, again, they cannot verify that communications have or have not been "exceptionally accessed". The work parameters must be updated as technology improves, so there must be a way for human political masters to update work requirements (potentially reducing them). Nobody outside certain SCI or ECI compartments has any idea what kind of cryptanalytic power USG can bring to bear. Maybe, like Skipjack, the proof of work cryptography is subtly weaker than expected in a way that only they know. Maybe the USG will just start allocating $100B/year to routinely use "exceptional access". And certainly, after such a backdoor scheme is deployed, LEO and IC will howl that they cannot access enough plaintext to stop child molesting terrorist superpredators, and anyone who would just think of the children would support reducing or eliminating the burdensome computational obfuscation parameters. Once again: Any such "exceptional access" scheme necessarily reduces security by inserting a critical dependence on trust in humans that cannot be verified and whose compromise has Biblically enormous value to many groups.

> I agree that having a trivial way for governments to access encrypted comms at scale is bad; I don’t agree that governments should be completely locked out, without exception, of all comms deployed at scale by mega tech corporations.

If we agree on the first part, then we should agree on everything that I've written. "Exceptional access" schemes only make sense for unconstitutional dragnet surveillance purposes and are a severe threat to liberty. If a target is known, and is found to be using cryptanalytically impenetrable cryptography, targeted physical surveillance will defeat that cryptography every time. If some impenetrable communications happen between two non-targets, it doesn't matter that those communications cannot be read, because the government doesn't want to read those communications anyway--right? Of course, serious criminals and terrorists--the ones on whom collection is really important for security--are not going to use known-compromised cryptosystems when non-broken ones are already ubiquitous. Therefore this "exceptional access" is only useful on the average citizens; unless, that is, the government is doing dragnet surveillance and attempting to "winnow" out secure communications, something they can only do effectively if they attempt decryption of every "exceptional access-enabled" communication.

Finally, consider your request in the historical context. For the great deal of our history, communications have defaulted to being private (there were no microphones in Lincoln's log cabin) and inaccessible to government agents except through testimony (which cryptography does nothing to prevent). Now your claim is that the government must have the ability to access any communication. But why? Our government and society worked just fine without substantially all communications being recorded and accessible to the government. Such a large shift in the balance of power will, I fear, lead inevitably to tyranny.

[masscrypteria]

It’s a trade off. There’s no cognitive dissonance, just refusal to work towards better compromises. Lovely argument, though. Euphemistically it’s clear you’re very passionate about this issue. Maybe my hacker news throwaway should’ve been called cryptopassion

[jki275]

There is no compromise. There is either security, or there is not. You want the not, because you prioritize government access to all communications over privacy.

The rest of the world disagrees with you.

[masscrypteria]

No, not true. Crypto isn’t perfect as is, and involves levels of security.

Two party crypto has two parties who could leak the data. Two party with exceptional access has three. Current crypto is susceptible to brute force via shor’s and quantum

The rest of the world absolutely does not agree with you. It’s just that a lot of people here live in a bubble.

[jki275]

Current crypto is possibly subject to attack due to implementation defects. You're throwing out word salad that you clearly don't understand on this subject -- but hey, let's take your statement as fact for a hypothetical second.

Since as you say, "Current crypto is susceptible to brute force via shor’s and quantum", then there's no need for backdooring algorithms, since they're all already broken.

I mean, none of that is accurate, but given your argument you're asking for something you don't need because you already have it.