Cryptographic Backdoors and Why Policymakers Shouldn't Do Math


Originally published at:

Generally speaking, I don’t trust policymakers to do math. This isn’t a new thing. In 1894, the Indiana State Legislature attempted to set the value of Pi to 3.2 via legislative fiat. Fortunately, there was a professor from Purdue there to set them straight, but it was a close call. National governments haven’t gotten any better at math since.

Cryptography is math, and it’s hard

As anyone in the world of computer science knows, cryptography is math. In its simplest form – the Caesar Cypher – cleartext can be encoded simply by adding an integer to the letter and shifting the representation by that many steps of the alphabet. Modern cyphers are made far more complex through the use of Modular Arithmetic and Matrix Algebra, but ultimately all encryption is based on math.

Getting encryption right is extremely difficult, as the Germans found out in World War II. Even though the Germans got the math right (the Enigma Cypher was unbreakable if proper procedures were followed) their cypher system was broken due to poor procedural control on behalf of operators and a key space that was small enough to be solved by 1940’s era analog computers. Small mistakes like using the same operator code at the beginning of each message, sending the same information multiple times, and other lazy practices gave allied code breakers the ability to decipher the traffic. General Dwight Eisenhower said after the war that the intelligence gathered by breaking Enigma was decisive to allied victory.

Weakening security

In the present day, two prominent countries – Australia and the United Kingdom – have undertaken efforts to create back-doors into modern cryptographic systems. Bills in both nations seek to undermine data security in favor of national security. It is hard enough to implement a cryptographic system securely, even when all of the math is done right and the system is designed to be secure. It is nearly impossible to secure a system that is intentionally designed to be vulnerable to cryptanalysis.

Efforts by governments to weaken encryption will inevitably backfire. Governments should have a vested interest in making sure their businesses are able to protect trade secrets and proprietary information. Weakening encryption just makes their industries ripe for attack by sophisticated hackers sponsored by nation states.

To say these backdoors will prevent or help solve crime is unlikely. Sophisticated criminals are just going to deploy encryption without backdoors anyway, instead of Apple or Google or whoever’s standard encryption. Often, the encryption deployed by those criminals is vulnerable enough to break regardless. Even criminal enterprises like Silk Road or Phantom Secure who tried to take encryption seriously were eventually penetrated and shut down due to poor operational security practices. There is no reason to believe that law enforcement won’t be able to do the same for other criminal enterprises regardless of whether the underlying encryption has back doors or not.

If government leaders want to regulate how math is done, they should start with their own budgets. Accounting is simply addition and subtraction – something that many governments around the world have mastered. Legislators in the UK and Australia should focus on the basics and leave the crypto to the experts.


It has to be said that Enigma did have an implicit flaw: it wasn’t able to encrypt a letter as itself. That, combined with peculiarities in the material being encrypted (it was text, in a known language), was enough to compromise it. As another minor niggle, when cryptanalysis was mechanised it used what we’d today call switching networks, not analogue computers (which I’m sure some would call AI :-)

There’s only one possible way that this will end, and that is for sovereign states to demand that both ends of an encrypted communication are within their jurisdiction, so that if necessary a legitimate demand for interception can be implemented. Anybody caught sending encrypted material under other conditions, or anybody suspected of using steganography, can expect an “involuntary appointment” with somebody demanding to know what’s going on.

That is, of course, how things should be since it is the state’s responsibility to both oversee citizens’ privacy and to protect against intrusion by Facebook, the Kremlin, and any other casually-hostile power. Regrettably, however, it assumes that politicians are well-informed and diligent in their supervision of the state apparatus: and like you I admit to harbouring grave doubts on both fronts.

So we both end up asking the same question, which is how can politicians be better-informed and better-supported so that they can both make wise decisions and ensure that they are implemented appropriately.