Friday, 10 July 2015

Ban multiplication!

We have seen cries to ban encryption by the UK government (and others). They are couched in wording to try and get some sympathy for this, such as "there can be no safe places for terrorists to communicate", and that they only want to ban "strong" encryption. They have even said there have to be "back doors" in software. It is still not clear what they want. These are all ways to say "ban privacy for law abiding citizens".

One of the problems is getting through to people why this sort of request is totally insane, and so I am going to try and make it simple. Encryption is a bit like a mathematical function. So, just for a moment, let's imagine the call is to "ban multiplication". I am sure that being able to multiply is as useful to terrorists as to the rest of us.

Can you just ban this for the bad people?

Well, no. It is hard to see how you can tell if someone using is using multiplication, and if they are, if they are doing so for good or bad reasons. If you had multiplication banning orders, you'd have to tell the suspects they are banned, and they would know they are suspects. The only way is to ban everyone using multiplication.

This is the same with encryption - well, more so. You cannot see what the encrypted data is, so you cannot tell if someone is a viable suspect even. If they are a suspect you cannot stop them using encryption without telling them to stop, which kind of gives the game away. The only way is to ban everyone from using encryption, even the 64 million of us in the UK that are not terrorists.

Would banning multiplication work?

Obviously not - anyone that wants to multiply would still do it. They may not make it obvious what they have done, but I am sure, if it is useful to them, they would multiply still. If they are a criminal, why would they not be prepared to commit one more crime?

This is the same for terrorists and encryption. Terrorists would be able to use encryption and can easily hide that they have done so. Only legitimate, law abiding people and businesses would not be able to use encryption.

Can we stop multiplication by making the manufacturers of calculators stop it?

Well, you could make a law, and it would apply to calculators. Nobody making them would be allowed to include the multiplication function. We'd have to make sure nobody brought one in it the country - checking at ports and confiscating anything that can multiply. But hang on - multiplication is not that hard - people can do it with pen and paper or in their heads, stopping manufacturers does not stop that? And what of someone that just writes their own calculator app for their phone or PC?

This is the same for terrorists and encryption - most encryption software is actually "open source" so has no manufacturer to act on, and you can encrypt using nothing more than pen, paper and dice. If iPhones were banned, or even "any iPhone except the special UK version" was banned, it means checking people at airports for illicit iPhone smuggling. But anyone can still get encryption for any phone or computer that allows you to load your own software as it is freely available.

Can we make manufacturers add a back door?

Perhaps allow multiplication, but make the manufacturers of calculators have something that logs what was multiplied, so we know. But again, what if people don't use calculators? And even if they did, surely the calculator manufacturer could log two different numbers that multiply to give the same answer, giving the impression they are complying but not actually doing so?

The same is true of encryption - again, most encryption software is free and exists already. Even if you did encryption by hand you could log (post off to GCHQ?) keys that decrypt what you sent in a way that looks like you are complying but does not actually reveal the real message.

Could someone else use the back door?

Well, obviously, if the calculators are logging what was multiplied, even though you actually wanted it kept secret, someone else might be able to look at that log.

This is true for encryption - if you make it weaker or you create logs or back doors - you make it easier for terrorists, criminals, hackers, competitors, anyone to access your data. It makes you massively less secure.

Is this comparison silly?

No! Encryption can be done in a lot of ways and computers are good at it, but you can make impossible unbreakable encryption with nothing more than a pen and paper, and mathematics that are actually as simple as adding up - not even as complicated as multiplication. When I said let's pretend encryption is multiplication I was making it harder in some cases!

As per one of the comments: There is an excellent paper on the subject published this week...


  1. Neal Stephenson's Cryptonomicon describes an encryption algorithm, designed by Bruce Schneier, that uses a deck of cards to provide encryption that's effectively unbreakable:

    That's a pretty good analogy to your "people could just do it by hand" step.

  2. Let them ban multiplication...

    Firstly, you don't need a multiply, or even an add instruction in silicon, you can get away with subtraction and division
    X + Y == X - ( 0 - Y )
    X * Y == X / ( 1 / Y )
    Some particularly irritating hardware has done just this.

    Secondly, all they have to do is wait, judging by the latest intake of trainees I've seen at WeProcessBettingSlips, it appears that any form of mathematics must now be an entirely optional component of the school syllabus. Eventually all the old-timers (i.e. those who have calculators with real buttons, not touch-screens) will retire, resign, or just give up in disgust, and I'll be able to charge extortionate fees for doing niche or bespoke work, such as long division.

    They need to read:

    Co-authored by Whitfield Diffie (Co-inventor of public key encryption), and Ronald L. Rivest (The 'R' in RSA), and many other luminaries in the field..

  3. On a similar line, I wrote a blog post a few weeks after reading your one-time pad blog and youtube clip -

    As you say, steganography, one-time pads, and the fact that there is no way of telling which "communication data" is actually encrypted data rather than just a random byte-stream makes the whole idea of legislating against encryption so utterly ludicrous.

    I think swapping encryption for "multiplication" is a great analogy

  4. Did you see that I already posted this in May in response to one of your previous posts?

    I already shared the link with you: