Crypto crumple zones: enabling limited access without mass surveillance
Files
Accepted manuscript
Date
2018
Authors
Wright, Charles V.
Varia, Mayank
Version
Accepted manuscript
OA Version
Citation
Charles V. Wright, Mayank Varia. 2018. "Crypto Crumple Zones: Enabling Limited Access without Mass Surveillance." Euro S&P. 2018 IEEE European Symposium on Security and Privacy (EuroS&P). London, https://doi.org/10.1109/EuroSP.2018.00028
Abstract
Governments around the world are demanding more access to encrypted data, but it has been difficult to build a system that allows the authorities some access without providing unlimited access in practice. In this paper, we present new techniques for maximizing user privacy in jurisdictions that require support for so-called “exceptional access” to encrypted data. In contrast to previous work on this topic (e.g., key escrow), our approach places most of the responsibility for achieving exceptional access on the government, rather than on the users or developers of cryptographic tools. As a result, our constructions are very simple and lightweight, and they can be easily retrofitted onto existing applications and protocols. Critically, we introduce no new third parties, and we add no new messages beyond a single new Diffie-Hellman key exchange in protocols that already use Diffie-Hellman. We present two constructions for crumpling cryptographic keys to make it possible, although arbitrarily expensive, for a government to recover the plaintext for targeted messages. Our symmetric crumpling technique uses a hash-based proof of work to impose a linear cost on the adversary for each message she wishes to recover. Additionally, our public-key crumpling method uses a novel application of Diffie-Hellman over modular arithmetic groups to create an extremely expensive puzzle that the adversary must solve before she can recover even a single message. Our initial analysis shows that we can impose an upfront cost in the range of $100M to several billion dollars and a linear cost between $1K and $1M per message. We show how our constructions can easily be adapted to common tools including PGP, Signal, SRTP, full-disk encryption, and file-based encryption.
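As an added illustration of the symmetric crumpling idea described in the abstract (this is not the paper's own construction or code), the toy scheme below derives each message key from a fresh seed, publishes the seed with its low k bits withheld together with a hash tag, and makes recovering that one key cost up to 2^k hash evaluations; the seed size, the tag construction and the parameter k are assumptions chosen for the example.

```python
import hashlib
import secrets

SEED_BYTES = 16  # assumed seed size for this toy construction


def derive_key(seed: bytes) -> bytes:
    """Message key derived from the full seed (constructed KDF, domain-separated)."""
    return hashlib.sha256(b"crumple-key" + seed).digest()


def crumple(seed: bytes, k: int) -> tuple[bytes, int, bytes]:
    """Produce the public 'crumpled' hint: the seed with its low k bits cleared,
    plus a hash tag of the full seed so a recovered guess can be verified.
    Legitimate parties keep the full seed; only the hint and tag are exposed."""
    n = int.from_bytes(seed, "big")
    hint = ((n >> k) << k).to_bytes(SEED_BYTES, "big")
    tag = hashlib.sha256(b"crumple-tag" + seed).digest()
    return hint, k, tag


def recover(hint: bytes, k: int, tag: bytes) -> tuple[bytes, int]:
    """Brute-force the k withheld bits; the work is up to 2**k hashes and must be
    repeated for every message, which is the linear per-message cost.
    Returns the recovered key and the number of candidates tried."""
    base = int.from_bytes(hint, "big")
    for guess in range(1 << k):
        cand = (base | guess).to_bytes(SEED_BYTES, "big")
        if hashlib.sha256(b"crumple-tag" + cand).digest() == tag:
            return derive_key(cand), guess + 1
    raise ValueError("no seed matched the tag")


def recovery_work(num_messages: int, k: int) -> int:
    """Total hash evaluations needed to recover num_messages independent messages,
    each crumpled with a fresh random seed: grows linearly with the message count."""
    total = 0
    for _ in range(num_messages):
        hint, bits, tag = crumple(secrets.token_bytes(SEED_BYTES), k)
        total += recover(hint, bits, tag)[1]
    return total


if __name__ == "__main__":
    print("hashes to recover 8 messages at k=12:", recovery_work(8, 12))
```

Raising k by one bit doubles the per-message work, which is the knob the abstract's cost estimates turn.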