Computers, Privacy & the Constitution
The use of encryption is required to maintain the secrecy, anonymity, and autonomy of messages between a sender and recipient. The most obvious solution is to use symmetric encryption, where parties share a secret key used to encrypt their messages. While simple, symmetric cryptography is deeply flawed in that it requires both parties to have access to the secret key. This creates something of a paradox – the sender needs a secure channel to transmit this key to the receiver, but the existence of that secure channel requires the receiver to already have said key.

The most commonly adopted alternative is the use of asymmetric encryption. This method separates the public key (used for encrypting the message) from the private key (used for decrypting the message). This allows for the sender to encrypt a message without knowing how to decrypt it. Since the public key is only capable of encryption, it can be freely distributed without compromising its security.

The mathematical basis for asymmetric encryption lies in the fact that certain calculations are easy to compute in one direction but hard in the reverse direction. The most frequently used method involves factoring the product of prime numbers. It is computationally simple to multiply two prime numbers, even numbers hundreds of digits long, but is significantly more difficult to factor out the resulting product. Another example of this principle is modular exponentiation, which involves the finding the remainder of an exponent when divided by a modulus. Calculating the remainder itself is easy, but calculating the components given the remainder is significantly more difficult. This property is important for the real-world applicability of encryption, as we can assume that a potential attacker has significantly more computing power than the average end user.

Both of these methods illustrate that even modern forms of asymmetric encryption make decryption very difficult without actually making messages unbreakable in absolute terms. Theoretically, it’s possible that any product of prime numbers can be factored given enough computing power. Rather, asymmetric encryption is secure because such computing power doesn’t currently exist – breaking the encryption is not theoretically impossible but is infeasible given current technology. In 2013, it was disclosed that NIST approved the use of 2048-bit RSA until the year 2030. The current record for largest RSA key size factored is 829 bits and was achieved in February 2020. For those who require even more security, 3072 and 4096-bit RSA encryption also exists.

However, developments in quantum computing have brought into question whether current forms of encryption will maintain their technological lead in the future. In 2019, a group of researchers estimated that a quantum computer with 20 million qubits would be able to factor a 2048-bit RSA encryption in eight hours. Perhaps more significantly, the paper noted that this estimate was two orders of magnitude lower than the estimate of one billion qubits given just four years ago, in 2015.

Of course, the current threat posed by this development is far more speculative than real. The most complex quantum computer, announced by Google in 2018, has a mere 72 qubits. Even if Google’s assertion that quantum computers will develop at a “double exponential rate” holds true, it’s unclear when the technology will actually have practical cryptographic use.

Furthermore, the threat posed by high-end decryption is a very small subset of an everyday user’s privacy concerns. Even if intelligence agencies had the ability to factor larger RSA keys (and if they did, I doubt they would disclose that fact to collect on the six-figure reward), that kind of effort would only be targeted at a select few. The factoring of 829-bit RSA was done using a supercomputer using the equivalent of 2700 years of server-grade computational power.

One clear use of encryption is for use in securing email, as we worked on last semester. By using PGP keys to encrypt communications, a user could shield the contents of their messages in Gmail from Google. This is a great example of the encryption just needing to be good enough to make snooping an unattractive proposition. Google clearly has an incredible amount of computing power – they even have the world’s most complex quantum computer. But they’re not going to go through the trouble if users take moderate cryptographic steps. While Google doesn’t disclose the value it places on a user’s data, it makes about $250 in revenue for each domestic user and about half that globally. Taken over the billions of users it has, that’s an incredible amount of revenue, but on an individual level it isn’t much. If a user encrypts their email with PGP, it simply isn’t worth Google’s time to decrypt it.

These kinds of real-world examples make encryption more relatable to the average user’s daily routines. When it’s described as throwing up roadblocks against the NSA, encryption doesn’t seem relevant to most people. Instead, encryption can be seen as taking general precautions to shield one’s personal information against most levels of surveillance (with any protection against intelligence agencies just being an added bonus). If people think of using encryption in the same vein as setting a strong password (and not writing it down on a post-it note), it would be helpful – not everyone will do it, but most people will admit that it’s worth doing.


Webs Webs

r1 - 10 Mar 2020 - 23:52:13 - MichaelPan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM