CINDY A. COHN, ESQ.; SBN 145997
McGLASHAN & SARRAIL
Professional Corporation
177 Bovet Road, Sixth Floor
San Mateo, CA 94402
Tel: (415) 341-2585
Fax: (415) 341-1395

LEE TIEN, ESQ.; SBN 148216
1452 Curtis Street
Berkeley, CA 94702
Tel: (510) 525-0817

Attorneys for Plaintiff
Daniel J. Bernstein

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA

DANIEL J. BERNSTEIN                     )
                                        )   C 95-00582 MHP
               Plaintiff,               )
                                        )   DECLARATION OF
v.                                      )   MATT BLAZE
                                        )
UNITED STATES DEPARTMENT OF             )
STATE et al.                            )
               Defendant.               )
                                        )
________________________________________)

I, MATT BLAZE, hereby declare:

1. I am a Principal Research Scientist at AT&T Laboratories, and an Adjunct Professor of Computer Science at Columbia University. My primary research areas include computer security, applied cryptology, and large scale distributed computing systems. My current interests focus on the use of secure hardware, the management and specification of trust, public-key certificate infrastructure, and cryptography policy.

2. I hold a Ph.D. in Computer Science from Princeton University, an M.S. from Columbia University, and a B.S. from the City University of New York.

3. I make this Declaration on my own behalf and not on behalf of my employer.

4. Although there are many different types of cryptography, the purpose shared by all of them is separation of the security of information from the security of the physical media in which the information is embodied or transmitted. This is accomplished through the use of mathematical transformations, called "cipher functions" or "cipher algorithms", that alter information in such a way that it can only be recovered with the knowledge of a secret, called a "key." These transformations are combined to form "cryptographic protocols" that accomplish various security objectives.

CRYPTOGRAPHY IS MATHEMATICS

5. While the study of cryptography draws upon many disciplines, the most important activity engaged in by cryptographers is the design and analysis of the underlying mathematical cipher functions and protocols. Although the subject has existed for literally thousands of years (being perhaps as old as the written word itself), the mathematics of cryptography is not yet fully understood, and cryptography is today one of the most vital and exciting areas of mathematical research.

THE SCIENTIFIC COMMUNITY FOR CRYPTOGRAPHY INCLUDES ACADEMICS, INDUSTRY RESEARCHERS AND INDIVIDUAL RESEARCHERS

6. Like researchers in all scientific disciplines, cryptographers seek to advance their field through open discussion of new approaches, collaboration with one another, and the rigorous peer review that comes from informal scientific exchange and the publication and presentation of technical papers at conferences and in journals. The community of cryptographic researchers is extraordinarily diverse, and includes academic researchers working in universities (primarily in mathematics and computer science departments), scientists employed by industrial research laboratories, as well as individuals with no formal employment in the subject.

GOOD CRYPTOGRAPHY REQUIRES WIDESPREAD SCRUTINY AND TESTING

7. Because the mathematics of cryptography is not fully understood, we are not able to systematically determine or mathematically prove that any given proposed cryptographic algorithm or protocol is "secure". That is, there is not yet a useful "theory" of cryptography that would enable the designer (or user) of a cipher algorithm to be sure that a proposed system is free of subtle flaws that might allow an attacker to obtain information without knowledge of the decryption key. The only way to obtain any assurance whatsoever about the strength of a cipher function or system built around one is to expose the system to the scrutiny of the largest possible community of cryptographers. Systems are usually acknowledged to be "secure" only after an extended period of widespread scrutiny. For example, it took over fifteen years after the publication of the US Government's "Data Encryption Standard" before the standard was trusted by many cryptographers to be free of easily-exploitable weaknesses.

8. The US National Security Agency (NSA) is said to be the largest employer of cryptographers in the world, and is said to be many years ahead of the commercial and academic world in its understanding of how to design cipher functions and protocols and how to use them to build secure systems. The technical work of the NSA is primarily classified and thus cannot be exposed to the scrutiny of the public research community. However, a few systems have been released from NSA for publication as civilian standards.

9. My analysis of one of these systems, the interface to the "Escrowed Encryption Standard," in 1994, suggests that even systems designed with the benefit of the government's superior experience and broad internal expertise can still benefit from outside scrutiny. In this case, my analysis of the published specifications revealed a "protocol failure" that allowed the system to be used in a way that circumvented one of its basic design objectives. This does not reflect especially badly on the NSA's abilities. It simply re-affirms what the civilian community has long understood - cryptographic systems are hard to design, and therefore must be exposed to extensive and diverse scrutiny before they should be trusted.

CRYPTOGRAPHIC ALGORITHMS ARE DESCRIBED IN COMPUTER PROGRAMS

10. Although in an abstract sense cipher functions and protocols are purely mathematical objects, their properties and nature are usually most readily understandable when they are specified and represented as computer programs. In fact, modern techniques for analysis of cipher functions rely heavily on computer simulation and experimentation, and computer programming languages serve as a standard notation for describing new ciphers. The analysis of the performance and behavior of a cipher system on real computers is one of the central aspects of the evaluation of new systems.

11. Because one of the most natural ways to describe a cipher algorithm is by means of computer programs, there is little distinction between a description of an algorithm and a program that implements it; they are as often as not the same thing. It is virtually impossible to fully describe a modern cipher system without at the same time providing a program that implements it.

THE ITAR SCHEME IMPEDES SCIENTIFIC RESEARCH

12. The current export controls on cryptography have a far-reaching impact on the practice of scientific research in the discipline, even domestically. The cryptographic research community is a truly international one, with researchers from all over the world collaborating with one another and sharing their results through publication and conferences. Many natural research collaborations are limited or stifled by the export regulations, which are understood to effectively prevent researchers in the US from working with their foreign colleagues on certain kinds of applied cryptographic research.

THE ITAR SCHEME HAS IMPEDED MY RESEARCH AND TEACHING

13. My own professional life has been adversely affected by my inability under the export regulations to fully collaborate with researchers from other countries and from my inability to openly and freely publish computer source code to my own cryptographic systems for peer review. I will give three examples, chosen from many. First, in 1993 I was collaborating on a research project with a post-doctoral researcher from Greece at Columbia University in New York City. We were designing what would become one of the first proposals for securing message traffic on the Internet from eavesdropping and forgery. Because my collaborator was not a "US person" under the law (he was not a permanent resident), we could not legally freely exchange computer code that implemented our proposed protocols, and so were unable to collaborate at all on any experimental aspects of the analysis of our design. In fact, we were uncertain as to whether it would even be legal for my collaborator to have access to any computer programs he produced himself that implemented or described our protocol.

14. A second example involves a system I designed in 1992 for securing files stored on computer workstations. The system demonstrates a number of engineering techniques for including encryption in a computer operating system, and so, in addition to writing a paper that describes the techniques in abstract terms, I wrote a computer program that implements it to help other researchers understand, evaluate and measure the technique. Unfortunately, because the computer program is covered under the export controls, I was told by our corporate legal department that I cannot legally make the system available on the Internet. Instead, those who want it must write to me and ask for a copy, and I can send it to them only if they indicate that they are US citizens in the US. To this day, I spend a significant fraction of my time filing and managing these requests, a task that would be eliminated completely were I able to simply make the system available on the Internet.

15. A final example involves a graduate-level course I taught on the subject of cryptography and computer security at Columbia University in 1995. Many of the students in the class were not US citizens, and so I was unable to make available as part of the course material computer programs that implement the techniques being taught in the course. This created an extraordinarily difficult situation for me and for the students; imagine trying to teach or learn an applied technical subject without benefit of real examples.

I declare under penalty of perjury that the foregoing is true and correct and that this Declaration was signed at Murray Hill, New Jersey.

Dated:_________________          _________________________________________
                                 MATT BLAZE