1

Introduction

Encryption is a process for making information unreadable.¹ The inverse process, making information that has been encrypted readable, is referred to as decryption. Encryption and decryption are facets of a broad scientific field referred to as cryptography. The statement of task for this study uses the term “encryption,” but the scope of the study is the broader field of cryptography. (Historically, this field was referred to as “cryptology,” but in current usage, the word “cryptography” is more common. This is the term the committee will use in this report.) This report sometimes uses the terms encryption and cryptography interchangeably; where the difference between encryption and decryption are significant, those terms are used in their technical sense.

Cryptography is a complex and specialized subject: Chapter 2 of this report introduces aspects of cryptography for readers who are not familiar with it, and the National Institute of Standards and Technology’s (NIST’s) glossary is a useful reference.²

For most of recorded history, encryption was an arcane process used primarily by governments, the military, the Roman Catholic Church, and a few commercial organizations that sought to protect their communications from disclosure.³ Today, cryptography also enables authentication (verifying the identities of people, code, and the origins of transactions), and underlies the safe use of the Internet and computer systems by individuals and organizations worldwide.^4,5,6 Emerging cryptographic technologies offer capabilities such as the ability to process encrypted information without first decrypting it and distributing trust among multiple entities in a way that is

___________________

¹ D. Boneh and V. Shoup, 2020, “A Graduate Course in Applied Cryptography,” Version 0.5, January, http://toc.cryptobook.us.

² National Institute of Standards and Technology (NIST), 2019, Glossary of Key Information Security Terms, NISTIR 7298 Revision 3, https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.7298r3.pdf.

³ D. Khan, 1967, The Codebreakers: The Story of Secret Writing, New York: Macmillan, pp. 106–107.

⁴ D. Boneh and V. Shoup, 2020, “A Graduate Course in Applied Cryptography,” Version 0.5, January, http://toc.cryptobook.us.

⁵ J. Katz and Y. Lindell, 2021, Introduction to Modern Cryptography, Boca Raton, FL, Chapman & Hall/CRC Press, Taylor & Francis Group.

⁶ O. Goldreich, 2004, Foundations of Cryptography, https://www.wisdom.weizmann.ac.il/~oded/foc.html.

resilient against malicious minorities of participants.^7,8,9,10,11 The emergence of distributed cryptocurrencies is built on these principles, but these technologies have far greater applicability.¹²

The U.S. Intelligence Community, like intelligence organizations worldwide, must use encryption to protect sensitive information from unauthorized disclosure or modification. It must also defeat the encryption of information that it collects as part of its mission. The Intelligence Community also has an interest in creating systems where even if there are malicious insiders, they cannot gain critical information or control. The protective use of encryption is referred to as “defensive” and the task of defeating encryption as “offensive.” The defensive role of the U.S. Intelligence Community extends to setting standards and/or creating systems for the encryption of classified U.S. national security information and advising on the creation of standards for the encryption of unclassified government and private sector information.

The Office of the Director of National Intelligence (ODNI) requested that the National Academies of Sciences, Engineering, and Medicine establish a committee to identify potential scenarios for the balance between encryption and decryption over the next two decades and to assess the national security and intelligence implications of each scenario. The objective of the committee’s effort is not to predict what developments will occur, but to identify the range of possible developments and their implications, and to provide the Intelligence Community with recommended ways of identifying which future scenarios are materializing so that U.S. intelligence and the U.S. government as a whole can respond to and take advantage of these changes.

STATEMENT OF TASK

The National Academies of Sciences, Engineering, and Medicine will convene an ad hoc committee to identify potential scenarios over the next 10 to 20 years for the balance between encryption and decryption (and other data and communications protection and exploitation capabilities). The committee will then assess the national security and intelligence implications of the scenarios it deems most relevant and significant, based on criteria it develops.

The committee will first identify plausible scenarios, and the technological drivers (and other major drivers as deemed relevant by the committee) behind these scenarios, and potential areas of technology surprise. It will consider such factors as likelihood, speed, difficulty of planning and response, and consequence, in order to advise on which scenarios are most worthy of attention. The committee will also consider implications for applications of encryption such as cybersecurity, digital currency, cybercrime, surveillance, and covert communication.

The committee will then assess the national security, intelligence, and broad societal implications of each scenario determined by the committee to be most worthy of attention; identify and assess options for responding to these scenarios; and assess the implications for future Intelligence Community investments. In doing so, it will consider actions common across all scenarios, scenario-dependent actions, and technology developments that the Intelligence Community should monitor in order to narrow the range of possible scenarios in the future. It will also consider how other governments might act in each of the scenarios, and the implications of those actions for the United States. This project will produce a peer-reviewed consensus report.

___________________

⁷ O. Goldreich, S. Micali, and A. Wigderson, 2019, “How to Play Any Mental Game, or a Completeness Theorem for Protocols with Honest Majority,” in Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, https://doi.org/10.1145/3335741.3335755.

⁸ M. Ben-Or and A. Wigderson, 1988, “Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation,” Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing—STOC ‘88, https://doi.org/10.1145/62212.62213.

⁹ D. Chaum, C. Crépeau, and I. Damgard, 1988, “Multiparty Unconditionally Secure Protocols,” Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing—STOC ‘88, https://doi.org/10.1145/62212.62214.

¹⁰ R. Cramer, 2015, Secure Multiparty Computation and Secret Sharing, Cambridge, UK: Cambridge University Press.

¹¹ C. Gentry, 2009, “Fully Homomorphic Encryption Using Ideal Lattices” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing—STOC ‘09, https://doi.org/10.1145/1536414.1536440.

¹² J. Garay, A. Kiayias, and N. Leonardos, 2017, “The Bitcoin Backbone Protocol with Chains of Variable Difficulty,” pp. 291–323 in Advances in Cryptology—CRYPTO 2017, https://doi.org/10.1007/978-3-319-63688-7_10.

THE COMMITTEE’S APPROACH AND PROCESS

The committee’s work was conducted at the unclassified level and dealt only with cryptographic systems described by public sources. However, because governments and national security organizations worldwide are major users of commercial and public systems (including their security mechanisms), the results of this work apply to the challenges facing the Intelligence Community.

As a result of limitations on travel and face-to-face meetings resulting from the COVID-19 pandemic, the committee held short, frequent virtual meetings rather than the longer face-to-face meetings that would be typical for a National Academies’ committee. The committee met virtually 27 times during the period between late August 2020 and September 2021.

The committee began its deliberations with a series of meetings aimed at reviewing the committee’s task, introducing the committee members and their areas of expertise, and identifying issues that merited in-depth investigation. Following these meetings, the committee held eight meetings with experts and stakeholders who were invited to present their views on aspects of the future of encryption. Once the briefings were complete (in early 2021), the committee began the process of identifying scenarios and their implications. The committee’s sponsor from the Office of the Director of National Intelligence met with the committee on two occasions, once during the early stakeholder briefings and later as the committee was refining its approach to identifying scenarios of interest. The full list of speakers and their topics is included in Appendix B.

To identify scenarios of interest to the Intelligence Community, the committee used a mix of approaches based on the work of futures and strategic foresight firms and academic researchers. The committee first identified “drivers” whose possible future states are important to the future of encryption and then used combinations of the extreme states of those drivers to define potential scenarios. The committee then selected the potential scenarios that are most informative and cover the broadest range of realistic futures and explored their possible implications for and impacts on the Intelligence Community.

This report goes into some depth in describing the drivers that determine the potential scenarios. As the committee explored and reviewed those drivers, it determined that some situations and trends in technology and policy have clear implications and impact no matter which direction the future takes. The committee documented those implications in the report’s findings. The implications of and actions in anticipation of and response to the selected scenarios are included in the discussion of each scenario.

TRENDS AND MOTIVATIONS

The committee’s work is well justified by the importance of encryption to the Intelligence Community and by the scope and variety of encryption-related changes in government policies and the commercial marketplace. However, one technical issue stands out as a particular motivator: the potential development of quantum computers that would rely on phenomena of quantum mechanics to perform computation in a fundamentally different way from the computers that have been built since the 1940s. A sufficiently large-scale, fault-tolerant quantum computer could be programmed to defeat almost all of the asymmetric¹³ (i.e., public key) encryption and digital signature systems in current use on the Internet.¹⁴ Specifically, the public-key encryption and digital signature algorithms in common use on the Internet today are based on problems like factoring that would be defeated by a quantum computer.¹⁵ Public-key encryption schemes based on other mathematical hardness assumptions (such as finding

___________________

¹³ Unlike symmetric encryption systems whose origins go back millennia, asymmetric encryption systems apply a public key that can be shared widely to encrypt information, and a separate private key, related to the public key by a hard-to-solve mathematical problem, to decrypt information. Most websites and services on the Internet rely on asymmetric encryption to achieve user authentication and data protection. A loss of public key cryptographic solutions would be difficult to replace, threatening the viability of a ubiquitous Internet.

¹⁴ National Academies of Sciences, Engineering, and Medicine, 2019, Quantum Computing: Progress and Prospects, Washington, DC: The National Academies Press, https://doi.org/10.17226/25196.

¹⁵ P.W. Shor, 1997, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal on Computing 26(5):1484–1509, https://doi.org/10.1137/s0097539795293172.

a shortest vector in a high-dimensional lattice) are expected to be standardized and deployed within the decade, and have so far resisted efficient attacks even if quantum computers are built at scale.^16,17

Researchers, governments, and industry recognize the potential impact of quantum computers, and work is under way to identify, standardize, and implement “post-quantum” asymmetric encryption (and related digital signature) systems.¹⁸ However, the transition from current public-key systems to post-quantum systems will require the modification of a vast amount of software and the replacement of some hardware that is fundamental to the operation of Internet-connected computer systems. The potential impact of quantum computers and the implications of the transition to post-quantum cryptographic systems were major subjects of the committee’s work.

In addition to the potential impact of quantum computers, the committee addressed the impact of other trends in technology, policy, and society on the encryption issues that will face the Intelligence Community over the next one to two decades. The committee found that the impact of poor software and system design and implementation practices was a more significant threat to defense and a more significant opportunity for offense than the potential development of a quantum computer. Such poor practices are the norm today and offer attackers pervasive weaknesses to exploit. While some efforts are under way to improve design and implementation practices, they do not appear sufficient. This report includes findings on these issues and ways of addressing them.

OVERVIEW OF THE REPORT

Because cryptography is a technical subject, and an arcane one, the body of the report begins in Chapter 2 with an introduction to encryption and decryption (and more broadly, cryptography). Chapter 3 details the process that the committee used to identify potential scenarios for the future of encryption and its approach to selecting the scenarios that would be explored in depth. Chapter 4 provides both summaries and detailed descriptions of each of the three drivers that the committee determined to be critical in setting the path for the future of encryption. Chapter 5 summarizes the range of potential scenarios that the drivers define, presents the committee’s rationale for selecting a specific subset of those scenarios, and describes the scenarios and their implications. Chapter 6 presents a brief discussion of the implications of the drivers and scenarios for the Intelligence Community.

The committee’s findings are included in Chapters 2, 4, 5, and 6 in the context of the specific issues that motivate them. In addition, Chapter 7 summarizes the findings from the entire report.

___________________

¹⁶ Z. Brakerski and V. Vaikuntanathan, 2014, Efficient fully homomorphic encryption from (standard) LWE, SIAM Journal on Computing 43(2):831–871, https://doi.org/10.1137/120868669.

¹⁷ D. Micciancio and S. Goldwasser, 2013, Complexity of Lattice Problems: A Cryptographic Perspective, New York, Springer Science+ Business Media.

¹⁸ NIST, “Post-Quantum Cryptography,” Computer Security Resource Center, Information Technology Laboratory, https://csrc.nist.gov/projects/post-quantum-cryptography, accessed October 12, 2021.