Peter Gutmann
24 Durness Pl.

8 April 1997

John Borrie
International Security and Arms Control Division
Ministry of Foreign Affairs and Trade
Private Bag 18 901

Dear John,

In your letter of 13 February you state that the export of encryption is limited to:

(i) 40-bit key lengths for symmetric algorithms;
(ii) 512 bits for asymmetric algorithms;
(iii) 56-bit DES for dedicated financial algorithms

In addition to this, Carolyn Forsyth told the National Business Review that "an export permit would normally only be required for encryption if it was 40-bit or stronger. Most commercial algorithms are well below 40-bit strength. Almost all New Zealand exporters of software are unaffected".

Both these statements indicate that if the encryption is held below these limits there is no need to go through the lengthy and complicated export approval process. What I'm trying to determine here is what's OK to export without requiring a permit, which really slows down the export process. To take two examples, would it be correct to state that a monoalphabetic substitution cipher (a symmetric algorithm with a 2048-bit key which falls under (i) above) would not be exportable without a permit, whereas an elliptic curve cipher (an asymmetric algorithm with a 255-bit key which falls under (ii) above) would be exportable without a permit? [1]

In addition, would these conditions apply to future exports as well? There appears to have been a lot of fluctuation in conditions for exports in the last year [2], which makes it a bit difficult to figure out exactly what's OK and what isn't. Are these exact conditions going to be valid for, say, the next half year or year, or are they going to change again? I'm just trying to find a particular target I can stick with which will cause the least problems [3].

Yours sincerely,

Peter Gutmann

[1] The intent was to determine whether MFAT (who wouldn't know a monoalphabetic substitution cipher from a hole in the ground) or the GCSB were running things.

[2] This is a considerable understatement. Since they were making the policy up as they went along, it changed every time I asked about it.

[3] The intent was to determine whether the current situation was just a transient condition, or was likely to continue for some time.