8 April 1997
Dear John,
In your letter of 13 February you state that the export of encryption is limited to:
(i) 40-bit key lengths for symmetric algorithms;In addition to this Carolyn Forsyth told the National Business Review that "an export permit would normally only be required for encryption if it was 40-bit or stronger. Most commercial algorithms are well below 40-bit strength. Almost all New Zealand exporters of software are unaffected".
(ii) 512 bits for asymmetric algorithms;
(iii) 56-bit DES for dedicated financial algorithms
Both these statements indicate that if the encryption is held below these limits there is no need to go through the lengthy and complicated export approval process. What I'm trying to determine here is what's OK to export without requiring a permit, which really slows down the export process. To take two examples, would it be correct to state that a monoalphabetic substitution cipher (a symmetric algorithm with a 2048-bit key which falls under (i) above) would not be exportable without a permit, whereas an elliptic curve cipher (an asymmetric algorithm with a 255-bit key which falls under (ii) above) would be exportable without a permit? [1]
In addition, would these conditions apply to future exports as well? There appears to have been a lot of fluctuation in conditions for exports in the last year [2], which make it a bit difficult to figure out exactly what's OK and what isn't. Are these exact conditions going to be valid for, say, the next half year or year, or are they going to change again? I'm just trying to find a particular target I can stick with which will cause the least problems [3].
Yours sincerely,
Peter Gutmann