[aaronmdjones]

Wrong. 2048-bit RSA has an effective security level of approximately 112 bits, just like 3-DES. If you want 256 bits of security, you go all the way up to 15360-bit RSA. That's why Elliptic Curve systems are so attractive: they involve operations that are more costly per-bit, but the required key sizes to meet a security level are much less. Ofcourse, Elliptic Curve Cryptography as specified by NIST has its own downsides (e.g. the 3 most common curves, prime256v1, secp384r1, and secp521r1 (128 bits, 192 bits, and 256 bits of security respectively) have constants that were chosen arbitrarily by NSA with no explanation).

[rthomas6]

Though when the NSA has done things like this in the past, we've found their choices prevented implementation weaknesses that weren't found (by anyone else) for several more years.

[Bartweiss]

Can you follow up on that? I've never heard that story and I'm really curious.

On the narrower point, though, it's been shown that Dual_EC_DRBG is broken, and that the NSA values compromised the implementation instead of strengthening it.

[hatsunearu]

S boxes in DES were originally nonexistent/vulnerable to differential cryptanalysis when IBM first made Lucifer.

[jschwartzi]

When has this happened? I'm curious about things that could cast the NSA in a positive light.

[danielvf]

The DES standard's S-Boxes were changed by the NSA in the 1970s. It was long thought that this was to weaken them. However in the 1990's differential cryptanalysis was publicly discovered, and the NSA's changes to the S-boxes were found to have hardend DES agaist differential cryptanalysis.

[PeCaN]

Now here's something fascinating. According to https://en.wikipedia.org/wiki/Differential_cryptanalysis#His..., IBM discovered differential cryptanalysis in the 1970s when designing DES. They opted to keep it a secret, given its general applicability against ciphers. It is unclear whether IBM shared it with the NSA or the NSA discovered it independently, but there's strong evidence that both IBM and the NSA were aware of differential cryptanalysis well before the public discovery in the 90s.

¹ This has what looks like a good citation but requires a subscription to access the relevant paper (sigh).