by Programmatic 3193 days ago
Referred from your reply to my comment[0]: algorithms can be backdoored by having a novel technique to defeat them that you have not disclosed and that has not otherwise been discovered yet. We are constantly adopting and discarding encryption algorithms that have not withstood the test of time.

If someone has gotten a jump on research and found a novel attack against their math, but the math looks good enough to convince others to use, that is an enormous advantage.

[0]: https://news.ycombinator.com/item?id=15305331

1 comment

And my rebuttal to that notion is that if the NSA has secret math that breaks a simplified, stripped down standard ARX/Feistel design, we probably have bigger problems than the NSA's preferred lightweight cipher. I'm not fond of citing Schneier, but he's an authority to a lot of people here, and look what he has to say about Speck: that it's basically an improved version of Threefish.

The "unknowable secret math" argument works both ways. As I said upthread: if you believe this, how do you rule out the possibility that ARX designs are the ones NSA can't break, that they have secret math that only works against iterated ciphers built solely on bitwise primitives, and that they published this particular cipher --- something they rarely do! --- precisely to create the kind of suspicion we're seeing on the thread?

If you want to play Kremlinology instead of talking about engineering, arguments like that are fair game too. I'd rather rule both of them out.

Of course, this could be NSA's test of community trust and an attempt to gain some goodwill. Surely they know they are not the most popular kid on the block... :)
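For readers who want to see what the "simplified, stripped down ARX design" under discussion actually consists of, here is a compact Speck implementation. It is an added illustration, not code posted in this thread and not the designers' reference code; the parameter sets and the two test vectors are the ones published in the Speck specification, and the key-word ordering follows the spec's listing order (k[m-1] ... k[0]). The entire cipher, key schedule included, is modular addition, rotation and XOR on a pair of words.

```python
# Added illustration (not from the thread): Speck in pure Python, showing that
# the cipher and its key schedule are built solely from add, rotate and xor.
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Block = Tuple[int, int]  # (x, y); x is the first word as listed in the spec


@dataclass(frozen=True)
class SpeckParams:
    word_bits: int   # n: word size, block is 2n bits
    key_words: int   # m: key is m*n bits
    rounds: int      # T
    alpha: int       # right rotation in the round function
    beta: int        # left rotation in the round function


# Parameter sets from the Speck specification: Speck32 rotates by (7, 2),
# every larger variant by (8, 3).
SPECK32_64 = SpeckParams(word_bits=16, key_words=4, rounds=22, alpha=7, beta=2)
SPECK64_128 = SpeckParams(word_bits=32, key_words=4, rounds=27, alpha=8, beta=3)
SPECK128_128 = SpeckParams(word_bits=64, key_words=2, rounds=32, alpha=8, beta=3)


class Speck:
    """Speck over word pairs. `key` is m words in spec listing order k[m-1]..k[0]."""

    def __init__(self, params: SpeckParams, key: Sequence[int]) -> None:
        if len(key) != params.key_words:
            raise ValueError(f"expected {params.key_words} key words, got {len(key)}")
        self.p = params
        self.mask = (1 << params.word_bits) - 1
        if any(w & ~self.mask for w in key):
            raise ValueError("key word does not fit the word size")
        self.round_keys = self._expand_key(tuple(key))

    # The ARX primitives: rotate right, rotate left (addition is just +).
    def _ror(self, x: int, r: int) -> int:
        return ((x >> r) | (x << (self.p.word_bits - r))) & self.mask

    def _rol(self, x: int, r: int) -> int:
        return ((x << r) | (x >> (self.p.word_bits - r))) & self.mask

    def _round(self, x: int, y: int, k: int) -> Block:
        # The whole round: x = (x >>> alpha) + y, xor k;  y = (y <<< beta) xor x
        x = ((self._ror(x, self.p.alpha) + y) & self.mask) ^ k
        y = self._rol(y, self.p.beta) ^ x
        return x, y

    def _inv_round(self, x: int, y: int, k: int) -> Block:
        # Each step is a bijection, so decryption runs the round backwards.
        y = self._ror(x ^ y, self.p.beta)
        x = self._rol(((x ^ k) - y) & self.mask, self.p.alpha)
        return x, y

    def _expand_key(self, key: Tuple[int, ...]) -> List[int]:
        # Key schedule reuses the round function, with the round index as "key".
        k = [key[-1]]                    # k[0] is the last listed word
        l = list(reversed(key[:-1]))     # l[0], l[1], ... are the remaining words
        for i in range(self.p.rounds - 1):
            l_next, k_next = self._round(l[i], k[i], i)
            l.append(l_next)
            k.append(k_next)
        return k

    def encrypt_block(self, block: Block) -> Block:
        x, y = block
        for rk in self.round_keys:
            x, y = self._round(x, y, rk)
        return x, y

    def decrypt_block(self, block: Block) -> Block:
        x, y = block
        for rk in reversed(self.round_keys):
            x, y = self._inv_round(x, y, rk)
        return x, y


def speck32_64_vector() -> Block:
    """Encrypts the Speck32/64 test vector from the spec; expected (0xa868, 0x42f2)."""
    cipher = Speck(SPECK32_64, (0x1918, 0x1110, 0x0908, 0x0100))
    return cipher.encrypt_block((0x6574, 0x694C))


def speck128_128_vector() -> Block:
    """Encrypts the Speck128/128 test vector from the spec."""
    cipher = Speck(SPECK128_128, (0x0F0E0D0C0B0A0908, 0x0706050403020100))
    return cipher.encrypt_block((0x6C61766975716520, 0x7469206564616D20))


if __name__ == "__main__":
    print("Speck32/64:   %04x %04x" % speck32_64_vector())
    print("Speck128/128: %016x %016x" % speck128_128_vector())
```

Note that there are no S-boxes, no constants beyond the round counter, and nothing in the design that is not plainly visible above; that is the property both sides of the argument are reasoning about.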