by aftbit 655 days ago
That used to be the norm! My personal favorite story along those lines was how they proposed changes to DES S-boxes without any detailed explanation. The open community was skeptical but it later turned out that the changes they proposed protected against differential cryptanalysis[1], which was at the time not known outside the intelligence community. That said, they did cut the key size dramatically which ended up weakening DES to the point that it could be trivially brute forced by the early 2000s, which led to 3DES and AES.

1: https://www.schneier.com/blog/archives/2004/10/the_legacy_of...


they did strengthen the s-boxes against differential cryptanalysis, yes, but since 02004 we have evidence that they also sabotaged it as part of a deliberate policy they'd put in place in 01968: https://blog.cr.yp.to/20220805-nsa.html
The sleight of hand here is to equate publicly reducing the key size, which was known (presumably at the time as well) to be a weakening of the system, with a supposed weakness injected cryptically into the S-boxes --- which we now know is the opposite of what happened.

Further, the truncated version of DES that got standardized far outlasted its expected lifetime --- the National Bureau of Standards expected DES to have a useful lifetime of about 5 years. And even at the time it was understood that you could expand the key size by tripling up the DES core.

I think there's a really big difference between publicly weakening a standard, in effect telling the world "we want a standard that is adequate for commercial purposes but inadequate for military purposes, so as to retain our national edge", and doing what they did with Dual-EC, where it was impossible (apparently) for people to reason about what NSA was up to.

> and doing what they did with Dual-EC, where it was impossible (apparently) for people to reason about what NSA was up to.

Schneier was clearly able to reason about what NSA was up to, and told everyone in 2007 not to use Dual-EC, 6 years before the Snowden revelations.

I believe you have admitted that you thought that “Dual-EC has a backdoor” was a wild conspiracy theory until the Snowden revelations? Which makes the “impossible (apparently)” part a classic case of projection.

The (apparently) was a dunk on me.

(I thought nobody should use Dual EC! But that was my reason for thinking it wasn't an NSA backdoor, because it was too dumb to be one. I underestimated the industry's capacity for "dumb". Also: I was dumb! I am dumb a lot.)

And now you believe it’s impossible for any of the NIST PQC submissions to have been backdoored or weakened. I feel safer already. :D
NIST didn't design any of the PQC submissions. It did design Dual EC.
I never understood the Dual-EC backdoor. What was the point? Who would be dumb enough to use that as their CSPRNG when so many simpler, faster, and less sus options were available?

I supposed they did (allegedly) pay RSA Security to make this the default choice in BSAFE but that seems like an awful lot of work to hack one product.

That was my take too, but in fairness to everyone else who was right about this, once you stepped back and looked at the design for what it was, rather than as a weird concoction that happened to spit out random numbers, it was extremely obvious what the purpose of the design was. Another thing happening with me and Dual EC: I just know a lot more about cryptography today than I did 13 years ago. (I'm not a cryptographer; I'm a vulnerability person that happens to specialize a bit in cryptography vulnerabilities. It's a great rhetorical hedge.)

Another thing I was very certain (and certainly wrong) about was that no competent team was using BSAFE in 2010. The more I've learned about cryptography the less confidence I've held onto in industry cryptography practices outside of Google, Apple, and Microsoft. I would have assumed the major networking vendors were playing at roughly the same level. Yikes, no.

Yeah they unfortunately abused the good will they got from that. Once differential cryptanalysis was known and it was clear the NSA had strengthened the DES S-boxes, people started trusting them. And they started making lots of suggestions to various standards. Only now they were inserting back doors. It wasn’t until Snowden that the pendulum of public paranoia swung back the other way.
You're using the plural for "backdoors" there; what's the other one you're aware of?
Unless you count Clipper as a "backdoor", this article asks the same question I am. The whole point of Clipper, of course, was that keys were escrowed.
Clipper was deliberately backdoored (the key exchange had a trap door), with that backdoor only publicly found after its release. This was more than just key escrow. Why would that not count?
The entire point of Clipper was to field cryptography that NSA could break. That wasn't a later revelation. It was the understanding at the time. It's why there were "the crypto wars".
the morris hexabox shunt