by kragen 654 days ago
they did strengthen the s-boxes against differential cryptanalysis, yes, but since 02004 we have evidence that they also sabotaged it as part of a deliberate policy they'd put in place in 01968: https://blog.cr.yp.to/20220805-nsa.html

The sleight of hand here is to equate publicly reducing the key size, which was known (presumably at the time as well) to be a weakening of the system, with a supposed weakness injected cryptically into the S-boxes --- which we now know is the opposite of what happened.

Further, the truncated version of DES that got standardized far outlasted its expected lifetime --- the National Bureau of Standards expected DES to have a useful lifetime of about 5 years. And even at the time it was understood that you could expand the keysize by tripling up the DES core.

I think there's a really big difference between publicly weakening a standard, in effect telling the world "we want a standard that is adequate for commercial purposes but inadequate for military purposes, so as to retain our national edge", and doing what they did with Dual-EC, where it was impossible (apparently) for people to reason about what NSA was up to.

> and doing what they did with Dual-EC, where it was impossible (apparently) for people to reason about what NSA was up to.

Schneier was clearly able to reason about what NSA was up to, and told everyone in 2007 not to use Dual-EC, 6 years before the Snowden revelations.

I believe you have admitted that you thought that “Dual-EC has a backdoor” was a wild conspiracy theory until the Snowden revelations? Which makes the “impossible (apparently)” part a classic case of projection.

The (apparently) was a dunk on me.

(I thought nobody should use Dual EC! But that was my reason for thinking it wasn't an NSA backdoor, because it was too dumb to be one. I underestimated the industry's capacity for "dumb". Also: I was dumb! I am dumb a lot.)

And now you believe it’s impossible for any of the NIST PQC submissions to have been backdoored or weakened. I feel safer already. :D

NIST didn't design any of the PQC submissions. It did design Dual EC.

NIST didn’t design Dual-EC, NSA did. But NIST did the really hard work, which involved slapping their organization’s name on it, and not asking any inconvenient questions.

Thankfully we found a better way that ensures cryptographic security, which is to get former NSA interns to write the PQC standards, instead of proper NSA employees.

I never understood the Dual-EC backdoor. What was the point? Who would be dumb enough to use that as their CSPRNG when so many simpler, faster, and less sus options were available?

I suppose they did (allegedly) pay RSA Security to make this the default choice in BSAFE but that seems like an awful lot of work to hack one product.

That was my take too, but in fairness to everyone else who was right about this, once you stepped back and looked at the design for what it was, rather than as a weird concoction that happened to spit out random numbers, it was extremely obvious what the purpose of the design was. Another thing happening with me and Dual EC: I just know a lot more about cryptography today than I did 13 years ago. (I'm not a cryptographer; I'm a vulnerability person that happens to specialize a bit in cryptography vulnerabilities. It's a great rhetorical hedge.)

Another thing I was very certain (and certainly wrong) about was that no competent team was using BSAFE in 2010. The more I've learned about cryptography the less confidence I've held onto in industry cryptography practices outside of Google, Apple, and Microsoft. I would have assumed the major networking vendors were playing at roughly the same level. Yikes, no.
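The "look at the design for what it was" point above is easiest to see in code. What follows is an added example, not code from the thread and not from any Dual_EC_DRBG implementation: a miniature of the Dual-EC structure on a 13-point toy curve (y^2 = x^3 + x + 6 over F_11, a textbook curve) with a constructed seed, a constructed trapdoor value e such that P = e*Q, and one dropped bit in place of the real design's 16. Everything else (the state update s = x(s*P), the output r = x(s*Q) with top bits discarded) mirrors the published structure. Whoever knows e recovers the generator's internal state from two consecutive outputs and predicts every output after that.

```python
# Added example (not from the thread): toy Dual-EC-style DRBG on a tiny curve,
# showing why a fixed point pair (P, Q) with a designer-known relation P = e*Q
# is a trapdoor. Curve, seed and trapdoor value e are all constructed here.
P_MOD, A, B = 11, 1, 6          # y^2 = x^3 + x + 6 over F_11: 13 points, prime order
DROP_BITS = 1                   # the real Dual_EC_DRBG discards the top 16 bits of x
KEEP_BITS = P_MOD.bit_length() - DROP_BITS
MASK = (1 << KEEP_BITS) - 1     # 0b111: outputs keep the low 3 bits of x

def add(p1, p2):
    """Affine point addition on the toy curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def points_with_x(x):
    """All curve points with the given x-coordinate (brute force; p is tiny)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]

# Designer's choice (constructed): Q is a curve point and P = e*Q for a secret e.
# Anyone who knows e can run recover_state() below; nobody else can.
TRAPDOOR_E = 5
Q = (2, 7)
P = mul(TRAPDOOR_E, Q)          # (3, 6)

class ToyDualEC:
    """s_i = x(s_{i-1} * P); r_i = x(s_i * Q); output = low bits of r_i."""
    def __init__(self, state, P, Q):
        self.s, self.P, self.Q = state % P_MOD, P, Q

    def next(self):
        self.s = mul(self.s, self.P)[0]             # advance the state
        r = mul(self.s, self.Q)[0]                  # derive the output point
        return r & MASK                             # truncate

def recover_state(out_i, out_next, e, Q):
    """Attacker with the trapdoor e (P = e*Q): from two consecutive outputs,
    recover s_{i+1}. Only the discarded bits of x(s_i*Q) have to be guessed
    (2 guesses here, 2^16 in the real design)."""
    for hidden in range(1 << DROP_BITS):
        x = out_i | (hidden << KEEP_BITS)
        if x >= P_MOD:
            continue
        pts = points_with_x(x)
        if not pts:
            continue                                # no point has this x
        R = pts[0]                                  # R = +/-(s_i*Q); e*R has the same x either way
        s_next = mul(e, R)[0]                       # x(e*s_i*Q) = x(s_i*P) = s_{i+1}
        if (mul(s_next, Q)[0] & MASK) == out_next:  # confirm against the following output
            return s_next
    return None

def demo(seed=7, n_predict=6):
    """Observe two outputs, recover the state, predict the outputs that follow."""
    gen = ToyDualEC(seed, P, Q)
    o1, o2 = gen.next(), gen.next()
    s_recovered = recover_state(o1, o2, TRAPDOOR_E, Q)
    clone = ToyDualEC(s_recovered, P, Q)
    predicted = [clone.next() for _ in range(n_predict)]
    actual = [gen.next() for _ in range(n_predict)]
    return predicted, actual

if __name__ == "__main__":
    pred, act = demo()
    print("predicted:", pred)
    print("actual:   ", act)
```

The defender's lesson is the structure, not the toy numbers: the generator is only as secret as the relation between P and Q, and the person who published those points is the only one who can prove (or not) that no such e is known. A Q generated by the user, or derived from P in a verifiable way, leaves nobody holding e, which is why fixed, unexplained constants in a DRBG are a design smell rather than a detail.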