[ziddoap]

I haven't forgotten about it, no, and I stand by my original comment.

If you introduce a deliberate weakness to your encryption, the overall security is reduced to the security level of that weakness.

Relying on NOBUS ("nobody but us") is hubris (see shadow brokers, snowden, etc.).

[tarlinian]

This just doesn't make technical sense. I completely agree that backdooring encryption standards is a bad thing. But Dual EC DRBG is a clear example of a NOBUS backdoor actually being that. The backdoor is equivalent to "knowing" a private key. The weakness is not some sort of computational reduction. Using this logic, you would say that no encryption method is possibly secure because you can't rely on its security once the key is exposed.

[ziddoap]

The reason it remained a "NOBUS" backdoor is because the whole world noticed something was funky with it pretty much immediately (even prior to standardization), and security researchers loudly told people not to use it. At that point the value of cracking open the backdoor is reduced significantly. It was standardized, and barely used except where mandated by governments, for less than 10 years.

There's no reason to think it would have remained a "NOBUS" backdoor forever. Especially if it was more widely used (i.e. higher value), and/or used for longer.

>Using this logic, you would say that no encryption method is possibly secure

I mean, to an extent that a little waterboarding will beat any encryption method, yes I would say that.

But, for 99.99% of people, your data isn't worth the waterboarding. On the flipside, a backdoor to, say, all TLS communication, would be very worth waterboarding people.