[Cryptography] Speculation on the origin of Speck and Simon

[Arnold Reinhold]

I have been playing with NSA’s Speck cipher on ATtiny85 microprocessors and I happened upon Bruce Schneier’s 2013 blog on Speck and Simon’s introduction. He asks “Why was the work done, and why is it being made public? I'm curious.” This question provoked a long discussion thread. The comments fell pretty much into two schools of thought, the sneaky NSA must have some backdoor or the noble NSA is acting in its communication security role protecting the future Internet of Things. 

Here is a third possible explanation, based on the Snowden leak of NSA’s Tailored Access Organization catalog of implantable devices for compromising communications. Jacob Appelbaum revealed that NSA is using RC6 in those implants. Initial reactions to that tidbit included claims that NSA must not trust AES, but it turns out the leaked documents were written before the AES selection process was completed. RC6 was a finalist in that competition. 

Since the implants, once deployed, are out of NSA’s physical control, it is inevitable that some will be discovered by their targets and reverse engineered. So it makes sense to use a publicly available algorithm rather than a classified one. But RC6 (and AES) have relatively large code footprints. Presumably NSA wants those implants to be as small and inexpensive as possible. Small commercially available microprocessors like the Atmel AVR line have limited program space and even more limited RAM. 

So I can easily imagine that NSA would develop a suite of lighter weight ciphers for use with its implants. Publishing those ciphers eliminates any need to treat devices carrying the ciphers as sensitive material. It also provides some deniability if a device is captured.  Note that NSA not only published the algorithms themselves (https://eprint.iacr.org/2013/404.pdf), but several ways to implement them in AVR assembly code: https://eprint.iacr.org/2014/947.pdf. 

If my reasoning is correct, it suggests that these ciphers are not just curiosities from the research lab but important production tools that NSA would have put put considerable effort into validating, and that these ciphers deserve to be taken seriously.

BTW, for what its worth, the Speck 128/128 source code in the Wikipedia article works without modification on an ATtiny85. The published 128/128 test vector validates once one realizes that the 128-bit constants must stored with the low order word as the zero element of the long long word arrays. Decryption is a little trickier since one has to run the round keys in reverse. As far as I can see, the NSA has not published decryption pseudocode. Perhaps their implants have no need to decrypt, so decryption is left as an (easy enough) exercise for the reader..

Arnold Reinhold

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150818/ea6ec4a3/attachment.html>