[Cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Arnold Reinhold agr at me.com
Thu May 21 16:25:37 EDT 2015


On Wed, 20 May 2015 10:13 Ray Dillinger (Bear) wrote:

> According to the histories I've read, differential analysis
> was known at IBM.  They called it the "Tickle attack" and
> had not published a paper about it because the NSA was
> working with them on DES and had asked them not to.
> 
> Also there was not much prestige in publishing crypto papers
> at the time; as you note, the civilian crypto community was
> almost nonexistent. As far as I know cryptography wasn't a
> category in which papers were accepted by journals at that
> time, although the fundamentals behind a particular new
> crypto attack would sometimes get published in a math journal.
> 
> It certainly wasn't a category in which papers were sought
> or awards were given, nor in which civilian conferences and
> symposia were occurring.

I believe that understates the situation. I was crypto-curious when I was a grad student in math at MIT in the late 1960s and there was almost nothing in the MIT libraries on the topic except Shannon’s paper and pre-WWII hobby stuff. David Kahn’s 1967 Codebreakers was groundbreaking, but basically covered up to the 1950s and did not have much technical detail on even WW-II systems. I remember one textbook on shift register sequences that looked relevant, but had no crypto discussion. The buzz I remember was that working on cryptography could get you a visit from the government and your work could be classified with you denied clearance to see it.

I attended a briefing in 1971 by BB&N on the ARPA net where I asked about encryption. I was told that they specifically did not incorporate encryption into their work because if they did the entire project would be classified and they did not want that. Instead they intended to rely on link encryption when it was fielded for the military.

The publication of DES in 1975 was highly anticipated. I think I still have the copy I made from the Federal Register as soon as it became available. It wasn’t the first block cipher. Horst Feistel had an article on Lucifer in Scientific American in May 1973, but DES would tell us what the NSA considered strong. RSA appeared two years later in 1977.

The significance of a 56-bit key was understood almost immediately. NSA was giving us security but only so strong. But it was a benchmark and work on what could be done to do better began immediately. The publication of RSA in 1977 added another dimension to public cryptography, but DES was the big starting point.

There have been comments on the list that this was the last time NSA helped public cryptography. I don’t see how to square that with SHA-1, which was a major improvement over MD5, and SHA-2, which still seems secure. Note that both used “nothing up my sleeve numbers”, unlike the NIST elliptic curves, to reduce suspicion that they had backdoors.

Arnold Reinhold

PS: True story: A friend of mine was working on having PCs communicate across air gaps using ultrasound. He was testing out his implementation of the concept when his kids came home and said “Dad, that’s really loud.” Lends a whole new purpose to take your kids to work day.





