[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Peter Fairbrother zenadsl6186 at zen.co.uk
Thu Sep 5 21:19:43 EDT 2013

BULLRUN seems to be just an overarching name for several wide programs 
to obtain plaintext of passively encrypted internet communications by 
many different methods.

While there seem to be many non-cryptographic attacks included in the 
BULLRUN program, of particular interest is the cryptographic attack 
mentioned in the Snowden papers and also hinted at in earlier US 
congressional manoeuvrings for NSA funding.

The most obvious target of attack is some widespread implementation of 
SSL/TLS, and while it might just be an attack against a reduced 
keyspace, eg password-guessing or RNG compromise, I wonder whether NSA 
have actually made a big cryptographic break against some cipher, and if 
so, against what?

Candidate ciphers are:


and key establishment mechanisms:


I don't think a break in another cipher or KEM would be widespread 
enough to matter much. Assuming NSA (or possibly GCHQ) have made a big 

I don't think it's against 3DES or RC4, though the latter is used a lot 
more than people imagine.

AES? Maybe, but a break in AES would be a very big deal. I don't know 
whether hiding that would be politically acceptable.

RSA? Well, maybe indeed. Break even a few dozen RSA keys per month, and 
you get a goodly proportion of all internet encrypted traffic. It's just 
another advance on factorisation.

If you can break RSA you can probably break DH as well.

ECDH? Again quite possible, especially against the curves in use - but 
perhaps a more widespread break against ECDH is possible as well. The 
math says that it can be done starting with a given curve (though we 
don't know how to do it), and you only need to do the hard part once per 

My money? RSA.

But even so, double encrypting with two different ciphers (and using two 
different KEMs) seems a lot more respectable now.

-- Peter Fairbrother
