[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Jon Callas jon at callas.org
Fri Sep 6 00:33:31 EDT 2013

On Sep 5, 2013, at 8:24 PM, Jerry Leichter <leichter at lrw.com> wrote:

>>> Another interesting goal:  "Shape worldwide commercial cryptography marketplace to make it more tractable to advanced cryptanalytic capabilities being developed by NSA/CSS." ... This makes any NSA recommendation *extremely* suspect.  As far as I can see, the big push NSA is making these days is toward ECC with some particular curves.  Makes you wonder.
>> Yes, but. The reason we are using those curves is because they want them for products they buy. 
> They want to buy COTS because it's much cheaper, and COTS is based on standards.  So they have two contradictory constraints:  They want the stuff they buy secure, but they want to be able to break in to exactly the same stuff when anyone else buys it.  The time-honored way to do that is to embed some secret in the design of the system.  NSA, knowing the secret, can break in; no one else can.  There have been claims in this direction since NSA changed the S-boxes in DES.  For DES, we now know that was to protect against differential cryptanalysis.  No one's ever shown a really convincing case of such an embedded secret hack being done ... but now if you claim it can't happen, you have to explain how the goal in NSA's budget could be carried out in a way consistent with the two constraints.  Damned if I know....
>>> (I know for a fact that NSA has been interested in this area of mathematics for a *very* long time:  A mathematician I knew working in the area of algebraic curves (of which elliptic curves are an example) was recruited by - and went to - NSA in about 1975....
>> I think it might even go deeper than that. ECC was invented in the civilian world by Victor Miller and Neal Koblitz (independently) in 1985, so they've been planning for breaking it even a decade before its invention. 
> I'm not sure exactly what you're trying to say.  Yes, Miller and Koblitz are the inventors of publicly known ECC, and a number of people (Diffie, Hellman, Merkle, Rivest, Shamir, Adleman) are the inventors of publicly known public-key cryptography.  But in fact we now know that Ellis, Cocks, and Williamson at GCHQ anticipated their public key cryptography work by several years - but in secret.
> I think the odds are extremely high that NSA was looking at cryptography based on algebraic curves well before Miller and Koblitz.  Exactly what they had developed, there's no way to know.  But of course if you want to do good cryptography, you also have to do cryptanalysis.  So, yes, it's quite possible that NSA was breaking ECC a decade before its (public) invention.  :-)

What am I trying to say?

I'm being a bit of a smartass. I'm sorry, it's a character flaw, but it's one that amuses me. I'll be blunt, instead.

There is a lot of discussion here -- not really so much from you but in general --  that in my opinion is fighting the last war. Sometimes that last war is the crypto wars of the 1990s, but sometimes it's WWII. Yeah, yeah, if you don't remember history you'll repeat it, but we need to look through the windshield, not the rear view mirror.

My smartassedness was saying that by looking at the past, gawrsh, maybe we're seeing a time machine!

The present war is not the previous one. This one is not about crypto. It involves crypto, but it's not *about* it. The bright young things of 1975 who went to work for the NSA wrote theorems and got lifetime employment. The bright young things of 2010 write shellcode and are BAH contractors.

There are two major trends that are happening. One is that they're hitting the network, not the crypto. Look at Dave Aitel's career, not your mathematician friend. Aitel is one of the ones that got away, and what he talks about is what we're seeing that they are doing. If you have to listen to one of the old school mathematicians, listen to Shamir -- they go around crypto. (And actually, we need to look not at Aitel as he left in 2002, but the bright young thing who left last year, but I think I'm making my point.)

The other major trend is that outsourcing, contracting and other things ruined the social contract between them and the people who work there. (This reflects the other other problem which is that the social contract between them and us seems to be void.) Nonetheless, Aitel and others left and are leaving because no longer do they tap you on the shoulder in college and then there's the mutual backscratching of a lifelong career. Now a contractor knows that when the contract is over, they're out of a job. And when the contractor sees malfeasance that goes all the way up to the Commander-in-Chief, they look at what their employment agreement said, as well as the laws that apply to them.

If you're in that environment and you see malfeasance, you go to your superior and it's a felony not to. If your superior is part of the malfeasance, you go to your superior's superior. If it goes all the way up to the CiC, then some sharp, principled kid who is just a contract sysadmin just might put a lot of files on a laptop and decide they have to go to We The People, who are, after all, the ultimate superior.

