[Cryptography] Opening Discussion: Speculation on "BULLRUN"

ianG iang at iang.org
Sat Sep 7 03:30:20 EDT 2013

On 7/09/13 03:58 AM, Jon Callas wrote:

>> Could an encryption algorithm be explicitly designed to have properties like this?  I don't know of any, but it seems possible.  I've long suspected that NSA might want this kind of property for some of its own systems:  In some cases, it completely controls key generation and distribution, so can make sure the system as fielded only uses "good" keys.  If the algorithm leaks without the key generation tricks leaking, it's not just useless to whoever grabs onto it - it's positively hazardous.  The gun that always blows up when the bad guy tries to shoot it....
> We know as a mathematical theorem that a block cipher with a back door *is* a public-key system. It is a very, very, very valuable thing, and suggests other mathematical secrets about hitherto unknown ways to make fast, secure public key systems.

I'm not as yet seeing that a block cipher with a backdoor is a public 
key system, but I really like the mental picture this is trying to create.

In order to encrypt to that system, one needs the (either) key.  If 
everyone has it (either) the system is ruined.

A public key system is an artifice where one can distribute the public 
key, and not have to worry about the system being ruined;  it's still 
perfectly usable.  Whereas with a symmetric system with two keys, either 
key being distributed ruins the system.

One could argue that the adversary would prefer the cleaner, more 
complete semantics of the public key system -- maybe that is what the 
theorem assumes?  But if I was the NSA I'd be happy with the compromise. 
I'm good at keeping *my key secret* at least.
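The following is an added toy model of the construction behind the "backdoored block cipher is a public-key system" claim; it is not code from the thread, from Jon Callas, or from any real cipher. The assumption it makes explicit is the one the theorem needs: the back door is a trapdoor embedded in the algorithm's *published* constants (here a deliberately tiny textbook-RSA modulus `TRAPDOOR_N`, exponent `TRAPDOOR_E`), while the designer's private trapdoor `TRAPDOOR_D` is never part of the algorithm description. The per-message symmetric key `k` plays the role of ianG's "either key": it is chosen fresh by the sender, never distributed, and only the trapdoor holder can recover it from the ciphertext. All names, the keystream construction (SHA-256 in counter mode) and the primes are constructed for illustration and are insecure by design.

```python
"""Toy model: a symmetric cipher whose published constants hide an RSA
trapdoor, viewed as a public-key system.  Constructed example, insecure."""
import hashlib
import os

# --- constants that ship with the cipher's public description -------------
# Constructed toy primes; a real trapdoor would use a 2048-bit-plus modulus.
_P, _Q = 1000003, 1000033
TRAPDOOR_N = _P * _Q          # part of the "algorithm": effectively the public key
TRAPDOOR_E = 65537

# The designer's private trapdoor.  NOT part of the algorithm description.
_PHI = (_P - 1) * (_Q - 1)
TRAPDOOR_D = pow(TRAPDOOR_E, -1, _PHI)   # modular inverse, Python 3.8+


def _keystream(key: int, n: int) -> bytes:
    """SHA-256 in counter mode, keyed by the session key (toy PRF)."""
    out = b""
    counter = 0
    while len(out) < n:
        block = key.to_bytes(16, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def gen_key() -> int:
    """Ordinary symmetric key, chosen by whoever encrypts.  Kept < N so the
    trapdoor can recover it exactly."""
    return int.from_bytes(os.urandom(8), "big") % (TRAPDOOR_N - 2) + 2


def encrypt(key: int, plaintext: bytes) -> tuple:
    """Backdoored cipher: the ciphertext carries key^e mod N alongside the
    keystream-masked body.  Anyone holding `key` can decrypt normally."""
    leak = pow(key, TRAPDOOR_E, TRAPDOOR_N)
    ks = _keystream(key, len(plaintext))
    return leak, bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: int, ciphertext: tuple) -> bytes:
    """Legitimate symmetric decryption: needs the session key."""
    _leak, body = ciphertext
    ks = _keystream(key, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def recover_key(trapdoor_d: int, ciphertext: tuple) -> int:
    """Designer's path: the leak field is RSA-encrypted `key`; the private
    exponent recovers it without ever having been given the key."""
    leak, _body = ciphertext
    return pow(leak, trapdoor_d, TRAPDOOR_N)


def trapdoor_decrypt(trapdoor_d: int, ciphertext: tuple) -> bytes:
    return decrypt(recover_key(trapdoor_d, ciphertext), ciphertext)


# --- the same objects re-labelled as a public-key system -----------------
def pk_encrypt(plaintext: bytes) -> tuple:
    """Public-key encryption to the trapdoor holder: public key == the
    cipher description (N, e).  Sender picks a fresh key and discards it."""
    return encrypt(gen_key(), plaintext)


def pk_decrypt(ciphertext: tuple) -> bytes:
    """Private-key decryption: private key == the trapdoor d."""
    return trapdoor_decrypt(TRAPDOOR_D, ciphertext)


if __name__ == "__main__":
    msg = b"hello, cryptography list"   # constructed sample plaintext
    k = gen_key()
    ct = encrypt(k, msg)
    print("symmetric decrypt ok :", decrypt(k, ct) == msg)
    print("trapdoor recovers key:", recover_key(TRAPDOOR_D, ct) == k)
    print("pk round trip ok     :", pk_decrypt(pk_encrypt(msg)) == msg)
```

The mapping is the whole point: publishing the cipher, trapdoor constants included, is exactly publishing `(N, e)`, and the only secret the designer must keep is `d`. The session key `k` is never distributed by anyone, so the "either key leaks, system ruined" objection applies to an individual ciphertext, not to the public-key system the designer obtains.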
