# [Cryptography] Opening Discussion: Speculation on "BULLRUN"

ianG iang at iang.org
Sat Sep 7 03:30:20 EDT 2013

```On 7/09/13 03:58 AM, Jon Callas wrote:

>> Could an encryption algorithm be explicitly designed to have properties like this?  I don't know of any, but it seems possible.  I've long suspected that NSA might want this kind of property for some of its own systems:  In some cases, it completely controls key generation and distribution, so can make sure the system as fielded only uses "good" keys.  If the algorithm leaks without the key generation tricks leaking, it's not just useless to whoever grabs onto it - it's positively hazardous.  The gun that always blows up when the bad guy tries to shoot it....
>
> We know as a mathematical theorem that a block cipher with a back door *is* a public-key system. It is a very, very, very valuable thing, and suggests other mathematical secrets about hitherto unknown ways to make fast, secure public key systems.

I'm not as yet seeing that a block cipher with a backdoor is a public
key system, but I really like the mental picture this is trying to create.

In order to encrypt to that system, one needs the (either) key.  If
everyone has it (either) the system is ruined.

A public key system is an artiface where one can distribute the public
key, and not have to worry about the system being ruined;  it's still
perfectly usable.  Whereas with a symmetric system with two keys, either
key being distributed ruins the system.

One could argue that the adversary would prefer the cleaner, more
complete semantics of the public key system -- maybe that is what the
theorem assumes?  But if I was the NSA I'd be happy with the compromise.
I'm good at keeping *my key secret* at least.

iang
```