[Cryptography] Simon, Speck and ISO

dj at deadhat.com dj at deadhat.com
Wed Oct 22 16:17:59 EDT 2014


The entirely non cryptographic issue goes like this:

If country X doesn't like country Y's backdoored RNG standard, they can
write their own backdoored RNG spec and refuse import of devices not
complying with the local national standard. The WTO will be fine with

However if there's an international standard (E.G. an ISO standard),
approved by the national bodies, then when they try to ban imports, the
WTO will not be fine with it.

It so happens that one well known backdoored RNG spec is copy-and-pasted
into ISO/IEC 18031. So this spec is being opened up again.

So if you're in the business of selling chips around the world that
contain hopefully non-backdoored parts of said specs, you want to be able
to keep selling your products, so you're interested in fixing the steaming
pile that is currently in ISO/IEC 18031.

That's why I'm here in Mexico City.

In passing, the NSA turned up and proposed adding Simon and Speck as the
only lightweight block ciphers in ISO.

It's not ideal that the only internationally standardized lightweight block
ciphers come directly from the organization that gave us the dual-ec-drbg.

Since I expect to be at the next meeting, I'd be happy to propose some
alternatives with better provenance and I don't know a better place to
find a pithy put down of dodgy standards than right here on this list.
