[Cryptography] NIST Workshop on Elliptic Curve Cryptography Standards

Ray Dillinger bear at sonic.net
Sat May 16 15:20:22 EDT 2015



On 05/15/2015 07:09 PM, Ryan Carboni wrote:

> And AFAIK, the NSA curves (besides Dual_EC_DRBG) have not been proven to be
> backdoored, they've only been proven to be suspicious. How would you know
> that the NSA didn't choose the constants for additional security, like the
> DES s-boxes?

You have just named the only known intervention by the NSA to
result in stronger civilian encryption.  Literally EVERYTHING
else they've done "for the public" has not been shown to
result in stronger cryptography, and in many cases has definitely
resulted in weakened cryptography.  Their strengthening LUCIFER's
S-boxes to make DES can only be regarded as a singular anomaly
which has never been and will never be repeated.

Further, the improvement in resistance to differential analysis
came at the same time as a reduction in its resistance to brute
force, making DES equally vulnerable to less sophisticated
opponents.  Given that they (and IBM) had the advantage of
differential cryptanalysis at the time, this is a direct
violation of their current "NOBUS" policy, and definitely
would not be repeated today.

The NSA, since people were still taking them seriously at the
time, could as easily have extended LUCIFER's rounds to justify
its (pathetic) 64-bit key with 64 bits of security, but they
chose instead to shorten the key to an (even more pathetic) 56
bits reflecting its security level (given its improved S-Boxes)
to an opponent aware of differential cryptanalysis - making it
no more resistant to Joe Sixpack coding a brute-force attack
than it was to sophisticated opponents using differential
cryptanalysis.

The only real benefit to that was that it didn't have a key
size that actively misled people about its security level,
and the "obvious" attack was in fact the best attack.  Under
the NOBUS policy they would happily have left the key length
deceptively long allowing people to believe their encryption
64-bit secure, probably with the "benefit" of holding off
3DES' adoption for an additional couple of years.

So whatever reputation capital they got for strengthening
DES, they spent long ago. And overspent. Their reputation
on strengthening civilian crypto at this point?  They are
the adversary, not the defender.  That's how deep the hole
they've dug themselves into has gotten.

			Bear
