[Cryptography] composing EC & RSA encryption?

Phillip Hallam-Baker phill at hallambaker.com
Sat Oct 31 11:42:57 EDT 2015


On Thu, Oct 29, 2015 at 11:22 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> ianG <iang at iang.org> writes:
>
>>Before, we seemed comfortable with the trend to ECC as the future.  Now, it's
>>not clear.
>
> Well, only if you're a dedicated NSA entrails-reader.  If you look at the
> NSA's recent decision about Suite B, there are two things there, the move off
> Suite B and the attempt to find a replacement.  The move off Suite B is no
> surprise, the NSA are simply admitting that after a decade of fruitless
> attempts to get anyone interested in it (outside of organisations with a
> government gun pointed at their heads, who had no choice), no-one wanted it.
> They were in the same position they were in before Suite B in terms of people
> not being able to take advantage of COTS products, it still didn't solve the
> Type-1-algorithm product problem.  So this is just admitting defeat after a
> decade of not making any progress, not some admission of hitherto-unknown
> security holes in Suite B.
>
> The second issue is what to replace Suite B with.  They could have said "AES,
> '25519, and SHA2, and we're done".  Instead, they're pushing yet another white
> elephant to follow on from their previous herd.  After all this time they
> still don't understand how COTS actually works.

They now have a pretty unique challenge. They are charged with
protecting information security for the US govt. while simultaneously
having been caught boasting internally about their attempts to
undermine those efforts.

The NSA is not a monolithic organization and it doesn't have a single
view. The folk we talk to are almost exclusively from the civilian
side where all the expertise lies. The folk who set policy are the
management class who are exclusively military. And those are the
people who represent the organization in Congress and the WH.

The US military hasn't really thought about defense except in terms of
attacking and annihilating the enemy since the civil war. The Snowden
papers read as a group of majors campaigning for promotion to colonel
by stroking the egos of the generals with stories of their daring
conquests. War is so much more fun when you don't have to even
mention to the President what you are up to. Cyberwar is their new
growth opportunity. The US govt already spends a trillion dollars a
year on militarism and the generals would very much like to add cyber
as a new, fifth domain with a 25% increase in funds to match.

They aren't used to accountability either, or having their ideas
challenged. The US culture of deference to the military is peculiar
and dangerous: We will honor the sacrifices of the enlisted man of
life and limb by never questioning the actions of the generals who
decided those sacrifices were necessary. Of course, not being a US
citizen, I have a somewhat different perspective to those who are. We
went through the imperial phase once as well.

The civilian side knows about this of course and so do many retired
senior NSA generals. They understand that cyber isn't like any other
form of warfare, it is like terrorism, a domain where the great powers
and in particular the West are uniquely vulnerable. We can't terrorize
ISIS and not for lack of trying. The torture chambers of Abu Ghraib,
Gulag at Guantanamo, the daily drone strikes only make them worse. We
can't win an offensive cyber-war but we keep trying. Stuxnet may have
delayed the Iranian nuclear program by a month. It is still launched
daily with payloads targeting us.

If you are in a glass house, it is a bad plan to throw stones at stone
throwers with an inexhaustible supply of ammunition.

So the NSA is in the position of having unique expertise in the field
and is uniquely untrustworthy and they are trying to lead without
being visible.

The Suite B advice does make sense as input from the civil side. Right
now it is clear that ECC is suddenly starting to move. I expect to see
ECC become the default in crypto apps in the next 5 years. Suite B was
developed a decade ago, it reflects a different era of cryptographic
assumptions.

At this point it is clear that Suite B isn't going to be the standard
for public key crypto. The CFRG algorithms will - unless they do
something deranged. But those aren't finished yet and certainly not in
a form that the US govt can endorse. So the NSA move makes perfect
sense, they withdraw the advice that is about to be rendered obsolete
rather than suffer a visible defeat and they remind folk that they
have expertise and knowledge the rest of us don't. Specifically, they
know if they have a Quantum Computer and we do not.

I expect that what we will see is that when CFRG is completed, those
algorithms will be endorsed by NIST. Then there will be a major
bureaucratic fight in 2017 when the next administration takes over and
attempts to transfer responsibility for cyber-defense from NSA being
the primary lead to NIST or some new agency in the civil sector.
