Distrustful US Allies Force Spy Agency To Back Down In Encryption Fight

schwit1 shares a report from Reuters: An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies. In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques -- those least likely to be vulnerable to hacks -- to address the concerns.

You reap what you sow

[93+Escort+Wagon]

" In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them."

The NSA is widely believed to have done exactly this when it recommended particular elliptic curve constants quite a few years back.

Once you've betrayed people's trust, you're going to have a hard time convincing them you're worth trusting with anything that matters ever again.

Re:Dual EC DRBG stuff...old news

[swillden]

New "ciphers".

Specifically, two new families of block ciphers called SIMON and SPECK. These ciphers are designed to be extremely fast, which is good because although AES is fairly fast on "big" hardware" or on large quantities of data, it can be a bit sluggish when used in extremely constrained environments on small amounts of data. In particular, its key schedule its heavy, so changing keys is slow. SIMON has been designed to make it particularly cheap in purpose-built hardware while SPECK is designed for very fast software implementations. Both are very, very fast on both hardware and software, though. The 128-bit version (block size and key size) of SPECK, for example, encrypts at about 1.25 cycles per byte on an i5 on long messages, and is almost as good on short messages. That's crazy fast.

Academic cryptanalysis of the ciphers has so far shown them to be quite solid, with a very good margin of security (meaning that cryptanalysts have only been able to break significantly cut-down versions of the ciphers, quite far from full versions).

Same trick.

Possible, but doubtful. In fact, the experience with Dual EC DRBG actually makes it significantly less likely, IMO. They tried to pull the trick with that, but it didn't work because academics discovered the mathematical structure that made the backdoor possible. That has to make them worried that the same thing would happen again, and in fact the trick would be much harder to pull off with symmetric block ciphers. The thing about elliptic curves is that they have rich mathematical structure which can be exploited in clever ways (this is what makes them useful for public key cryptography) by choosing the right curves. But symmetric key block ciphers like SIMON and SPECK don't have that, making it much harder to design back doors in.

It's not impossible that the NSA has some technique that can break these ciphers -- which are actually quite similar to ciphers produced by public cipher designers -- but it really seems unlikely. Nevertheless, once burned twice shy. I don't blame standards bodies for being reluctant and waiting for public cipher designers to produce algorithms with the desirable properties of SIMON and SPECK, but without the concern about origin.

Re:One time pads

[HiThere]

The key doesn't need to be the same length as the cleartext, it can be considerably shorter. This does weaken the encoding, but not fatally. You just need to encrypt the message before you encode it with the one-time pad with a code that's difficult to recognize. The more you shorten the key, the weaker the encoding, but shortening it by 50% is still quite safe if you use a decent encryption of the cargo.

Perfection isn't impossible, but is hideously expensive.

That said, any code that depends on factoring large primes is weak when used against quantum computers. And they may not be here today, but I wouldn't make strong bets about next year in secret government offices. So if it's worth it to you, by all means use one-time pads. And most of the expense of using them is in the transmission of the info, so you might as well use the most secure version. You can get a pretty good set of random numbers by processing a web cam of a candle flame, but turning that into terabytes of good random numbers could take awhile.