| ▲ | JumpCrisscross a day ago | |
> Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES Is this true? The NSA pushed for weaker cryptography it could break versus stronger cryptography our adversaries couldn't? | ||
| ▲ | tptacek a day ago | parent | next [-] | |
It's complicated. The federal government pushed for a smaller DES key size, but also fixed the DES s-boxes to resist differential cryptanalysis. | ||
| ▲ | mswphd 18 hours ago | parent | prev | next [-] | |
as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known. https://en.wikipedia.org/wiki/NOBUS note that there is no even candidate way the NSA would have a NOBUS-type vulnerability for ML-KEM. DUAL_EC_DRBG was known to plausibly have a NOBUS-style backdoor prior to standardization, provided you used a certain "default" generator (vs freshly generating your own). It was later discovered that the NSA payed RSA (the company) to do this. While this payment was private, the possibility of a back door was publicly known. There are no publicly known candidate backdoors for ML-KEM. The broad design of an ML-KEM-like scheme permits one ("static" matrix A), but ML-KEM was specifically designed to make this impossible ("ephemeral" matrix A). | ||
| ▲ | philodeon 17 hours ago | parent | prev | next [-] | |
DJB wrote a short history of NSA’s malicious meddling in the cryptography we all use, based on a declassified internal history of the NSA. | ||
| ▲ | rurban a day ago | parent | prev [-] | |
Sure. Everbody knows that | ||