Remix.run Logo
JumpCrisscross a day ago

> Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES

Is this true? The NSA pushed for weaker cryptography it could break versus stronger cryptography our adversaries couldn't?

tptacek a day ago | parent | next [-]

It's complicated. The federal government pushed for a smaller DES key size, but also fixed the DES s-boxes to resist differential cryptanalysis.

mswphd 18 hours ago | parent | prev | next [-]

as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known.

https://en.wikipedia.org/wiki/NOBUS

note that there is no even candidate way the NSA would have a NOBUS-type vulnerability for ML-KEM. DUAL_EC_DRBG was known to plausibly have a NOBUS-style backdoor prior to standardization, provided you used a certain "default" generator (vs freshly generating your own). It was later discovered that the NSA payed RSA (the company) to do this.

While this payment was private, the possibility of a back door was publicly known. There are no publicly known candidate backdoors for ML-KEM. The broad design of an ML-KEM-like scheme permits one ("static" matrix A), but ML-KEM was specifically designed to make this impossible ("ephemeral" matrix A).

philodeon 17 hours ago | parent | prev | next [-]

DJB wrote a short history of NSA’s malicious meddling in the cryptography we all use, based on a declassified internal history of the NSA.

https://blog.cr.yp.to/20220805-nsa.html

rurban a day ago | parent | prev [-]

Sure. Everbody knows that