From eugen@leitl.org Sun Sep 22 12:11:53 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?
Date: Sun, 22 Sep 2013 18:11:50 +0200
Message-ID: <20130922161150.GN10405@leitl.org>

----- Forwarded message from ianG -----

Date: Sun, 22 Sep 2013 16:39:36 +0300
From: ianG
To: cryptography(a)randombit.net
Subject: Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 22/09/13 16:05 PM, Ed Stone wrote:
> Why has AES escaped general suspicion? Are we to believe that NIST tested, selected, endorsed and promulgated an algorithm that was immune to NSA's tool set, without NSA participation and approval? NSA involvement in DES is known, but we await cryptanalysis or Snowdenesque revelations before having skepticism about AES?

NIST didn't really "test, select, endorse and promulgate" the AES algorithm, and neither did the NSA. The process was a competition for open cryptographers, not agencies. It was done this way because we strongly suspected DES interference.

Some 30 algorithms were accepted in the first round, and subject to a year or so worth of scrutiny by the same submitting teams. This then led to a second round of 5 competitors and another long-ish period of aggressive scrutiny. The scrutiny was quite fierce because the reputations of the winners would be made, so the 5 teams did their darndest to undermine the competition. Many famous names were hoping for the prize.

It is the case that NIST (and probably the NSA) selected Rijndael from the 5 finalists. But they did so on the basis of a lot of commentary, and all the critics were agreed that all 5 were secure [0].

So, claiming that the NSA perverted the AES competition faces a much higher burden. They would have had to have done these things:

* pervert some of the early teams,
* pervert the selection process to enable their stooges through,
* and design something that escaped the aggressive scrutiny of the losers.

It's possible, but much harder to get away with.

In contrast, with the DRBG adventure, NSA designed the process, and tacked it onto a more internal NIST standards process. Little or minimal scrutiny from outside, and little or minimal perversion of outsiders necessary in the standardisation phase (but that did come later).

iang

[0] At the time, myself and my team followed it, and we predicted that Rijndael would be the winner ... just by reading all the comments. Note we weren't serious cryptographers, but we provided the Java framework for the competition, so it was a
_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5