[cryptography] Dual_EC_DRBG was cooked, but not AES?

Eugen Leitl eugen at leitl.org
Sun Sep 22 09:11:50 PDT 2013


----- Forwarded message from ianG <iang at iang.org> -----

Date: Sun, 22 Sep 2013 16:39:36 +0300
From: ianG <iang at iang.org>
To: cryptography at randombit.net
Subject: Re: [cryptography] Dual_EC_DRBG was cooked, but not AES?
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 22/09/13 16:05 PM, Ed Stone wrote:
> Why has AES escaped general suspicion? Are we to believe that NIST tested, selected, endorsed and promulgated an algorithm that was immune to NSA's toolset, without NSA participation and approval? NSA involvement in DES is known, but we await cryptanalysis or Snowdenesque revelations before having skepticism about AES?


NIST didn't really "test, select, endorse and promulgate" the AES
algorithm, and neither did the NSA.

The process was a competition for open cryptographers, not agencies.
It was done this way because we strongly suspected DES interference.

Some 30 algorithms were accepted in the first round, and subject to a
year or so worth of scrutiny by the same submitting teams.  This then
led to a second round of 5 competitors and another long-ish period of
aggressive scrutiny.  The scrutiny was quite fierce because the
reputations of the winners would be made, so the 5 teams did their
darndest to undermine the competition.  Many famous names were hoping
for the prize.

It is the case that NIST (and probably the NSA) selected Rijndael from
the 5 finalists.  But they did so on the basis of a lot of commentary,
and all the critics were agreed that all 5 were secure [0].

So, claiming that the NSA perverted the AES competition faces a much
higher burden.  They would have had to have done these things:

   * pervert some of the early teams,
   * pervert the selection process to enable their stooges through,
   * and design something that escaped the aggressive scrutiny
     of the losers.

It's possible, but much harder to get away with.

In contrast, with the DRBG adventure, NSA designed the process, and
tacked it onto a more internal NIST standards process.  Little or
minimal scrutiny from outside, and little or minimal perversion of
outsiders necessary in the standardisation phase (but that did come
later).



iang



[0]  At the time, myself and my team followed it, and we predicted
that Rijndael would be the winner ... just by reading all the
comments.  Note we weren't serious cryptographers, but we provided the
Java framework for the competition, so it was a
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5