It appears that you’re saying that PX-1000cr isn’t an example of an NSA backdoor or that the article breaking the cipher in the PX-1000cr is incorrect?
It seems like you’re either very aware of how NSA backdoors work and you’re misleading people for some reason or you don’t know what you’re talking about, you’re being hopeful and you are ignoring the evidence that NSA inserts backdoors which can be broken by others. Assuming the latter in good faith, I’m afraid to inform you that you’re simply incorrect.
Do you dispute that the secret key for the Q Parameter in Dual EC may be recovered by anyone with a CRQC? This is assuming that they exist, and if they don’t or won’t exist, why does NSA concern themselves with pq crypto? I agree that someone stealing the key is a different effort but either could have answered your question of what the key is - so the technique is largely irrelevant, but I take your more narrow point and will engage it.
If NSA isn’t misleading us to deploy broken crypto with their pq standardization push, then they probably don’t consider the Q parameter in Dual EC to be a NOBUS backdoor. After all, by your argumentation NOBUS is forever, isn’t it?
There are other backdoored systems pushed by NSA and some are still in use. I assure you, they can be broken in a weekend by someone with the relevant computer science and mathematical background. The trick for finding it is to realize your core assumption is wrong.
One system NSA built was purpose built to trick a community of interest, and it worked. The core break is in the RNG - the RNG only generates keys from a small subset of all possible keys. The users of this system have no clue.
Do you really suggest that this kind of NSA backdoor doesn’t exist and that evidence of it means that it isn’t NSA who did it? It again seems ahistorical of you.
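An added example (not code from this thread or from any system it names) of the kind of check a defender can run against the failure described above, a generator whose keys come from a small subset of the keyspace: sample keys and use the birthday bound to estimate the effective entropy from collisions. The weak generator and its 16-bit seed space are constructed for the demonstration.

```python
import hashlib
import math
import random
import secrets
from collections import Counter

NOMINAL_KEY_BITS = 128

def weak_keygen(rng, seed_bits=16):
    # Constructed "backdoored" generator: a 128-bit key derived from a seed with
    # only seed_bits of entropy, so at most 2**seed_bits distinct keys can occur.
    seed = rng.getrandbits(seed_bits)
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:NOMINAL_KEY_BITS // 8]

def honest_keygen():
    # Keys drawn from the full 2**128 space via the OS CSPRNG.
    return secrets.token_bytes(NOMINAL_KEY_BITS // 8)

def effective_entropy_bits(keys):
    """Birthday-bound estimate of the keyspace behind a set of sampled keys.
    n uniform draws from a space of size N give about n(n-1)/(2N) colliding
    pairs; solving for N yields log2(N) as the effective entropy. With zero
    collisions we only learn N is likely above n(n-1)/2, so (bits, True) is
    returned as a lower bound rather than an estimate.
    """
    n = len(keys)
    pairs_possible = n * (n - 1) // 2
    colliding_pairs = sum(c * (c - 1) // 2 for c in Counter(keys).values())
    if colliding_pairs == 0:
        return math.log2(pairs_possible), True
    return math.log2(pairs_possible / colliding_pairs), False

def audit(keygen, samples=5000, nominal_bits=NOMINAL_KEY_BITS, slack_bits=8):
    # Flag a generator whose observed collisions imply an effective keyspace
    # more than slack_bits smaller than the key length it advertises.
    keys = [keygen() for _ in range(samples)]
    bits, lower_bound = effective_entropy_bits(keys)
    suspicious = (not lower_bound) and bits < nominal_bits - slack_bits
    return bits, lower_bound, suspicious

def run_weak_audit(seed=2024):
    # Fixed seed so the run against the constructed weak generator is repeatable.
    rng = random.Random(seed)
    return audit(lambda: weak_keygen(rng))

if __name__ == "__main__":
    print("weak:  ", run_weak_audit())       # roughly 16 bits, flagged
    print("honest:", audit(honest_keygen))   # lower bound only, not flagged
```

The estimate only says something once collisions appear, so a generator with, say, 40 bits of real entropy needs on the order of a million samples before this test can see it.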
It seems like you’re either very aware of how NSA backdoors work and you’re misleading people for some reason or you don’t know what you’re talking about
I am explaining that I see two options and I pick the second in good faith. I believe I am participating according to the rules, or at least I am attempting to do so in good faith.
One is innuendo, the second one is an insult. In good faith or not, neither is 'participating according to the rules' since both are explicitly mentioned there as things not to do.
I respectfully disagree. It certainly isn’t intended as an insult!
One looks like astroturfing performed without a valid basis against cited examples shared in good faith, the other appears to be a mistake in analysis which I am pointing out in good faith. It’s probably an honest mistake, the history here is intentionally obscured by large-scale adversaries.
I do believe that the second is just a mistake and I do not intend it as an insult. I would appreciate it if you could please assume good faith with my responses and additionally hear me when I say it is in good faith a mistake of analysis. I think that his analysis is simply wrong, and my citations are evidence for why I think this is so.
You don't have to agree but you can't call people NSA shills and you can't tell people they don't know what they're talking about. That's just how this forum works - don't put that kind of thing in your comments. It's not a high or difficult bar to meet.
I did not intend, nor do I think I called the parent an NSA shill. If it comes across as that, I apologize.
The parent clearly says that it is hard to get a bead on what he is arguing. I tried to explain what people may hear or see and I do believe that some people might not be able to see the latter but only the former, fair or not, but I only endorsed the latter.
I guess I should make clear that I think the parent is simply mistaken and that I don’t think he is a shill. It’s not intended as an insult to say there is a mistake of analysis, as I said the topic is very difficult and also often very contentious.
I’m saying this in response to the parent's claim of it being hard to get a bead on what he is arguing. I’m answering that as two possible ways to read it and I emphasize the latter. I did not accuse, I tried to explain what I think people take from his argumentation.
My words included two options, one of which includes those words — and I disowned the first option. Please read it again and then read his comment again. Selective quoting won’t change that I was providing a reflection of two possible reads of his comments, and I endorsed the latter in good faith. If you think my first option is unreasonable as a characterization to write down, I’m not sure how I can more clearly express that this is a reading that someone can fairly arrive at - I just think it’s wrong. I provided these two options because he could rephrase his comments to avoid the first one entirely to sharpen his argument. If the parent hadn’t expressed that it was “hard to get a bead” I wouldn’t have provided the first option as feedback to try to express the possible “beads” in question.
If you don’t think there are people who are actively misleading people on this topic or that a comment can’t be read that way, I think we should agree to disagree. People will read a lot of things in this area in bad faith and they are also often wrong because there is intentional obfuscation by large-scale adversaries.
Look, dude, I don't care about this NSA shill stuff, and you're not doing your arguments any favors trying to super-duper-duper explain what you really meant by dropping innuendo into the thread. Just stop talking about it and move on. Now you know that HN is super picky about "shillage" arguments. We can be done talking about it.
I'm having trouble even following what you're saying here. A cryptographically-relevant quantum computer breaks all conventional elliptic curve cryptography, not just NSA's backdoor. Everything we're talking about is irrelevant if NSA can break curves with quantum computers.
The point is that if the RNG didn’t artificially add elliptic curves in the form of a back door, even a CRQC wouldn’t be able to break the RNG. Grover can be assumed to reduce the security by roughly ~N/2. A design with a sufficiently large N isn’t going to fall to a CRQC generally. The design of Dual EC which includes a backdoor is strictly worse than a design without a low hanging Q to attack.
NSA expects and is pushing the idea that there will be a CRQC. NSA does not say they will be the only people with a CRQC, and so their hold on a monopoly to exploit Dual EC isn’t forever and will someday be in the domain of a person with a laptop (and access to a CRQC).
I think your entire argument boils down to "there's no such thing as a NOBUS backdoor because practical quantum computing breaks Dual EC". OK. Super interesting point.
I pointed out two specific cryptographic backdoors. One follows from your premise - a regular person can’t just bust Dual EC because it is based on a hard problem. That’s true for now but it’s also the exception as far as I can tell. Other backdoors by NSA don’t all share that property.
The other example of an NSA backdoor is the DES replacement known as the PX-1000cr cipher. It is claimed also to be a backdoor from NSA but by your framing, it can’t be an NSA backdoor because it was broken by Stef on his laptop without much of a budget. Your framing suggests that because someone found it and broke it, it can’t be an NSA NOBUS backdoor. But as I pointed out even the Dual EC backdoor has limits and so your standard seems unreasonable.
Then there is DES itself which was intentionally weakened by NSA. IBM wanted 64 bits, NSA wanted fewer bits and at the time, Hellman said DES should have twice the bits. Between Hellman and NSA, I guess we know who won.
NSA doesn’t only want NOBUS backdoors. They want almost anything that gets them plaintext first in a reliable manner, and things related to long term security come a far distant second, if at all, as we see in the analysis of the PX-1000cr research.
Also yeah, having a quantum computer will give everyone the secret key for the Q in Dual EC. Recording that traffic now will probably have a payoff for non-NSA adversaries later if a CRQC is really coming. Who knows if that will happen, but we know NSA is exploiting fear of that happening to push for new cryptography that isn’t a hybrid design including some kind of ECC.