Question
I have read in Applied Cryptography that the NSA is the largest hardware buyer and the largest mathematician employer in the world.
- How can we reason about the symmetric ciphers cryptanalysis capabilities of code-breaking agencies like the NSA or GCHQ given that they have performed first class unpublished cryptographic research for the last ~40 years?
- What sort of computational lower bounds can we establish on an attack against these ciphers, given that these agencies may have unpublished and unknown cryptanalysis techniques of utility equivalent to differential cryptanalysis (we only know about differential cryptanalysis because someone outside the NSA/IBM rediscovered it)?
For example, could we have developed a good lower bound on the ease of finding collisions in MD5 without knowledge of differential cryptanalysis?
This question is restricted to symmetric ciphers.
Explanation / Answer
Most vulnerabilities in block ciphers are related to key security. Successful attacks have not been practical against anything except key sizes smaller than 256 bits or fewer rounds of encryption.
Since there are no variables to be selected for AES except the S-box and the P-box, the Holy Grail is key management. Lateral attacks against AES rely on bad management or mistakes in implementation (weak PRNGs, timing attacks, bit injection, selective plaintexts, etc.).
Given this, one would assume an attacker would not spend resources on breaking the harder problem (AES), but rather on attacking the easier problem (lateral attacks). Reading the slides for PRISM, the cost of the program is way too low to include any sort of computationally intensive pursuits. It's not a far leap to infer PRISM being a key sharing effort.
Several accounts seem to indicate the NSA are actively subverting security on the standards level or in collusion with software developers. If either proposition is true, any serious cryptographer needs to use systems where every component is known and excludes closed source operating systems and software black boxes.
These are all concerns that would weigh more heavily on my mind than the feasibility of the NSA having anything less than a brute-force vector against AES.
Luminaries of the field concur, even in light of the Snowden expositions. Bruce Schneier has access to the Snowden documents and says that the math is sound but the software is buggy and that is how the NSA decrypts the forked datastreams.