
The Mathematics Community and the NSA [pdf] - Paananen
http://www.ams.org/notices/201502/rnoti-p165.pdf
======
Conduit19
The author repeatedly refers to the NSA operating within the bounds of the law
and set policy. Do not be fooled by that decoy. Yes, they may be operating
legally; but therein lies the fundamental problem: the law and policy are lax,
to put it gently.

~~~
briandear
And thus, we are to blame. When was the last time anyone voted for a candidate
based on their privacy stance? Can anyone name a presumptive presidential
candidate who has spoken out against NSA abuses? I can name one but I'd get
downvotes just for mentioning his name.

The simple tragedy is that most Americans don't have the time or inclination
to understand the nuances of the issue -- at least not to a degree that they'd
vote on that issue.

Most people seem to think "higher taxes bad; tax the rich; end welfare;
increase welfare; no free school lunches; more free lunches.." People seem to
be almost binary in their understanding of the issues of the day.

Let's hope that changes. The fact is that most people can at least understand
the idea of online privacy, but when it comes to issues like illegal file
sharing or similar things that aren't in the mainstream for your average
person, the passion for the issue is muted.

If, for example, there were high profile cases that made the national news
about Grandma getting violated in a detrimental way by the NSA, then maybe the
issue would gain traction. However, privacy violations typically happen to
either a "criminal" or "someone else." So the issue is ignored.

It's everyone's issue, but the issue hasn't been well framed. It's the same
logic used to get traffic cameras installed: "If you ain't doing anything
wrong, then it shouldn't matter."

Frustrating.

~~~
abecedarius
I did vote for Obama in 2008 because he promised no more warrantless wiretaps
and in general seemed the least-bad 'realistic' (as in Schelling-point) choice
for civil liberty. (I did not in 2012.) I agree that not nearly enough people
give creeping totalitarianism its proper priority in voting; for the
foreseeable future some other sort of action is needed.

------
Perseids
Whatever justifications the NSA comes up with, the crux with Dual_EC_DRBG
remains: Either they are as malicious as is now publicly believed and those
points were indeed generated with an included backdoor. Or they are stupid
enough to endorse an RNG that is slow, not provably secure and may even
contain a backdoor.

Extending on the provably secure part: There actually are constructions that
allow you to reduce the discrete logarithm problem to the one-way property and
to the pseudo randomness property of the RNG. And without such a proof, what
is the benefit of a slow elliptic curve RNG anyway?

Regarding the backdoor part: Even for the NSA the potential of a backdoor is a
problem, because every division has to trust the person that has actually
generated the points. And as the Dual_EC_DRBG was used by the DoD, this person
potentially has the keys to some very sensitive parts of the kingdom.

~~~
AngrySkillzz
Pardon me if I'm misinterpreting you, but isn't the existence of one-way
functions equivalent to P != NP? So far we definitely haven't proved/disproved
that one-way functions exist, so any primitive that relies on them is not
provably secure.

More generally, I don't think there are any CSPRNGs that are actually provably
secure; please correct me if I'm wrong. The proofs all rely in some way on
problems that are conjectured to be hard, which depends on P != NP. This isn't
necessarily the case, if we could devise an algorithm that depends on a
decidable problem harder than NP-complete, but I don't think we have proved if
any such problems exist.

Edit: On reflection, I think the parent is saying that there was never a proof
published that Dual_EC_DRBG is reducible to a hard problem, and without that
we cannot even say whether Dual_EC_DRBG is as secure as other PRNGs that can
be shown to be related to hard problems.

~~~
swordswinger12
To say that something is reducible to a conjectured hard problem is what
'provably secure' means in cryptography. Also, cryptographic hardness is not
trivially relatable to P vs. NP, especially for hardness assumptions used to
build public-key systems. For example, a poly-time factoring algorithm would
_not_ prove P == NP, but it would break RSA.

~~~
AngrySkillzz
Good point, thanks. It looks like a few of them, including factorization and
the discrete log problem, are conjectured to be NP-intermediate; that is, NP
but neither P nor NP complete. However, this class may actually be empty, and
is only non-empty if P != NP.

If P = NP, NP-intermediate is necessarily empty, so problems like
factorization would be P = NP = NP-complete. You're right, though: the
existence of a (classical) polynomial-time factorization algorithm doesn't
solve P = NP.

------
pfortuny
"The international war on terrorism" (by the end). Sorry: despite whatever he
says, this is totally out of place. As long as you use the (buzz)word war, you
open the door to exceptional "security" measures.

~~~
bainsfather
He also mentions 'piracy' (the data sharing kind, I presume) - it seems he
will stoop to using any convenient buzzword/bogeyman.

~~~
wtbob
Why would you assume 'piracy' doesn't refer to actual piracy? It's a fairly
big deal in several parts of the world.

~~~
black_beard
Because you don't need a strong cipher to send text messages like "Yo-ho-ho,
and a bottle of rum."

~~~
schoen
Presumably pirates favor arrrr-C4 or arrrr-SA (both of them invented by Ronald
Rivest.)

------
bainsfather
"The remaining 25 percent" [of reported 'illegal' interceptions] ", about 700
in total, were human error (e.g., typing mistakes). Put into perspective, the
average analyst at NSA makes a compliance mistake once every ten years."

This does not reassure me.

First, those are only the 'mistakes' that were detected and reported - which
independent body is doing the oversight?

Secondly, he says that their staff are just about perfect (an error rate of 1
per 10 years) whilst at the same time saying that the errors were typing
mistakes.

It is sad to see a mathematician reduced to such deceit.

~~~
xnull1guest
First, note how the only numbers addressed are the '2,776 instances publicly
known'. So from the start we're working with unreasonable numbers. But let's
run with it.

Hmm. If the average number of mistakes an analyst makes is 0.1 per year and
there were 700 mistakes only, this means 7000 analysts (or do we need to model
this as a Poisson distribution?). Is 7,000 analysts reasonable? Anyone have
more details on this?

The NSA has said that it performs about 20 million queries a month, or 240
million queries a year. If these are done by analysts that's 16 manual queries
an hour or 130 a day assuming a standard work week. That seems reasonable. Or
at least reasonable"ish". [240,000,000 / 7,000 / (5/7 * 8 * 365)]

But it would also imply an error rate of 700/24,000,000 = 0.000002917 (which
is absurd, if the errors are presumably due to 'typos').

------
nabla9
>Using aggregate numbers, of the exceedingly small proportion of the world’s
foreign communications we access, NSA algorithms filter out approximately
99.998 percent of the data it sees.

Keeping 0.002% seems like just a little bit of data, but is it?

79% of the Internet traffic is video. If you filter out almost all video
content and other uninteresting transfers to everyone (50 companies deliver
more than half of all Internet traffic), I think you can retain all metadata
and all or most unique text-based communications. A speech-to-text filter can
keep metadata and at least a huge number of keywords from all phone
conversations.

~~~
Terr_
"Don't worry. Sure, the thief left with all your cash, jewelry, IDs, tax
information, and private documents... But 99.998% of the mass contained by
your house is still there! Honestly, if it's less than 100kg it's not even
worth getting upset about."

Yeah, it's a stupid statistic designed to mislead, since the metric bears no
real relationship to the impact or severity of the act.

I wonder how the NSA would react if a spy browsed all their top-secret
documents, but made copies of "only 0.002%" of them?

------
jackmaney
In 2007--8, I was trying to leave my academic position and join the NSA as a
mathematician. It didn't end up working out. That was an enormous blow at the
time: with the cycle of academic contracts, I had to choose whether to not
sign or to defer the NSA job until the end of the next academic year. I chose
the former, and the provisional job offer fell through.

In the end, though, it was probably for the best. When Snowden first hit the
news, all I could think of was "there but for the grace of the gods go I."

------
schoen
See also Matthew Green's response:

[http://blog.cryptographyengineering.com/2015/01/hopefully-la...](http://blog.cryptographyengineering.com/2015/01/hopefully-last-post-ill-ever-write-on.html)

~~~
jdp23
and yesterday's discussion at
[https://news.ycombinator.com/item?id=8888635](https://news.ycombinator.com/item?id=8888635)

------
charonn0
> Filtering algorithms decide what material is defeated, i.e., neither
> collected nor stored for analysis.

This is one of the NSA's definitions I disagree with. Filtering _is_
collection and analysis, the only difference is the government agent
performing the search is an algorithm.

------
discardorama
I'm sorry, but to me this reads like an apology[* ] letter targeted to future
(and current) employees, because of all the bad publicity they have received.
They're probably having a hard time recruiting, hence this smoke.

[* ] for some very weak definition of 'apology'

------
cyphunk
The author sounds like a nice guy/gal but they seem to have selectively
forgotten several facts. First, the NSA's Dual_EC_DRBG was used as the default
in some RSA products. Is it debatable that RSA was not paid for this (the $10m
claim)? But this is not the only episode quoted as a reason to consider NSA
malice. The Bullrun program? And his/her employer's constant lies?

If your employer is using your work for malice without telling you, and lying
to many of their clients (the public)... stop kidding yourself just because
they were nice to you and paid for your PhD.

------
jackgavigan
It's good that the NSA are seeking to be more open and transparent.

A few things I'm curious about, though...

> _The NSA-generated elliptic curve points were necessary for accreditation
> of the Dual_EC_DRBG but only had to be implemented for actual use in certain
> DoD applications._

Why did the NSA-generated elliptic curve points have to be included in the
standard for it to be accredited?

Why did those points _have_ to be used for certain DoD applications? Why not
use random points?

And why was it necessary for those points to be included in the standard? Why
not leave it up to the implementer to decide what points to use?
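The property that Perseids' comment (the person who generated the points "has
the keys") and jackgavigan's questions ("why not use random points?") both turn
on can be shown on a toy curve: whoever knows the scalar relating P and Q can
recover the generator's internal state from a single output block and predict
everything that follows. The code below is an added example written for this
thread; it is not code from the thread, from the article, or from any NIST or
NSA document. It assumes the textbook curve y^2 = x^3 + x + 6 over F_11 (13
points, prime order), a constructed base point, a constructed trapdoor scalar
d, and a constructed seed; the 16-bit output truncation of the real generator
is omitted, so the only ambiguity the observer has to resolve is the sign of
the y-coordinate. The same algebra applies unchanged on P-256, which is why the
provenance of Q, not the strength of the curve, is the question that matters.

```python
# Toy Dual_EC_DRBG with a trapdoor relation between P and Q.
# Constructed parameters: y^2 = x^3 + x + 6 over F_11 has 13 points (prime
# order), so every nonzero scalar below 13 yields a finite point and b = 6 is a
# non-residue, so no point has x = 0. Nothing here resembles real parameters.

P_MOD, A, B = 11, 1, 6
INF = None  # the point at infinity


def curve_order(p, a, b):
    """Count points with Euler's criterion; brute force is fine for tiny p."""
    n = 1  # the point at infinity
    for x in range(p):
        rhs = (x**3 + a*x + b) % p
        if rhs == 0:
            n += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            n += 2
    return n


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over F_P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 is the negation of p1
    if p1 == p2:
        lam = (3*x1*x1 + A) * pow((2*y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam*lam - x1 - x2) % P_MOD
    y3 = (lam*(x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    if pt is INF:
        raise ValueError("toy parameters were chosen so this cannot happen")
    return pt[0]


N_ORDER = curve_order(P_MOD, A, B)          # 13 for these constructed parameters
P_GEN = (2, 4)                              # base point P (constructed)
D_TRAPDOOR = 5                              # secret scalar: Q = d*P (constructed)
Q_SUSPECT = ec_mul(D_TRAPDOOR, P_GEN)       # the "second point" of the standard
E_TRAPDOOR = pow(D_TRAPDOOR, -1, N_ORDER)   # e with P = e*Q, the usable trapdoor


def dual_ec_step(state, P, Q):
    """One Dual_EC round: r = x(sP); new state = x(rP); output = x(rQ)."""
    r = x_coord(ec_mul(state, P))
    new_state = x_coord(ec_mul(r, P))
    output = x_coord(ec_mul(r, Q))  # the real spec drops 16 bits here; toy keeps all
    return new_state, output


def dual_ec_outputs(seed, nsteps, P, Q):
    """Honest user: run the generator from a seed and collect outputs."""
    s, outs = seed, []
    for _ in range(nsteps):
        s, out = dual_ec_step(s, P, Q)
        outs.append(out)
    return outs


def candidate_states(output, e, P, Q):
    """Lift the observed x back to the point(s) rQ; then e*(rQ) = rP, whose
    x-coordinate is the next internal state. Both signs of y give the same x."""
    states = set()
    for y in range(P_MOD):
        if (y*y - (output**3 + A*output + B)) % P_MOD == 0:
            states.add(x_coord(ec_mul(e, (output, y))))
    return states


def predict_future(observed, e, P, Q, n_future):
    """Trapdoor holder: recover the state from observed[0], confirm it against
    the rest of the observed outputs, then predict n_future further outputs."""
    for s in candidate_states(observed[0], e, P, Q):
        consistent = True
        for expected in observed[1:]:
            s, out = dual_ec_step(s, P, Q)
            if out != expected:
                consistent = False
                break
        if not consistent:
            continue
        future = []
        for _ in range(n_future):
            s, out = dual_ec_step(s, P, Q)
            future.append(out)
        return future
    return None  # no candidate matched: e is not the trapdoor for this (P, Q)


if __name__ == "__main__":
    outs = dual_ec_outputs(7, 6, P_GEN, Q_SUSPECT)      # seed 7 is constructed
    print("generator output:", outs)
    print("predicted from two blocks:",
          predict_future(outs[:2], E_TRAPDOOR, P_GEN, Q_SUSPECT, 4))
```

Two things to take from running it. First, `predict_future` needs only the
published points and `e`; the seed never appears on the observer's side, so the
"randomness" of the seed buys nothing against whoever chose Q. Second, an
implementer who picks Q by a verifiable process (or derives it from P by hashing
to the curve, so that no one knows d) makes `candidate_states` useless, which is
exactly why fixing the points in the standard, rather than leaving them to the
implementer, is the decision the thread keeps returning to.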

