
Distrustful U.S. allies force spy agency to back down in encryption fight - petethomas
http://www.reuters.com/article/us-cyber-standards-insight/distrustful-u-s-allies-force-spy-agency-to-back-down-in-encryption-fight-idUSKCN1BW0GV
======
tptacek
SIMON and SPECK are both pretty straightforward block cipher designs. You can
implement them in less than 100 lines of code. There are no s-boxes or weird
constants. Unlike a lot of what NSA designs, they were published formally,
with design papers that included rationales. The software-optimized cipher
(SPECK) is a simple ARX design. The hardware-optimized cipher (SIMON) uses
bitwise operations instead of AND. This is pretty mainstream stuff. It is very
unlikely that they harbor backdoors.

(The point of both algorithms is to provide scalable low-profile crypto,
instantiable at very small key and block sizes; this is something you'd want
if you were, for instance, building an encrypted IoT scheme on
microcontrollers).

That doesn't mean they should be international standards; maybe it makes sense
that after Dual EC, the NSA doesn't have a shot at producing a global standard
for low-profile encryption. But however well justified, it's mostly a
political decision, not a technical one.

~~~
wallace_f
>it's mostly a political decision, not a technical one.

Is there a good reason to trust the NSA's motivations?

The NSA's stated motivation from the article:

>encryption tools [...] without requiring a lot of computer processing power.

But it was noted that:

>“There are probably some legitimate questions around whether these ciphers
are actually needed,” said Curtis Dukes, who retired earlier this year.
Similar encryption techniques already exist, and the need for new ones is
theoretical, he said.

The NSA's purpose is as a spy agency. No matter how effective that clear coat
they're selling you might actually be, they're probably selling you on
something you really don't need because it has a benefit to their purpose.

~~~
tptacek
No, there's no reason to trust the NSA's motivations. I'm just not sure what
the NSA's motivations have to do with this.

If you're asking, "do we actually need lightweight ciphers", well, the NSA
isn't the only organization designing them; it's a whole field of research. If
you want cryptographic security on machines that don't have multipliers and
count their capacity for program text space in single-digit kilobytes, you're
probably going to reach for special-purpose designs.

~~~
Programmatic
Running an algorithm chosen by an attacker with extensive resources is
foolhardy, because you can never be certain that your resources are sufficient
to detect a trap carefully hidden by their resources. We have a history of the
NSA performing attacks and standards subversion. Why accept their potential
trojan horse when you can have algorithms designed by those without that
checkered past, keep up the same amount of scrutiny for potential trojan
horses, and have decreased odds of a backdoor being present if the provider is
more trustworthy?

It seems that taking motivations into account could lead you into a false
sense of security, but that if you keep up the same amount of security and
distrust known bad actors that you increase it.

~~~
tptacek
See
[https://news.ycombinator.com/item?id=15304634](https://news.ycombinator.com/item?id=15304634).

------
phkahler
This article is full of choice quotes. The TL;DR is that the NSA through its
own actions has violated people's trust:

“I don’t trust the designers,” Israeli delegate Orr Dunkelman, a computer
science professor at the University of Haifa, told Reuters, citing Snowden’s
papers. “There are quite a lot of people in NSA who think their job is to
subvert standards. My job is to secure standards.”

Chris Mitchell, a member of the British delegation, said he supported Simon
and Speck, noting that “no one has succeeded in breaking the algorithms.” He
acknowledged, though, that after the Dual EC revelations, “trust, particularly
for U.S. government participants in standardization, is now non-existent.”

“How can we expect companies and citizens to use security algorithms from ISO
standards if those algorithms come from a source that has compromised
security-related ISO standards just a few years ago?” - Christian Wenzel-Benner.

These are coming from Israel, Britain, and Germany - all close US allies.

I'm not a crypto guy, but I looked at Speck. The code is really clean and
efficient. If it's secure that's really awesome. But how is anyone supposed to
trust it given the past actions of its creator?

~~~
betterunix2
Keep in mind that the past actions of the NSA also include _strengthening_ DES
and _strengthening_ SHA-1. The NSA also designed Skipjack for public use (in
the Clipper chip), which was eventually declassified, and which was apparently
designed in good faith and remains secure (up to the 80 bit level it was
designed for).

Also keep in mind that the DUAL_EC backdoor was discovered within a year of
its publication; SIMON and SPECK were published years ago and nobody has found
or suggested a backdoor (plenty of people have been analyzing the ciphers).
ARX designs have been proposed by plenty of other cryptographers, so nothing
about the SIMON or SPECK designs would immediately raise eyebrows _other than
the fact that the NSA proposed them_.

Personally, I doubt that the effort to subvert standards involves backdoors,
which are pretty hard to hide and pretty easy to avoid (DUAL_EC is the only
credible candidate for a backdoor, it was discovered quickly, and it was not
widely used). It seems more likely that the effort involves (this is all
speculation):

1. Making standards more complex than necessary.

2. Making standards more sensitive to bad randomness (e.g. DSA signatures).

3. Making standards where constant-time implementations are harder or slower.

In other words, they have pushed for standards that are harder to securely
implement and easy to use insecurely. Why bother with backdoors when you can
exploit common and easy-to-make mistakes? Given their expertise in spotting
and exploiting these kinds of bugs, the NSA can probably satisfy the
"information assurance" mission by vetting / correcting implementations used
by the government, at least for the most important government secrets (most
government communication would just use COTS; of course, most government
communication is of limited value to foreign governments).
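
Point 2 in the comment above names DSA signatures as the kind of standard that is "sensitive to bad randomness". The following is an added illustration, not code from the thread or from any standard: a textbook DSA over a deliberately small, reproducible toy group (a 64-bit safe prime found at import time, far below real DSA sizes) in which two signatures made with a repeated per-signature nonce k hand over the private key, next to a simplified RFC 6979-style derivation of k that takes the RNG out of the signing path. The group construction, `deterministic_k`, and the two `demo_*` functions are this example's own; `deterministic_k` follows the idea of RFC 6979 but is not the exact specification.

```python
"""DSA's dependence on per-signature randomness: a reused nonce k leaks the private key x;
a nonce derived deterministically from (key, message) removes that failure mode."""
import hashlib, hmac, secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic Miller-Rabin bases for n < 3e23


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin, sufficient for the ~64-bit moduli built below."""
    if n < 2:
        return False
    for a in MR_BASES:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group():
    """Constructed toy parameters: smallest safe prime p = 2q + 1 with q > 2**63 (reproducible search,
    far below real DSA sizes). g = 4 is a quadratic residue mod p and therefore has order exactly q."""
    q = (1 << 63) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = toy_group()
QLEN = (Q.bit_length() + 7) // 8


def h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, k: int):
    """Textbook DSA; k must be secret, uniform in [1, q-1] and never repeated under one key."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick a fresh k")
    return r, s


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def deterministic_k(x: int, msg: bytes) -> int:
    """Simplified RFC 6979 idea (not the exact spec): k = HMAC(key, H(msg)) mod q, so signing
    needs no RNG, the same message always gets the same k, and distinct messages get distinct k."""
    ctr = 0
    while True:
        mac = hmac.new(x.to_bytes(QLEN, "big"), hashlib.sha256(msg).digest() + bytes([ctr]),
                       hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % Q
        if k:
            return k
        ctr += 1


def key_from_reused_nonce(m1, sig1, m2, sig2):
    """Equal r in two signatures under one key is the tell-tale of a repeated k (a cheap audit
    check over a signature log). With r1 == r2: s1 - s2 = k^-1 (h1 - h2), which yields k and then x."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None
    k = (h(m1) - h(m2)) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r1, -1, Q) % Q


def demo_nonce_reuse():
    """Model a broken RNG that hands out the same k twice: both signatures verify, yet x is exposed."""
    x, y = keygen()
    m1, m2 = b"transfer 10 to alice", b"transfer 10 to bob"   # constructed sample messages
    k = secrets.randbelow(Q - 1) + 1
    sig1, sig2 = sign(x, m1, k), sign(x, m2, k)
    assert verify(y, m1, sig1) and verify(y, m2, sig2)
    return x, key_from_reused_nonce(m1, sig1, m2, sig2)


def demo_deterministic():
    """Same messages with derived nonces: repeatable, verifiable, and nothing to recover."""
    x, y = keygen()
    m1, m2 = b"transfer 10 to alice", b"transfer 10 to bob"
    sig1 = sign(x, m1, deterministic_k(x, m1))
    sig2 = sign(x, m2, deterministic_k(x, m2))
    same = sig1 == sign(x, m1, deterministic_k(x, m1))
    return verify(y, m1, sig1) and verify(y, m2, sig2), same, key_from_reused_nonce(m1, sig1, m2, sig2)
```

`demo_nonce_reuse()` returns the generated private key and the value recovered from the two signatures alone; they are equal. `demo_deterministic()` returns `(True, True, None)`: signatures verify, signing the same message twice is byte-identical, and the recovery routine finds nothing because the two `r` values differ. The same algebra applies to ECDSA, which is why deterministic or hedged nonces are the usual mitigation.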

~~~
phkahler
Agreed. My non-expert suspicion is that Speck is secure and simple. The point
is that we can no longer assume that's the case coming from the NSA and people
in other countries don't trust them.

One could get out their tinfoil hat (as another poster did) and suggest that
the allies are publicly questioning it so people don't adopt simple and secure
encryption. After all, the result of their vote is that it does not become a
standard.

In the end we have to go by actual analysis. As it should be.

------
sowbug
This is a short 2013 Bruce Schneier article about SIMON and SPECK:
[https://www.schneier.com/blog/archives/2013/07/simon_and_spe...](https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html)

They're "lightweight" block ciphers; SIMON is designed for optimal performance
in hardware implementations, and SPECK for software. According to the NSA PDF,
"The relatively new field of lightweight cryptography addresses security
issues for highly constrained devices." Indeed, SIMON is about a third of the
hardware gate requirement of AES, and SPECK is about 15% the number of flash
bytes. Some of the space savings is from skipping ciphertext/plaintext
whitening.

~~~
pbhjpbhj
I hadn't heard of whitening before: sounds like it's a simple change of the
plaintext prior to full encryption, in the example at Wikipedia it's an XOR
operation.

[https://en.m.wikipedia.org/wiki/Key_whitening](https://en.m.wikipedia.org/wiki/Key_whitening)

Presumably something like rot13 would count as whitening? Also, assuming the
name comes from analogy with "white noise", ie reducing signal quickly,
cheaply?

~~~
alexbeloi
Key whitening is about expanding the key space, not changing the plaintext
prior to encryption (which might be called data whitening).

Say you encrypt a message M with key K1 and get encrypted message E:
encrypt(M, K1) = E. An attacker might brute force your encryption, if your key
space is small this might be an issue. So what you can do is XOR the message
with another key K2 before encryption and a third key K3 after encryption to
get: E = encrypt(M XOR K2, K1) XOR K3. Now the attacker has three keys to
brute force. (though I think the actual effective key size is between 2x and
3x the length if the attacker knows the message distribution)

I'm not an expert but I imagine XOR is popular because it's a basic logical
operator and so has gate level hardware implementations.

~~~
eadmund
I suspect that XOR is popular because of the property that XORing data cannot
reduce its entropy: 128 truly random bits XOR zero* are still 128 truly random
bits. The benefit you get if you XOR is that _if_ there are mathematical
correspondences in your data, you are likely to hide them by XORing with some
key.

------
kbutler
It seems like the compromise (dispose of the more lightweight versions while
retaining the "most robust" version) still leaves the possibility of an NSA-known vulnerability.

Maybe the "most robust" version is harder for the NSA to break, maybe the NSA
doesn't know of a way to break it, or maybe the NSA just proposed the
lightweight versions so they'd have room to negotiate, and have just achieved
exactly what they hoped.

I'm glad other countries are suspicious of the NSA, but I'm not sure that
distrust goes far enough.

Bruce Schneier's [thanks tptacek] 2013 opinion on the presence of an NSA-known
backdoor: "maybe, but I don't think so."

His post today is also interesting, saying the ISO "rejects" (which seems a
bit stronger than the source article):
[https://www.schneier.com/blog/archives/2017/09/iso_rejects_n...](https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html)

He concludes [2017]: "I don't trust the NSA, either."

~~~
tptacek
It's "Schneier", not "Schneider".

This is one of those things where, if NSA can break 128/128 SPECK, we probably
have bigger problems than SPECK.

------
Panino
If SIMON and/or SPECK are NOBUS-breakable, then NSA probably has an unknown
cryptanalytic technique that would likely threaten other widely used ciphers.
Certainly possible but unlikely. However, that's not the issue IMO.

Instead of blindly supporting or rejecting an author, we should insist on
public crypto competitions which are the best route for obtaining well-tested,
studied, and trusted ciphers.

There are decent correlations between:

* crypto that's been de jure standardized before deployment and bad crypto (DUAL EC, DNSSEC, etc.)
* crypto that's been through a public competition before deployment and good crypto (Salsa20, Argon2)
* crypto that's been de facto standardized and good crypto (Curve25519, Signal protocol, etc.)

As an aside, high-level APIs like in NaCl, libsodium, libtls (from LibreSSL),
etc. are a new, in-progress form of de facto standardization. It would be hard
to introduce a new low-level general-purpose crypto library and attract major
adoption.

~~~
tptacek
Nacl/Sodium and libtls aren't suitable for small-footprint computing. That's
probably why there's so much interest in lightweight ciphers: it's hard to get
a lot of real-world attention for a new block cipher design targeting general-purpose computers, but there's no (de facto or de jure) standard lightweight
cipher.

~~~
CiPHPerCoder
Have you had a chance to look at libhydrogen?

[https://github.com/jedisct1/libhydrogen](https://github.com/jedisct1/libhydrogen)

------
b3lvedere
Why do they need to use encryption mechanisms that were invented by an
organization which has been known to abuse these mechanisms?

"The Americans distributed a 22-page explanation of its design and a summary
of attempts to break them"

That doesn't really sound like a peer review :)

~~~
tptacek
SIMON and SPECK have received peer review:

[https://scholar.google.com/scholar?hl=en&q=speck+cipher&btnG...](https://scholar.google.com/scholar?hl=en&q=speck+cipher&btnG=&as_sdt=1%2C14&as_sdtp=)

~~~
Chaebixi
Peer review isn't a panacea. It's totally possible that the NSA knows of a
vulnerability or class of vulnerabilities that the rest of the peer review
community doesn't. The cipher could be bad but still pass peer review (or it
could be better than publicly known, like DES was).

In any case, it seems like the NSA was dragging its feet in trying to fully
explain the designs (from the OP):

> Finally, at a March 2017 meeting in Hamilton, New Zealand, the Americans
> distributed a 22-page explanation of its design and a summary of attempts to
> break them - the sort of paper that formed part of what delegates had been
> seeking since 2014.

Given they're more recent history, I'd be mistrustful. It seems to me that the
design of a good cipher should be done totally in the open, so any
vulnerabilities are inadvertent. This includes explaining the design and the
decisions and trade-offs that brought you there.

~~~
ethbro
_> It seems to me that the design of a good cipher should be done totally in
the open, so any vulnerabilities are inadvertent. This includes explaining the
design and the decisions and trade-offs that brought you there._

Implausible, considering that the mathematical attacks NSA is aware of but
designing ciphers to be resistant to are still classified and currently being
used by the NSA against older generation ciphers.

See history of differential cryptanalysis and DES design.

[https://en.m.wikipedia.org/wiki/Differential_cryptanalysis](https://en.m.wikipedia.org/wiki/Differential_cryptanalysis)

~~~
throwaway2048
This is speculation, based upon a time when the academic cryptanalysis
community was pretty much nonexistent.

I find it exceedingly unlikely that the NSA is years ahead of public efforts
on this front in 2017.

~~~
compiler-guy
I find it plausible due to the asymmetry of information flow.

Everything known by the public is also known by the NSA, but the NSA only
tells the public what it wants them to know.

That practically guarantees that there is a lot they know that we don't.

Of course that proves nothing about this specific instance, and measuring "how
far ahead" in years is hard, but I think it is likely the NSA has some
extremely sophisticated techniques that we know nothing about.

~~~
ethbro
The devil's advocate to that is offered by tptacek in other thread: that NSA's
efforts are simultaneously hurt by the fact they don't openly engage with the
academic cryptography community.

Whereas the public community is made stronger by its interactions.

------
mtgx
Every time I hear about "lightweight" algorithms being standardized for IoT and
such, I worry about their security. There is usually a reason why the
"lightweight" variants weren't adopted for PCs, too, in the first place.

------
bemused-peabody
What's it take for an organisation to get kicked out of this standardisation
body?

You'd think deliberately compromising the goals of the body in such a cavalier
fashion would do it.

------
mzs
[https://eprint.iacr.org/2017/560.pdf](https://eprint.iacr.org/2017/560.pdf)

Notes on the design and analysis of Simon and Speck

Ray Beaulieu Douglas Shors Jason Smith Stefan Treatman-Clark Bryan Weeks Louis
Wingers

June 8, 2017

Note. This document was prepared by the designers of Simon and Speck in order
to address questions regarding the design rationale and analysis of the
algorithms.

------
ropman76
I can understand about being suspicious of the NSA after the whole
Dual_EC_DRBG fiasco. However these designs are not unknown throughout the
industry (ARX having gotten some heat lately from the Keccak people). Is there
some technical reasons these designs should be disallowed aside from "We don't
like the NSA".

~~~
dfox
My technical (but probably mostly insignificant and unexploitable) issue with
speck/simon is with the key schedule, which has somewhat slow diffusion with
key length >2 words.

~~~
dfox
Also the key schedule is trivially invertible (I intended to include that fact
in my original comment, but wasn't sure of that; now I am).

On the other hand this seems like deliberate design choice in order to remove
any unexplained constants from the design (the counter in the key schedule
seems "explainable"). Alternative with the same design would be to supply the
key into the key schedule as subkeys (cyclically or so), which would then mean
that initial state is some kind of unexplained constant (there is good reason
why {0,0} is not good initial state and given the fact that it comes from NSA
any other value will seem suspect)

Edit: the fact that key schedule is invertible does not decrease the security
as long as it is used as block cipher (in fact on this level of analysis it
slightly increases the confidence in the design as long as it is only meant as
block cipher). On the other hand it means that insecure constructions of hash
function from block cipher are probably not only theoretically insecure, but
readily breakable by NSA. (I wouldn't be surprised if this was the motivation
of NSA, because for many IoT applications one is more interested in
authentication than in confidentiality)
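
Three technical claims in this thread can be checked with one small implementation: tptacek's point that SPECK is a plain ARX design that fits in under 100 lines with no S-boxes or magic constants, alexbeloi's whitening formula E = encrypt(M XOR K2, K1) XOR K3 (which sowbug notes SIMON and SPECK leave out), and dfox's observation directly above that the key schedule is trivially invertible. The code below is an added example written for this page; it is not the designers' reference implementation. It assumes the byte order of the spec's printed test vectors (most significant word first), which differs from the little-endian convention of the designers' C code, and `recover_master_key`, `whitened_encrypt` and `whitened_decrypt` are names chosen here.

```python
"""Generic Speck (all ten block/key variants), DESX-style whitening around it, and the
key schedule run backwards from its last m round keys to the master key."""

# Round counts per (block bits, key bits) variant, from the Speck specification.
SPECK_ROUNDS = {(32, 64): 22, (48, 72): 22, (48, 96): 23, (64, 96): 26, (64, 128): 27,
                (96, 96): 28, (96, 144): 29, (128, 128): 32, (128, 192): 33, (128, 256): 34}


class Speck:
    """Block and key bytes follow the spec's test-vector notation: most significant word first."""

    def __init__(self, key: bytes, block_bits: int = 128):
        key_bits = len(key) * 8
        if (block_bits, key_bits) not in SPECK_ROUNDS:
            raise ValueError(f"unsupported Speck variant {block_bits}/{key_bits}")
        self.n = block_bits // 2                      # word size in bits
        self.wb = self.n // 8                         # word size in bytes
        self.mask = (1 << self.n) - 1
        self.alpha, self.beta = (7, 2) if block_bits == 32 else (8, 3)
        self.rounds = SPECK_ROUNDS[(block_bits, key_bits)]
        self.m = key_bits // self.n                   # number of key words
        words = [int.from_bytes(key[i * self.wb:(i + 1) * self.wb], "big") for i in range(self.m)]
        # The spec writes the key as l[m-2] ... l[0] k[0]; the schedule is the round
        # function itself with the round counter i standing in for the round key.
        k, l = [words[-1]], words[:-1][::-1]
        for i in range(self.rounds - 1):
            l.append(((k[i] + self._ror(l[i], self.alpha)) & self.mask) ^ i)
            k.append(self._rol(k[i], self.beta) ^ l[i + self.m - 1])
        self.round_keys = k

    def _ror(self, x, r): return ((x >> r) | (x << (self.n - r))) & self.mask
    def _rol(self, x, r): return ((x << r) | (x >> (self.n - r))) & self.mask
    def _split(self, b): return int.from_bytes(b[:self.wb], "big"), int.from_bytes(b[self.wb:], "big")
    def _join(self, x, y): return x.to_bytes(self.wb, "big") + y.to_bytes(self.wb, "big")

    def encrypt_block(self, pt: bytes) -> bytes:
        x, y = self._split(pt)
        for rk in self.round_keys:                    # one ARX round: rotate, add, xor key, rotate, xor
            x = ((self._ror(x, self.alpha) + y) & self.mask) ^ rk
            y = self._rol(y, self.beta) ^ x
        return self._join(x, y)

    def decrypt_block(self, ct: bytes) -> bytes:
        x, y = self._split(ct)
        for rk in reversed(self.round_keys):
            y = self._ror(y ^ x, self.beta)
            x = self._rol(((x ^ rk) - y) & self.mask, self.alpha)
        return self._join(x, y)

    def recover_master_key(self, tail_round_keys) -> bytes:
        """Given the last m round keys, undo the schedule step by step. Every step is a
        bijection on the (k, l) state, so the master key is fully determined: this is what
        'trivially invertible' means, and why block-cipher-based hashes must not feed
        attacker-controlled data in through the key port without a feed-forward."""
        m, T = self.m, self.rounds
        k = {T - m + j: tail_round_keys[j] for j in range(m)}
        l = {}
        for i in range(T - m, T - 1):                 # final l-state from consecutive round keys
            l[i + m - 1] = k[i + 1] ^ self._rol(k[i], self.beta)
        for i in range(T - 2, -1, -1):                # one schedule step backwards per iteration
            k[i] = self._ror(k[i + 1] ^ l[i + m - 1], self.beta)
            l[i] = self._rol(((l[i + m - 1] ^ i) - k[i]) & self.mask, self.alpha)
        words = [l[j] for j in range(m - 2, -1, -1)] + [k[0]]
        return b"".join(w.to_bytes(self.wb, "big") for w in words)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def whitened_encrypt(cipher: Speck, pt: bytes, k2: bytes, k3: bytes) -> bytes:
    """DESX-style key whitening: C = E_K1(P xor K2) xor K3. Two XORs and two extra block-sized
    keys; Speck omits this step, which is part of its gate and flash savings."""
    return _xor(cipher.encrypt_block(_xor(pt, k2)), k3)


def whitened_decrypt(cipher: Speck, ct: bytes, k2: bytes, k3: bytes) -> bytes:
    return _xor(cipher.decrypt_block(_xor(ct, k3)), k2)
```

The class reproduces the published Speck test vectors for the 32/64, 64/128 and 128/128 variants, and `recover_master_key(c.round_keys[-c.m:])` returns the exact key bytes the object was built from. With `k2 = k3 = bytes(16)` the whitened construction collapses to plain Speck, which is the sense in which the whitening layer is an optional wrapper rather than part of the cipher.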

------
EternalData
This gets back to how innovation is often advanced under military/security
circumstances -- it's unfortunate that so much money stems to those reasons
for research such that the intent of the researchers is always a tiny bit
questionable.

------
snakeanus
DJB actually made a post on twitter about Simon/Speck
[https://twitter.com/hashbreaker/status/719884030796177409](https://twitter.com/hashbreaker/status/719884030796177409)

------
billphipps
Why should one nation have the power to set a single global standard for
anything?

~~~
likelynew
What do you mean by a global standard?

------
TomK32
How about the NSA make all US government agencies use their Simon and Speck
algorithms and we (rest of the world) see in a few years what the outcomes
(and their so-called secret documents) look like.

------
tryingagainbro
_not because they were good encryption tools, but because it knew how to break
them_

Both NSA and CIA had their crown jewels stolen and exposed, yet they assume
that states like China and Russia (to name a few) don't have the ability to
find these bugs. Heads should roll

