It's important to remember the desired goal - secure cryptography, and in that case even if the NSA is a known-bad actor, they might still be the best option to achieve an optimal outcome.
There is a name for the kind of table below but I have forgotten it. Essentially on the balance of outcomes, a situation (of engineered choices, of course!) where the NSA is involved still produces, given unknown factors, a potentially better outcome than a situation where the NSA is excluded.
Bad = 0.1, Fair = 0.5, Excellent = 1.0

| Cipher Author | Known Weak      | Security  | Likelihood | Security*Likelihood |
| Academia      | No              | Excellent | Bad        | 0.1                 |
| Academia      | Nationally      | Fair      | Fair       | 0.25                |
| Academia      | Internationally | BAD       | Fair       | 0.05                |
| NSA           | No              | Excellent | Fair       | 0.5                 |
| NSA           | Nationally      | Fair      | Fair       | 0.25                |
| NSA           | Internationally | BAD       | Bad        | 0.01                |

SUM(academia) = 0.31
SUM(nsa) = 0.76
(Does anyone know what this kind of table is called? Can someone do a version that makes more sense? It's 4am and quite a few beers were involved :))
This isn't how security works. When the term "secure" is used, it is relative only to a threat model. Typically these threat models are implied, but different perspectives, levels of experience and communication barriers often see that this non-precise term causes confusion and mistakes.
In the case of cryptography, the implied "security" of a cipher differs wildly across many different properties (the security margin of the design, the caveats to its correct use, the modes it is used with, its likelihood to be implemented properly, etc.).
One of the properties is how the integrity or confidentiality of the schemes fail to different types of adversaries - and who are trusted parties to the data security layer.
All of this is to say that - if our threat model includes intelligence agencies and mass surveillance - the NSA is not able to provide encryption that can be trusted to be secure.
That's the wrong way to read it - their likelihood is bad compared to an agency with secrets that gives it a better chance, and even then, that agency only receives a fair likelihood. At least this part is close to reality - per another comment, the NSA understood differential cryptanalysis years before academia.
I guess we could add more score levels to make it more explicit, but I'm pretty sure that beer-addled table has bigger problems.