The NSA still gets their way when it comes to cryptographic standards

The Reuters headline “Distrustful U.S. allies force spy agency to back down in encryption fight” actually sounds good to those of us who are upset about the NSA’s history of pushing insecure and backdoored cryptography into standards (see also these nice-sounding headlines). On closer inspection, however, these headlines are quite misleading. The truth is rather that the NSA gets away with pushing two block ciphers into an international ISO standard despite i) its recent history of undermining standards and ii) the fact that it ignored best practices in publishing the two ciphers.

What is behind these headlines is an effort by the NSA to standardize two lightweight block ciphers: Simon and Speck. Lightweight block ciphers are a very active research field in cryptography at the moment. There are several proposals for lightweight block ciphers, and two of those, PRESENT and CLEFIA, have already been standardized in ISO (ISO/IEC 29192-2:2012). Two facts make the Simon and Speck case unique. First, they were proposed and published by the NSA shortly after we learned that the agency had included backdoors in public standards (see the Dual EC case). Second, the NSA published the ciphers without a security analysis and without an explanation of the design criteria of the ciphers. Publishing a security analysis and a description of the design decisions when proposing a new cipher can be considered mandatory best practice. Indeed, a cipher without such an analysis would not be published at an international crypto conference or in a journal, and could not participate in public competitions to choose cryptographic algorithms such as the AES or SHA-3 competition.

But the NSA, of course, is above such an analysis. The NSA published the ciphers in late 2013 and started the standardization in 2014, when no security analysis of the ciphers was public. So the only security argument at that time was: trust us, we are the NSA and deem it secure. Considering the recent history, this is absolutely striking to me.

To recall, in 2013 Edward Snowden leaked documents that clearly stated that the NSA is actively undermining international security standards. The 2013 budget of the NSA SIGINT program ($250m annually) states that some of the money is used to “Influence policies, standards, and specification for commercial public key technologies”. That this is actually being done is shown by the infamous Dual EC random number generator, which has a built-in NSA backdoor.

So not even half a year after publishing Simon and Speck, the NSA was allowed to start a standardization process for two new block ciphers without the security analysis that is usually mandatory when publishing new ciphers. The Reuters report shows that there was (and is) some resistance against the standardization, but in the end it seems the NSA gets their way. The headlines you read online suggest that the NSA had to drop two ciphers from standardization. But what actually happened is that two versions of Simon and Speck have been dropped because they use security levels and block sizes that are not in line with the current state of the art. The main versions of Simon and Speck are still up for standardization. This is the first part of the NSA “compromise” to get Simon and Speck standardized. The second part of the compromise seems to be that the NSA has now, with a four-year delay, published a security analysis with their design criteria. If you expect new insight, don’t get your hopes up. The report is basically a summary of work published by other researchers, with the conclusion that this is what the NSA knew all along and why the NSA is of the opinion that Simon and Speck are secure. What a great concession on the NSA’s part: dropping algorithms far below the state-of-the-art security level and publishing a paper without any news that should have been published four years ago.

But according to Reuters the “opponents saw that as a major if partial victory, and it paved the way to compromise.” To quote Reuters further: “In another nation-by-nation poll last month, the sturdiest versions advanced to the final stage of the approval process, again by a single vote, with Japan, Germany and Israel remaining opposed. A final vote takes place in February.”

So this last paragraph is why my headline is so different from those you read elsewhere at the moment. To me, this is not a victory but a clear defeat for the international IT security and cryptography community. So let’s see how the story unfolds, but to me it looks as if the NSA will soon have their standard. And if they get this standard, how much resistance will there be to their next proposals? And who knows what will be hidden in them…

PS:

Right now it seems that only Israel, Japan and Germany are still opposed. So who is supporting it? Most interesting, for example, is that Reuters does not note Prof. Chris Mitchell from the British delegation as someone opposing the standardization of Simon and Speck, but rather as someone supporting it. This is a bit strange considering his slides from last year, which make him look like someone opposing Simon and Speck. Very strange…