**BM-2cVnBJ1HwbFMdTeT25tubAxhHfE2HpJcci**

May 31 11:55

What is secure? People often ask me “is this or that secure” questions about ciphers and products… Rather than trying to answer those questions directly, which can spark flames of endless arguments and may sound like paranoia or a conspiracy theory, I like to present rhetorical questions, which help people determine what is and what isn’t secure for themselves. These are some of the questions:

Hasn’t it always been the NSA’s duty to maintain cryptographic superiority, being able to decrypt communications of all the US adversaries while no one else can? Remember their giving away Enigma machines after WWII? Isn’t it the NSA’s duty to make sure that they are the only ones who can decrypt communications of their own government? Remember the Clipper chip backdoor? Isn’t it the NSA’s duty to enforce digital signatures to ensure tracking of individuals? Since when do authentication or message integrity require the use of digital signatures? Why is AES-128 not accepted as a Type-1 cipher [not allowed to secure top secret documents or communications] while the 64-bit secure Skipjack with its 80-bit keys and a 16-bit NSA backdoor is [along with AES-192 and AES-256]? Since brute-forcing a single AES-128 key would take a thousand years on a quadrillion 10 GHz microchips, what is wrong with it? If the NSA could break DES in 10 microseconds, how fast could they break 3DES? Why is algebraic cryptanalysis the most under-developed type of cryptanalysis in academia, while most of the academic effort is thrown into linear and differential cryptanalysis, which require infinitely large numbers of chosen plaintexts and have not been responsible for a single known practical break of a cipher? Who influences the lemminghood?

Why was Rijndael chosen as the AES against all the warnings that it has the weakest structure of all the AES candidates against algebraic attacks, the only type of attack that could be a real practical threat, requiring minimal amounts of information about the plaintext? Why is RSA in GPG’s “expert” mode limited to 4096 bits? Are 8192-bit RSA keys too much to ask? Why are the same mysterious prime moduli used in PGP, GPG and all the US government Diffie-Hellman standards, and why is there no explanation of how they were generated? Are provably pseudorandom DH moduli too much to ask? Why do the prime moduli over 112 bits chosen for the ECC standards have such a very special and obviously weak form (1000…0001), even though the actual difference in speed between implementations of those and of pseudorandom moduli is so small? [~18 ms vs ~26 ms for 128-bit-secure 256-bit keys, a mere 30% faster] If higher speed is in fact the key factor and this special form does not affect security, shouldn’t the 112-bit and shorter prime moduli also have the same special form? Why are those pseudorandom? Why are the random-looking prime ECC moduli up to 112 bits listed in the US standards in hexadecimal form, while the special prime moduli over 112 bits are presented there in decimal form, in which they appear random? Why hide all the zeros? Why was there a backdoor in the US government standard for random number generation (DUAL_EC_DRBG)? If there is obviously at least one backdoor, who says every one of those standards does not contain a backdoor? Shouldn’t they? If it is the NSA’s responsibility to include hidden backdoors in the US cryptographic standards, how can anyone else trust any of them?

BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v