[cryptography] NSA's position in the dominance stakes

Jon Callas jon at callas.org
Mon Nov 15 19:38:29 EST 2010

In some places, there's a formal or quasi-formal breakout of who is doing what. For example, in the UK, they have GCHQ and CESG. Even though they're in the same buildings, there's an FLA for each, so you can talk about offense vs. defense.

In the US, the offense and defense portions of the NSA. At least some of the defense folks in the NSA are called the "IA" (Information Assurance) people, but there's also NIAP (who primarily deal with Common Criteria etc.) and NIST, who are a completely different organization, being both civilian and part of Commerce.

When you talk about the NSA employing mathematicians, they are not IA, NIAP, etc. As Paul has pointed out, NIST is not the NSA, and calling them an "open partner" is not accurate at all. If you rush back to DES days, you have a point, but as they say, "that was Zen, this is Tao."

Certainly, NIST will respect what the NSA has to say, but the NSA is not the only player. Not only will other parts of the Intelligence Community freely disagree with the NSA, but other people like Treasury, DHS, and even NIST themselves have their own smart people who often don't like anyone dictating to them. Heck, even in the Army, they often just say that the NSA can have whatever opinions it wants, but. All of these entities will use their own deployment expertise to argue what they like and use the very things you said to fight back. (Well, those *mathematicians* may know what's best in theory, but let me tell you a thing or two about the real world.) These days, even the FTC has its own expertise, and quangos like BITS make their own policy as well, albeit starting from NIAP and NIST.

The whole elliptic curve issue is a place where competing interests are dancing. If you want to crypto-balance past 128 bits, you either go to EC or end up with very large RSA keys. We all agree on this, the question is when we need to go beyond 128 bits. That itself matters, but matters only because of intellectual property. 

NIST is certainly carrying water for EC, by implying that RSA 2048 is going to somehow be vulnerable in the next handful of years. But it isn't even clear that they're carrying water for the NSA. It's just as reasonable to say that they're carrying water *against* 8-15Kb RSA keys. They're also smart enough to know that if you really want to have EC by 2020, start with saying that we really ought to move there by 2013.

No matter how you slice it, we want to move away from RSA to EC by 2050-2060. (Yes, yes, quantum, blah, lattice, blah, Lamport blah.) The only question is when. I think NIST is smart enough to know that if they wait until 2040, it's going to take until 2100.


More information about the cryptography mailing list