Back in September, I wrote here about the news that Snowden’s revelations that confirmed suspicions that back in 2005-6 NSA mathematicians had compromised an NIST standard for elliptic-curve cryptography. The new standard was promoted as an improvement using sophisticated mathematical techniques, when these had really just been used to introduce a backdoor allowing the NSA to break encryption using this standard. There still does not seem to have been much discussion in the math community of the responsibility of mathematicians for this (although the AMS this month is running this opinion piece).
After my blog post, some nice detailed descriptions of how this was done and the mathematics involved appeared. See for instance The Many Flaws of Dual_EC_DRBG by Matthew Green, and The NSA back door to NIST by Thomas Hales. The Hales piece will appear soon in the AMS Notices. Hales also has a more recent piece, Formalizing NIST Standards, which argues for the use of formal verification methods to check such standards. Also appearing after my blog post was the news that RSA Security was now advising people not to use one of its products in default mode, the BSAFE toolkit.
One mystery that remained was why the NIST had promulgated a defective standard, knowing full well that experts were suspicious of it. Also unclear was why RSA Security would include a suspicious standard in their products. Back in September they told people that (see here) they had done this because:
The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques
and issued a statement saying:
RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products. Decisions about the features and functionality of RSA products are our own.
Today there are new revelations about this (it’s unclear from what source), which explain what helped make RSA swallow the bogus mathematics: a payment from the NSA of \$10 million. I guess there’s a lesson in this: when you can’t figure out why someone went along with a bad mathematical argument, maybe it’s because someone else gave them \$10 million…
Update: For another explanation of the math behind this, see videos here and here featuring Edward Frenkel.
Update: There’s a response to the Reuters story from RSA here. As I read it, it says
- They do have a secret contract with the NSA that they cannot discuss
- They used the NSA back-doored algorithm in their product because they trust the NSA
- They didn’t remove it when it became known because they really are incompetent, not because the NSA was paying them to act incompetent
It’s hard to see why anyone would now trust their products.