Home > Uncategorized > Peter Woit: The NSA, NIST and the AMS

Peter Woit: The NSA, NIST and the AMS

January 19, 2015

This was crossposted from Not Even Wrong and written by Peter Woit.

Last summer I wrote here about an article in the AMS Notices which appeared to make misleading claims about the NSA’s involvement in putting a backdoor in an NIST cryptography standard known as DUAL_EC_DRBG. The article by Richard George, a mathematician who worked at the NSA, addressed the issue of the NSA doing this kind of thing by discussing an example of past history when they were accused of doing this, but were really actually strengthening the standard. He then went on to claim that:

I have never heard of any proven weakness in a cryptographic algorithm that’s linked to NSA; just innuendo.

This appears to be a denial of an NSA backdoor in the standard, while not saying so explicitly. If there is a backdoor, as most experts believe and the Snowden documents indicate, this was a fairly outrageous use of the AMS to mislead the math community and the public. At the time I argued with some at the AMS that they should insist that George address explicitly the question of the existence of the backdoor, but didn’t get anywhere with that. One of their arguments was that George was speaking for himself, not the NSA.

The question of fact here is a very simple and straightforward mathematical one: how was the choice used in the standard of points P and Q on an elliptic curve made? There is a known way to do this that provides a backdoor. Did the NSA use this method, or some other one for which no backdoor is known? The NSA refused to cooperate with the NIST investigation into this question. The only record of what happened when the NIST asked about how P and Q were chosen early on in the development of the standard is this, which indicates that people were told by the NSA that they were not allowed to publicly discuss the question.

Remarkably, the latest AMS Notices has a new article with an extensive discussion of the DUAL_EC_DRBG issue, written by mathematician Michael Wertheimer, the NSA Director of Research. At first glance, Wertheimer appears to claim that the NSA was unaware of the possibility of a backdoor:

With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable.

On close reading though, one realizes that Wertheimer does not address at all the basic question: how were P and Q chosen? His language does not contain any actual denial that P and Q have a backdoor.

For a careful examination of the Wertheimer piece by an expert, see this from Matthew Green. Green concludes that

… it troubles me to see such confusing statements in a publication of the AMS. As a record of history, Dr. Wertheimer’s letter leaves much to be desired, and could easily lead people to the wrong understanding.

In a recent podcast on the subject Green states

I think it’s still going on… I think that the NSA has really adopted a policy of tampering with cryptographic products and they’re not going to give that up. I don’t think that this is a time that they want to go out admitting what they did in this particular case as a result of that.

Given that this is now the only official NSA statement about the DUAL_EC_DRBG issue, the Notices article has drawn a lot of attention, see for instance here. The Register summarizes the story with the headline NSA: So sorry we backed that borked crypto even after you spotted the backdoor.

The publication of the George and Wertheimer pieces by the AMS has created a situation where there are just two possibilities:

  • Despite what experts believe and Snowden documents indicate, the NSA chose P and Q by a method that did not introduce a backdoor. For some reason though they are unwilling to state publicly that this is the case.
  • P and Q were chosen with a backdoor, and the AMS has been now repeatedly been used to try and mislead the mathematics community about this issue.

I’ve contacted someone at the AMS to try and find out whether the question of a backdoor in P and Q was addressed in the refereeing process of the article, but been told that they won’t discuss this. I think this is an issue that now needs to be addressed by the AMS leadership, specifically by demanding assurances from Wertheimer that the NSA did not choose a backdoored P and Q. If this is the case I can see no reason why such assurances cannot be provided. If the NSA and Wertheimer won’t provide this, I think the AMS needs to immediately cut off its cooperative programs with the agency. There may be different opinions about the advisability of such programs, but I don’t think there can be any argument about the significance of the AMS being used by the NSA to mislead the mathematics community.

Categories: Uncategorized
  1. January 19, 2015 at 7:58 pm

    2 quick things:

    1) I certainly don’t doubt that NSA may have a cryptographic backdoor, BUT if they DON’T, it just may be to their advantage NOT to acknowledge the lack of one, instead keeping people guessing (or even believing there is one).

    2) just my naivete here: the first quote from Wertheimer refers to a “trapdoor” — I’m not familiar with that term; is it precisely identical to a backdoor or something different?


    • January 19, 2015 at 10:55 pm

      1) Given the motivation of the NSA culture, the way the PRNG was set up to have two unknown parameters, it would have been negligent and foolhardy from their point of view to NOT have created the backdoor capability : As their “Vision” states publicly: establish “Global Cryptologic Dominance through Responsive Presence{i.e. crackstering} and Network Advantage{i.e. backdooring}. In reality, it is appallingly stupid and arrogant to assume it would not be discovered and someday broken and revealed.

      2) I think years ago “trapdoor” was preferred as better indicating its secrecy. As far as usage I’ve seen, it’s identical to “backdoor”.


  2. January 19, 2015 at 10:53 pm

    Shecky R,
    I just can’t see what’s in it for the NSA to have everyone believing they corrupted the NIST standards process when they didn’t (or have people believing they have a backdoor to this standard when they don’t).

    The terminology Wertheimer uses is very unusual. A cryptographic trapdoor is normally something quite different (a one-way function) than a backdoor, but in this context what he says only seems to make sense if backdoor=trapdoor.


  3. January 20, 2015 at 8:28 am

    Thanks for the reply Peter; what I’m thinking (in a very general way) is that sometimes powers-that-be instill more fear/respect/submissiveness by being credited with more power or abilities than they actually have. To make a crude analogy, an oft-heard rumor was that, until push-came-to-shove, Saddam Hussein wanted Americans & others to believe he had WMDs even if he did not, because it strengthened his position.


  4. January 24, 2015 at 1:33 pm

    Excellent analogy, Shecky R, sometimes such have real meaning. The UN-AIEA evidence seems to show that was indeed the tragic intention of the rope-beheaded sadist-but-secular Saddam.

    Back to the NSA, often an entity of deception is served best by remaining silent rather than denying the obvious, or making an ambiguous, disingenuous denial that also serves to allow megamedia treatment that both makes money and promotes the desired latest Neo-Con adventurism.


  1. No trackbacks yet.
Comments are closed.
%d bloggers like this: