Or National Institute of Standards and Technology for short. And yes, NIST itself is a problem.
Robert A. Heinlein said “Love your country, but never trust its government.” Bernstein et al. consider primitives like AES and ChaCha to be secure. Others consider properly selected elliptic curve cryptography to be secure. The folks at crypto.stackexchange.com believe most things originating from NIST. Indeed some seem to even champion NIST’s products. And see later…
Imagine a world where the F-35 Lightning fighter was kept top secret by a top secret government (come with me). The public would then think that it’s completely impossible for civilian academics to design and construct a stealth supersonic STOVL fighter jet. Yet they exist because they are built by nation states. One nation state actually. Nobody but the US can design and build one. NOBUS (“nobody but us”, the NSA’s own shorthand for a capability it believes only it holds).
A civilian academic tried to land a space probe on Mars called Beagle 2. It landed but the mission ultimately failed. You might then be persuaded that it is impossible to successfully operate a mission on Mars, had state agencies not done so. NOBUS (+ China + USSR).
How can the security services spy on the civilian government if the civilian government had access to NIST’s unbreakable cryptography? Non sibi obstetur (“one does not generally thwart oneself”). NOBUS.
Civilian mathematicians and cryptographers do not believe that AES can currently be broken, or SHA-2 inverted, faster than brute force. Nor does NIST publicly. But algebraic relinearisation exists. Construct sufficient simultaneous equations from many I/Os across a cryptographic function, solve, and you might be able to recover the key or invert that function. The civilian world presently can’t with any useful advantage, but can the NSA, with its share of the $81.5B US intelligence budget? Or via some other exotic, as yet unpublished, technique? Note that GCHQ’s James Ellis described public-key cryptography (“non-secret encryption”) in 1970, and Clifford Cocks gave an RSA-like construction in 1973, years before Whitfield Diffie and Martin Hellman published in 1976. Similarly and equally incriminating, IBM knew of differential cryptanalysis (its internal “T-attack”) when DES was designed in 1974, some fifteen years before it was publicly rediscovered by Eli Biham and Adi Shamir around 1990.
Whitfield Diffie said “If you are designing cryptosystems, you’ve got to think about long-term applications. You’ve got to try to figure out how to build something that is secure against technology in the next century that you cannot even imagine.” Like post-quantum computation. Even now, the civilian world has access to computer systems capable of over an exaflop per second. Pragmatism, cynicism and scepticism force us to speculate whether the NSA can do any better. Only the one-time pad meets Diffie’s long-term vision.
Notice this, from the first few pages of NIST’s SP 800-90 series (very boring whilst very telling):-
“This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems”.
The statute it cites, 44 U.S.C. § 3553, itself says:-
“§ 3553. Authority and functions of the Director and the Secretary:-”
“(d) NATIONAL SECURITY SYSTEMS. Except for the authorities and functions described in subsection (a)(5) and subsection (c), the authorities and functions of the Director and the Secretary under this section shall not apply to national security systems”.
“(e) DEPARTMENT OF DEFENSE AND INTELLIGENCE COMMUNITY SYSTEMS. (1) The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of National Intelligence in the case of systems described in paragraph (3)”.
Good enough for the people, but not for (US) national security? And why the specific carve-out for national security systems, handed to the Secretary of Defense and the Director of National Intelligence (the NSA’s chain of command)? Is it a warning or an apology? NIST may be a cryptographic feint intended to create a false confidence regarding security. Promote AES as the only secure algorithm, and all intelligence agency resources can be focused on that one primitive. Perhaps it’s even already broken in real time, never mind polynomial time.
For example, conversations regarding NIST’s latest Lightweight Cryptography Standardization Process (NIST Selects Ascon) tend to go like this:-
“Would your contact be able to say which (if any) other external agencies were instrumental in the final selection process? "
“This is an absolute trashy comment, [REDACTED].” – Daniel Apon, stackexchange.com/ ex-NIST. Perhaps an example of GCHQ’s The Art of Deception, Training For A New Generation Of Online Covert Operations. You decide 😕
Furthermore, NIST’s SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation, and SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions, total 282 pages of convoluted and inexplicable guidelines for designing and building a random number generator. Not following those guidelines means no US (FIPS 140) validation and no major sales.
Why exactly are 282 pages necessary to build a TRNG when all that is really required is a web page, a breadboard and nails? It’s almost as if NIST was discouraging people from building their own TRNGs to generate their own one-time pads. Which is not surprising if you learn that Whitfield Diffie also said “If you can make random numbers, you can have a private conversation.” Many in government and the security services vehemently argue that only paedophiles and terrorists want privacy. There’s nothing to fear if you have nothing to hide, eh?
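Added example, not from this page or its author: the one piece of SP 800-90B that a home TRNG builder actually needs, the most-common-value (MCV) min-entropy estimator from §6.3.1, run over constructed sample sets, followed by the one-time pad the output is destined for and the one failure mode that breaks it (pad reuse). The two sample sets are constructed for illustration, not measured from any real device.

```python
"""Added example (not the page's own code): SP 800-90B section 6.3.1 MCV
min-entropy estimate over constructed samples, plus a one-time pad and the
two-time-pad leak. Sample data below is constructed, not measured."""
import math
import os
from collections import Counter


def mcv_min_entropy(samples: bytes) -> float:
    """SP 800-90B 6.3.1 most-common-value estimate, bits of min-entropy per sample.

    p_hat = count(most common value) / N
    p_u   = min(1, p_hat + 2.576 * sqrt(p_hat * (1 - p_hat) / (N - 1)))  # 99% upper bound
    H_min = -log2(p_u)
    The confidence term is why a short run can never "prove" a full 8 bits per byte.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a pad at least as long as the data; encrypt == decrypt."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: a one-time pad must never be stretched")
    return bytes(d ^ p for d, p in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reusing a pad hands p1 XOR p2 to anyone holding both ciphertexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed sample sets (hypothetical, not from any hardware).
# 1) Biased source: 0x00 appears 200 times in 1000 samples; the rest spread over 0x01..0xFF.
BIASED = bytes([0] * 200 + [1 + (i % 255) for i in range(800)])
# 2) Perfectly flat histogram: every byte value exactly 10 times (N = 2560).
FLAT = bytes(range(256)) * 10


if __name__ == "__main__":
    for name, s in (("biased", BIASED), ("flat", FLAT)):
        print(f"{name}: {mcv_min_entropy(s):.2f} bits of min-entropy per byte")
    pad = os.urandom(16)                      # stand-in for TRNG output
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    c1, c2 = otp_xor(p1, pad), otp_xor(p2, pad)
    assert otp_xor(c1, pad) == p1
    print("pad reuse leaks p1^p2:", two_time_pad_leak(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2)))
```

Two things fall out that the page’s “breadboard and nails” does not state: even a perfectly flat 2,560-byte sample only earns a claim of about 7.1 bits per byte, because the 99% confidence bound charges you for the short run, and a source that emits one value 20% of the time is worth roughly 2.1 bits per byte, so the pad must be conditioned or the source oversampled before it is used as a one-time pad.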
It all becomes a little clearer when we look at NIST’s Cryptographic Standards and Guidelines Development Process document, which sets out the principles, processes and procedures that drive cryptographic standards and guidelines development efforts at NIST. Not a particularly enthralling read, other than for the fact that “NSA” appears 12 times within it. That alone makes it hard to argue that the NSA is at arm’s length from NIST’s cryptographic work.
The doubts and suspicions run far and wide indeed. John Woods (@JohnAlanWoods) Tweeted 24 Jul 2020:-
“Precisely, it’s becoming a circus. Despite this ridiculousness, P-256 [elliptic curve cryptography] is still the only curve sanctioned by major banks, and most US firms. Apple for example, only allow P-256 keys on their “Secure Enclave”. It’s really quite a hoot.”
and Bernstein’s (aged) presentation:- https://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf slams NIST processes. Even the Linux community doesn’t trust NIST. SHA-1 (an NSA design standardised by NIST in FIPS 180) has now been removed from the Linux kernel’s randomness driver (random.c, Linux 5.17) and replaced by BLAKE2s, the stated reasons being SHA-1’s known weaknesses and speed.
Via allegory: Remove a “centrally controlled core of overseers”. This is what the Electronic Frontier Foundation (EFF) posits will drive innovation, growth, and freedom for users and their contributions in EFF’s fight against big tech. Break up NIST’s overarching responsibility for most of the world’s cryptographic standardisation of a small handful of primitives and unfathomably bendy curves. As AT&T was broken up in 1984. That heralded a tide of new entrants and communications products, all to the benefit of consumers.
A great potato grows within current cryptography, deliberately farmed by NIST and fed by the NSA. No other field of human endeavour successfully sustains a monoculture for any significant period of time. We do not prosper by putting all our eggs into one basket. Just ask an Irish potato or Dust Bowl farmer. We would do better by more of us rolling our own cryptography. Not all of us, just some of us.
They say that there’s no smoke without fire. Just don’t try to use a NIST fire extinguisher. Its true purpose might not be to put out the fire. So if you look closely enough, you’ll see the NSA’s mark all over NIST. And therein lies the problem.