BULLRUN seems to be just an overarching name for several wide programs
to obtain plaintext of passively encrypted internet communications by
many different methods.
While there seem to be many non-cryptographic attacks included in the
BULLRUN program, of particular interest is the cryptographic attack
mentioned in the Snowden papers and also hinted at in earlier US
congressional manoeuvrings for NSA funding.
The most obvious target of attack is some widespread implementation of
SSL/TLS, and while it might just be an attack against a reduced
keyspace, e.g. password-guessing or RNG compromise, I wonder whether NSA
have actually made a big cryptographic break against some cipher, and if
so, against what?
Candidate ciphers are:
and key establishment mechanisms:
I don't think a break in another cipher or KEM would be widespread
enough to matter much. Assuming NSA (or possibly GCHQ) have made a big
I don't think it's against 3DES or RC4, though the latter is used a lot
more than people imagine.
AES? Maybe, but a break in AES would be a very big deal. I don't know
whether hiding that would be politically acceptable.
RSA? Well, maybe indeed. Break even a few dozen RSA keys per month, and
you get a goodly proportion of all internet encrypted traffic. It's just
another advance on factorisation.
If you can break RSA you can probably break DH as well.
ECDH? Again quite possible, especially against the curves in use - but
perhaps a more widespread break against ECDH is possible as well. The
math says that it can be done starting with a given curve (though we
don't know how to do it), and you only need to do the hard part once per
My money? RSA.
But even so, double encrypting with two different ciphers (and using two
different KEMs) seems a lot more respectable now.
-- Peter Fairbrother
The cryptography mailing list