# Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

```On 7/09/13 03:58 AM, Jon Callas wrote:

```
```Could an encryption algorithm be explicitly designed to have properties like this?  I
don't know of any, but it seems possible.  I've long suspected that NSA might want this
kind of property for some of its own systems:  In some cases, it completely controls key
generation and distribution, so can make sure the system as fielded only uses
"good" keys.  If the algorithm leaks without the key generation tricks leaking,
it's not just useless to whoever grabs onto it - it's positively hazardous.  The gun that
always blows up when the bad guy tries to shoot it....
```
```
We know as a mathematical theorem that a block cipher with a back door *is* a
public-key system. It is a very, very, very valuable thing, and suggests other
mathematical secrets about hitherto unknown ways to make fast, secure public
key systems.
```
```

```
I'm not as yet seeing that a block cipher with a backdoor is a public key system, but I really like the mental picture this is trying to create.
```
```
In order to encrypt to that system, one needs the (either) key. If everyone has it (either) the system is ruined.
```
```
A public key system is an artiface where one can distribute the public key, and not have to worry about the system being ruined; it's still perfectly usable. Whereas with a symmetric system with two keys, either key being distributed ruins the system.
```
```
One could argue that the adversary would prefer the cleaner, more complete semantics of the public key system -- maybe that is what the theorem assumes? But if I was the NSA I'd be happy with the compromise. I'm good at keeping *my key secret* at least.
```

iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
```