In some places, there's a formal or quasi-formal breakout of who is doing what. 
For example, in the UK, they have GCHQ and CESG. Even though they're in the 
same buildings, there's an FLA for each, so you can talk about offense vs. 
defense.

In the US, there are the offense and defense portions of the NSA. At least some of the 
defense folks in the NSA are called the "IA" (Information Assurance) people, 
but there's also NIAP (who primarily deal with Common Criteria etc.) and NIST, 
who are a completely different organization, being both civilian and part of 
Commerce.

When you talk about the NSA employing mathematicians, they are not IA, NIAP, 
etc. As Paul has pointed out, NIST is not the NSA, and calling them an "open 
partner" is not accurate at all. If you rush back to DES days, you have a 
point, but as they say, "that was Zen, this is Tao."

Certainly, NIST will respect what the NSA has to say, but the NSA is not the 
only player. Not only will other parts of the Intelligence Community freely 
disagree with the NSA, but other people like Treasury, DHS, and even NIST 
themselves have their own smart people who often don't like anyone dictating to 
them. Heck, even in the Army, they often just say that the NSA can have 
whatever opinions it wants, but. All of these entities will use their own 
deployment expertise to argue what they like and use the very things you said 
to fight back. (Well, those *mathematicians* may know what's best in theory, 
but let me tell you a thing or two about the real world.) These days, even the 
FTC has its own expertise, and quangos like BITS make their own policy as well, 
albeit starting from NIAP and NIST.

The whole elliptic curve issue is a place where competing interests are 
dancing. If you want to crypto-balance past 128 bits, you either go to EC or 
end up with very large RSA keys. We all agree on this; the question is when we 
need to go beyond 128 bits. That itself matters, but matters only because of 
intellectual property. 

NIST is certainly carrying water for EC, by implying that RSA 2048 is going to 
somehow be vulnerable in the next handful of years. But it isn't even clear 
that they're carrying water for the NSA. It's just as reasonable to say that 
they're carrying water *against* 8-15Kb RSA keys. They're also smart enough to 
know that if you really want to have EC by 2020, start with saying that we 
really ought to move there by 2013.

No matter how you slice it, we want to move away from RSA to EC by 2050-2060. 
(Yes, yes, quantum, blah, lattice, blah, Lamport blah.) The only question is 
when. I think NIST is smart enough to know that if they wait until 2040, it's 
going to take until 2100.

        Jon
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
