[Ach] NSA stops recommending AES-128, curve P-256, and SHA-256

ianG iang at iang.org
Wed Sep 2 17:45:55 CEST 2015

On 2/09/2015 12:43 pm, Alan Orth wrote:
> I'm not sure if you folks saw this, but a few weeks ago the NSA updated
> their Suite B recommendations. They now recommend AES-256, curve P-384,
> and SHA-384. Here's a before and after of their "Suite B" cryptography
> recommendations:
> Before (web archive):
> https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> <https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml>
> After:
> https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
> <https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml>
> Now you need to decide to yourself if this is worth updating your
> infrastructure configuration. :)

My understanding of the facts (?) is this.

1.  NSA has mandate to protect USG agencies.  It also has a mission to 
breach everyone (else) but let's ignore that for the moment.

2.  NSA knows more about quantum than anyone else, in the sense that it 
has the budget to know, and has been spending that budget.

3.  (we suspect) NSA is worried about quantum.

4.  NSA guidelines protect out to a 25 years.  So if NSA can't rule out 
a quantum attack in the 25 year++ horizon, then they have to protect 
against a quantum attack.

5.  Current understanding is that a quantum attack reduces the 
bit-strength of an algorithm by the square-root - much like a birthday 

6.  So in essence, take previous minimum strengths (128, etc) and double 
(to baseline 256, etc).

So, what does this mean for everyone else?  Not a lot.

The problem is that NSA is mandated to protect US government agencies 
and not the rest of the world.  Following standard threat modelling, 
they built their list of threats, not your list of threats.  Their list 
of threats include a very well funded Chinese / Russian attack.  Eg, 
state of the art, monster-grade quantum supercomputer.  Which is only 
going to be used against the juciest of targets - the USA.  Lets call 
this the Bletchley Park Attack.

Our list of threats doesn't include that computer.  Because, if any 
government wants our data, they'll spend $1000 to hire a local thief, 
not $1000000000 to deploy their monster machine on us.

The NSA, by its own methodology and logic and customer, cannot afford to 
be wrong on this.  We can afford to wait, and we can afford to be wrong. 
  Wait and see.  When ordinary people (botnet operators) can buy quantum 
computers that can crack keys, we'll know about it.


ps; the key flaw in this debate is this:  using someone else's threat 
model and not realising it's wrong for you.  A common failing.

More information about the Ach mailing list