des history nsa
Updated Sat, 25 Jun 2022 09:55:50 GMT

Aside from DES, has the NSA ever strengthened algorithms?

When DES was originally developed, the NSA changed the s-boxes. For decades, people thought that their changes introduced a backdoor, but then it was discovered that their changes actually strengthened DES against differential cryptanalysis.

The NSA is well known for its placement of backdoors into algorithms. In a way, they did this with DES when they reduced its key strength, but Dual_EC_DRBG is the most famous contemporary example of this.

Are there any other examples of the NSA strengthening non-classified cryptographic algorithms?


Almost certainly, at least once.

It is a mistake to think of the NSA merely as a SIGINT (signals intelligence) operation. They also do defense, especially at the Information Assurance Directorate (IAD), as seen on this link to the NSA:

IAD has developed partnerships with government, industry, and academia in order to commercialize Information Assurance (IA) technology and products. By setting standards and encouraging vendors to build to those standards, IA ensures that secure devices and networks are not only available to customers, but keep pace with current technologies.

What is information assurance (IA)?

IA identifies and corrects security vulnerabilities before our adversaries exploit them...

In 2011, the Cybersecurity Operations Center (this links to the NSA) was created.

The Cybersecurity Collaboration Center is NSA's groundbreaking hub for engagement with the private sector. These partnerships help NSA to prevent and eradicate foreign cyber threats to National Security Systems (NSS), the Department of Defense (DoD), and the Defense Industrial Base (DIB).

On this page, the CCC describes its job, and among the points is this:

Develop guidance and technologies [boldface mine] to improve the security and capabilities of cross domain solutions

The case in point--that shows what must have been NSA involvement--is the identification and elimination of a weakness in the Secure Hash Standard (SHS).

On July 11, 1994, the NIST proposed an interesting revision to FIPS 180, about the Secure Hash Standard:

A revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard (SHS), is being proposed. This proposed revision corrects a technical flaw that made the standard less secure than had been thought. The algorithm is still reliable as a security mechanism, but [sic] the correction returns the SHS to the original level of security.

FIPS PUB 180-1 explains:

A circular left shift operation has been added to the specifications in section 7, line b, page 9 of FIPS 180 and its equivalent in section 8, line c, page 10 of FIPS 180. This revision improves the security provided by this standard. The SHA-1 is based on principles similar to those used by Professor Ronald L. Rivest of MIT when designing the MD4 message digest algorithm 1, and is closely modelled [sic] after that algorithm.

NSA surely had a hand in this, and it was likely done to protect users (or was it?). Given the mandated roles of the IAD and CCC, and especially that the CCC develops technologies, it is reasonable to conclude that these technologies are sometimes shared--in order to protect U.S. critical infrastructure and correct security vulnerabilities. As far as the question goes, about strengthening algorithms, there is at least this one instance that we know about since it is unclassified.
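To make the FIPS 180-1 change quoted above concrete, here is an added example (not from the original answer, NIST, or the NSA) that implements the Secure Hash Standard with the circular left shift in the message schedule switchable, so the FIPS 180 variant (SHA-0) and the FIPS 180-1 variant (SHA-1) can be compared on the same input; the function names `shs_digest`, `sha0`, `sha1` and `matches_hashlib` are my own.

```python
# Added example: the SHA-0 -> SHA-1 revision is a single one-bit circular
# left shift (ROTL1) in the message schedule; every other step is identical.
# SHA-1 is checked against hashlib; SHA-0 is not available in hashlib.
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(x, n):
    """Circular left shift of a 32-bit word."""
    return ((x << n) | (x >> (32 - n))) & MASK

def shs_digest(message: bytes, rotate_schedule: bool) -> bytes:
    """Secure Hash Standard core. rotate_schedule=False gives FIPS 180 (SHA-0),
    rotate_schedule=True gives FIPS 180-1 (SHA-1)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Padding: 0x80, zero bytes to 56 mod 64, then 64-bit big-endian bit length.
    zeros = (56 - (len(message) + 1)) % 64
    padded = message + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(message) * 8)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            # The FIPS 180-1 correction (section 7, line b): ROTL by 1 added here.
            w.append(rotl(x, 1) if rotate_schedule else x)
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[t]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)

def sha0(message: bytes) -> str:
    return shs_digest(message, rotate_schedule=False).hex()

def sha1(message: bytes) -> str:
    return shs_digest(message, rotate_schedule=True).hex()

def matches_hashlib(message: bytes) -> bool:
    """True when this SHA-1 agrees with the platform's hashlib SHA-1."""
    return sha1(message) == hashlib.sha1(message).hexdigest()

if __name__ == "__main__":
    print("SHA-0(abc) =", sha0(b"abc"))
    print("SHA-1(abc) =", sha1(b"abc"), "hashlib agrees:", matches_hashlib(b"abc"))
```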