> Of course, one should not conclude that cryptographic algorithms using similar constants are systematically insecure (certainly, some designers are honest!) and we will not dispute the right to trust those algorithms.
I'm reminded of a controversial aspect of the design of DES. The values of the S-Boxes were unjustified, and some people feared they constituted a backdoor (much like what's alleged with Dual-EC-DRBG). It turns out that in fact they were specially chosen to strengthen DES against a cryptographic attack that the NSA was trying to keep secret.
My crypto prof in uni commented on this. (This is from memory). Apparently, the number of rounds (16) seemed to have been chosen arbitrarily. Many years later, when attacks on Feistel(?) ciphers (of which DES is one) became public, it turned out that these attacks only worked up to .... 15 rounds! So the speculation was that the NSA knew about the attack, and chose to set the round number just out of reach...
This story is kind of true, but is missing some detail. The first differential attack on DES broke up to 15 rounds, that is correct [1]. 2 years later, however, the same team broke the full 16 rounds, albeit with a hefty amount of chosen plaintexts [2]. Coppersmith disclosed the DES design choices a year after that, showing that the S-boxes had been changed to increase resistance to differential attacks, in 1994 [3]. Additionally, Matsui's linear cryptanalysis of DES didn't seem to have been taken into account and also broke through the full DES [4].
Another interesting anecdote is the tale of Skipjack, which unlike DES was an entirely NSA-designed block cipher. After it was disclosed in 1998, an impossible differential attack broke exactly 31 out of 32 rounds, and I believe that is still the best known result today [5].
My understanding is that NSA's changes to DES were all in the s-boxes, and that it was the s-box changes that hardened it against differential cryptanalysis. I think there's even a story that tries to explain how they did it (randomly generating s-boxes selecting the ones least vulnerable to the attack).
The attack is "differential analysis" -- essentially, if you have a black box encoder, carefully chosen plaintexts sent through the system can leak information, and substantially weaken DES as described.
Academic literature started discussing differential analysis in the early '90s if memory serves -- NSA helped harden against it in the 1970s!
Current wisdom is that the NSA is not nearly so far ahead of the cryptography curve these days. But, it could just be speculation. :)
That's less about advances NSA may have made ahead of industry/academia and more about the operational advantages NSA has in deploying already-plausible attacks.
https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.2...