
hey now don't forget Speck, the cipher so dang great they not only refused any real discussion with cryptographers and linux kernel developers but insisted it be included on a litany of "it's classified" and "we can't tell you" boilerplate.

https://en.wikipedia.org/wiki/Speck_%28cipher%29

turns out in 2013 kernel hackers decided to tell the NSA to go pound sand into a rathole while they focused on things like ED25519 because as Bruce Schneier himself publicly stated:

"I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry."

https://en.wikipedia.org/wiki/Curve25519



This Schneier "constants" quote is kind of infamous. Notably, he's referring to elliptic curve writ large (the context is a comment on his blog where someone asks why he promotes FFDH over ECDLP-based crypto). He's not saying he no longer trusts the Dual EC constants (he never did, but he also once suggested it was somewhat unlikely to be a backdoor), or even the P-curve constants (which, for the record, I don't think anyone plausibly claims are themselves backdoored). No, he's saying we should all stay in the 1990s with FFDH, which, ironically, involves even more magic parameters.

It would be better if people avoided citing Schneier on curve cryptography, since he spent his career sort of publicly and vocally avoiding elliptic curves. Cryptography is a big discipline; it's not the case that someone with good ideas on, say, block ciphers necessarily has a lot of insight into elliptic curve or lattice cryptography or isogenies or pairings.

There's been a whole bunch of research and some controversy about SIMON and SPECK, the NSA small-footprint ciphers. The problem with backdooring something as simple as SPECK is twofold: you don't have many degrees of freedom, because block ciphers are so simple, and whatever backdoor you come up with has to be "NOBUS" to be practical --- meaning: your backdoor has to work for the NSA, but not for the GRU.

There was a cool paper last year that proposed a NOBUS-like backdoor mechanism for block cipher designs that embedded a susceptibility to linear cryptanalysis into S-boxes (that paper is also notable for a shout-out to yours truly, for writing an HN comment dumb enough to motivate a whole academic paper to refute it) --- this is Tomer Ashur and Raluca Posteuca's thing. So it's been shown that you can introduce a vulnerability --- nowhere nearly as useful as Dual EC, since linear cryptanalysis is annoying to carry out --- but it's still up in the air whether you can really make them NOBUS, because the backdooring work has to survive its own cryptanalysis to prove that up.

At any rate: I kind of doubt there's really anything sketchy about SIMON or SPECK, but it doesn't matter, because nobody is going to use it (having said this on Hacker News we can now be sure that there's a PR to introduce it to Juniper VPN devices, but I stand by it!) and because there are lots of simple low-footprint cipher designs to choose from now.


To be fair, that just puts it in the company of:

"Information wants to be free."

"I'm not my brother's keeper."

"Those who give up essential liberty to purchase temporary safety deserve neither and will soon lose both."

as aphorisms that are correct as commonly used despite their original coinage having been in service of bullshit.


> No, he's saying we should all stay in the 1990s with FFDH, which, ironically, involves even more magic parameters.

Which magic parameters are you referring to? Like the choice of groups in RFCs 2409 and 3526?


Yep. I'm just suggesting that it's tricky to evaluate FFDH groups for different applications (for instance, with SRP), and there's less clear guidance about which to use, while with curves the popular curve choices are pretty intensely studied and argued about.


The thing about Speck is a shame if it turns out that it's a good cipher. Speck is trivial to implement, has decent performance and doesn't rely on S-Boxes. It's basically all anyone could ever ask for and a design I can very much appreciate. As a block cipher, it has different trade-offs than the djb ARX ChaCha20, which is a stream cipher.
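To make the "trivial to implement, no S-boxes" point concrete, here is an added, stand-alone Speck128/128 implementation (not code from the thread or from the Speck authors). The round structure, rotation amounts (8 and 3), round count (32) and the test vector are taken from the published Speck specification; the byte-level wrapper's little-endian word layout follows that specification's reference C code. Everything in it is add, rotate and XOR on 64-bit words, which is exactly why the cipher has so few "knobs" that could hide a backdoor, and also why it is a raw one-block primitive: it still needs a mode and authentication before it is usable on real data.

```python
"""Speck128/128: a pure ARX (add-rotate-xor) block cipher with no S-box.

Added illustration, not from the HN thread. Word size, rotations, round
count and test vector are from the Speck specification (Beaulieu et al.).
"""
import struct

WORD = 64
MASK = (1 << WORD) - 1
ALPHA, BETA = 8, 3   # rotation amounts for all 64-bit-word Speck variants
ROUNDS = 32          # Speck128/128 (128-bit block, 128-bit key)


def ror(x, r):
    return ((x >> r) | (x << (WORD - r))) & MASK


def rol(x, r):
    return ((x << r) | (x >> (WORD - r))) & MASK


def speck_round(x, y, k):
    # One round: rotate, modular add, XOR in the key; rotate, XOR.
    # There is no substitution table anywhere in the cipher.
    x = ((ror(x, ALPHA) + y) & MASK) ^ k
    y = rol(y, BETA) ^ x
    return x, y


def speck_round_inv(x, y, k):
    # Exact inverse of speck_round, undoing the two steps in reverse order.
    y = ror(x ^ y, BETA)
    x = rol(((x ^ k) - y) & MASK, ALPHA)
    return x, y


def expand_key(k0, l0):
    # The key schedule reuses the round function itself: the l-sequence is
    # the "x" lane, k is the "y" lane, and the round counter i plays the key.
    keys = [k0]
    l, k = l0, k0
    for i in range(ROUNDS - 1):
        l, k = speck_round(l, k, i)
        keys.append(k)
    return keys


def encrypt_words(x, y, keys):
    for k in keys:
        x, y = speck_round(x, y, k)
    return x, y


def decrypt_words(x, y, keys):
    for k in reversed(keys):
        x, y = speck_round_inv(x, y, k)
    return x, y


def encrypt_block(key, block):
    """Encrypt one 16-byte block under a 16-byte key (little-endian words).

    Memory layout follows the spec's reference code: key = (k0, l0),
    block = (y, x). This is a single-block primitive, not a mode of operation.
    """
    k0, l0 = struct.unpack("<QQ", key)
    y, x = struct.unpack("<QQ", block)
    x, y = encrypt_words(x, y, expand_key(k0, l0))
    return struct.pack("<QQ", y, x)


def decrypt_block(key, block):
    k0, l0 = struct.unpack("<QQ", key)
    y, x = struct.unpack("<QQ", block)
    x, y = decrypt_words(x, y, expand_key(k0, l0))
    return struct.pack("<QQ", y, x)


def spec_test_vector_passes():
    """Check the Speck128/128 test vector from the specification."""
    key = bytes(range(16))            # 00 01 ... 0f
    pt = b" made it equival"          # the spec's plaintext, 16 bytes
    ct = encrypt_block(key, pt)
    return (ct.hex() == "180d575cdffe60786532787951985da6"
            and decrypt_block(key, ct) == pt)


if __name__ == "__main__":
    print("Speck128/128 spec vector OK:", spec_test_vector_passes())
```

The whole cipher is about thirty lines of arithmetic, and the key schedule is just the round function run on the key words. That small design space is the point made above: a hidden weakness would have to live in the choice of rotation constants or round count, which is exactly what the public cryptanalysis of SIMON and SPECK has spent its time scrutinising.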


Bernstein later designed Gimli to address that alternate set of tradeoffs.


Bitcoin is a bounty designed to force the government to reveal which algorithms are secure: https://news.ycombinator.com/item?id=28860239


A bunch of unsupported conjecture does not a conspiracy make.



