The obvious counterexample is NOBUS[0] vulnerabilities, and intentional backdoors like the Clipper Chip[1] or Dual_EC_DRBG[2]: if you genuinely believe you are the only one who could possibly exploit it, there's no reason to avoid using it.

A more modern example is probably the NSA aggressively pushing[3] for replacing classical encryption with post-quantum encryption, rather than taking the more conservative and probably-more-secure approach of layering the two - while at the same time mandating the use of two layers of those same algorithms for their own use[4]!

[0]: https://en.wikipedia.org/wiki/NOBUS

[1]: https://en.wikipedia.org/wiki/Clipper_chip

[2]: https://en.wikipedia.org/wiki/Dual_EC_DRBG

[3]: https://blog.cr.yp.to/20251004-weakened.html

[4]: https://defense-solutions.curtisswright.com/capabilities/tec...

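The "layering" the comment above refers to is a hybrid key exchange: a classical shared secret and a post-quantum shared secret are both fed into one key-derivation step, so the session key stays secret as long as either layer holds. The block below is an added illustration, not code from the commenter or from any cited standard; the two shared secrets are constructed stand-ins (random bytes) for real X25519 and KEM outputs, and the combiner is a plain RFC 5869 HKDF over their concatenation (the transcript label and the `demo()` helper are assumptions of this example).

```python
"""Hybrid ("layered") key agreement: combine a classical and a post-quantum
shared secret so the session key stays secret as long as EITHER one does.
Added example; the shared secrets are constructed stand-ins (random bytes),
not real X25519 / ML-KEM outputs."""
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); empty salt = all zeros."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i), truncated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Concatenate both shared secrets and run them through one KDF, binding the
    handshake transcript into the info string. An adversary who knows only one
    of the two inputs cannot compute the output without recovering the other."""
    prk = hkdf_extract(b"", classical_ss + pq_ss)
    return hkdf_expand(prk, b"hybrid-session-key:" + transcript, 32)


def demo() -> tuple[bool, bool]:
    """Returns (honest_parties_agree, adversary_matches).

    Models the failure mode the comment is about: an adversary has broken the
    classical layer (knows classical_ss) but not the PQ layer. With the layered
    construction the adversary's derived key still does not match."""
    classical_ss = os.urandom(32)   # constructed stand-in for an ECDH shared secret
    pq_ss = os.urandom(32)          # constructed stand-in for a KEM shared secret
    transcript = b"constructed-handshake-transcript"

    alice = hybrid_key(classical_ss, pq_ss, transcript)
    bob = hybrid_key(classical_ss, pq_ss, transcript)
    # Adversary has classical_ss but must guess pq_ss.
    adversary = hybrid_key(classical_ss, os.urandom(32), transcript)

    return alice == bob, hmac.compare_digest(alice, adversary)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of concatenating into a single KDF rather than, say, XORing the two secrets is that HKDF treats the whole input as keying material: the weaker layer being fully known to the adversary adds nothing, while the untouched layer alone keeps the output unpredictable.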
The NSA isn't aggressively pushing for PQC; the industry is. Note that the PQC standard we have was the product of a competition won by European academic cryptographers.

> The obvious counterexample is NOBUS[0] vulnerabilities, and intentional backdoors like the Clipper Chip[1] or Dual_EC_DRBG[2]: if you genuinely believe you are the only one who could possibly exploit it, there's no reason to avoid using it.

The problem with these examples is that they weren't used in national security systems, which are the systems for which NSA has a legislated defensive responsibility.

Clipper was designed for use by the public; it was not intended to ever be used to protect classified (or even sensitive unclassified) information at all.

Likewise with Dual_EC_DRBG. The CSfC component requirements drew from the Common Criteria Protection Profiles, where Dual_EC_DRBG was never an option.

> Dual_EC_DRBG

There is no hard evidence that it was backdoored.
