
Did you trust them before?


I trusted them to at least pick an encryption that only they could break...rather than one that other nation states may be able to crack as well.


If it's breakable by them, it's breakable by anyone. Full stop. It is not possible to create an encryption scheme only breakable by NIST (or NSA, or whatever 3-4 letter agency).


Have people forgotten about this already?

https://en.wikipedia.org/wiki/Dual_EC_DRBG

It's not at all impossible to put a backdoor in a protocol which requires knowledge of a key in order to exploit. This isn't even the only example where this is thought to have occurred.


I haven't forgotten about it, no, and I stand by my original comment.

If you introduce a deliberate weakness to your encryption, the overall security is reduced to the security level of that weakness.

Relying on NOBUS ("nobody but us") is hubris (see Shadow Brokers, Snowden, etc.).


This just doesn't make technical sense. I completely agree that backdooring encryption standards is a bad thing. But Dual EC DRBG is a clear example of a NOBUS backdoor actually being that. The backdoor is equivalent to "knowing" a private key. The weakness is not some sort of computational reduction. Using this logic, you would say that no encryption method is possibly secure because you can't rely on its security once the key is exposed.
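To make the "backdoor is equivalent to knowing a private key" claim concrete (and the earlier point that the Dual EC backdoor requires knowledge of a key), here is an added toy example. It is written for this page and is not code from any commenter, from NIST, or from the SP 800-90A spec. It keeps the shape of Dual EC DRBG (r = x(s·P), s = x(r·P), output = truncated x(r·Q)) but on an assumed tiny curve y² = x³ + x + 2 over GF(1019), truncates 2 bits instead of 16, and uses an assumed seed of 777; the field size, curve, truncation width, seed and the value of e are all constructed parameters chosen so it runs in about a second. Whoever planted Q = e·P keeps d = e⁻¹ mod n; from one truncated output they lift the point R = r·Q and compute x(d·R) = x(r·P), which is the generator's next state. Everyone else has to solve d·Q = P, a discrete log, which `brute_force_trapdoor` only succeeds at because this group has roughly a thousand points.

```python
"""Toy Dual EC DRBG with its NOBUS trapdoor. Constructed example for this thread, not NIST's
or anyone's real code; curve, field, truncation width and seed are assumed toy parameters."""
import math

P_MOD = 1019   # tiny prime field; P_MOD % 4 == 3 so a square root is a single pow()
A, B = 1, 2    # y^2 = x^3 + A*x + B over GF(P_MOD); B is a non-residue, so x=0 is never on the curve
TRUNC = 256    # output = x mod 256, dropping the top bits (real Dual EC drops the top 16 of 256)
INF = None     # point at infinity

def add(p1, p2):
    """Affine short-Weierstrass point addition."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def xc(pt):
    return 0 if pt is INF else pt[0]

def lift_x(x):
    """A curve point with x-coordinate x, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def find_generator():
    """Count the curve's points, then return (P, order) for a point of maximal order."""
    n_curve = 1
    for x in range(P_MOD):
        leg = pow((x * x * x + A * x + B) % P_MOD, (P_MOD - 1) // 2, P_MOD)
        n_curve += 0 if leg == P_MOD - 1 else (1 if leg == 0 else 2)
    divisors = [k for k in range(1, n_curve + 1) if n_curve % k == 0]
    best, best_order = None, 0
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is not None:
            order = next(k for k in divisors if mul(k, pt) is INF)
            if order > best_order:
                best, best_order = pt, order
        if best_order == n_curve:
            break
    return best, best_order

def dual_ec_run(seed, Pg, Qg, count):
    """Dual EC shape: r = x(s*P); s = x(r*P); output = trunc(x(r*Q)). Returns (outputs, states)."""
    s, outs, states = seed, [], []
    for _ in range(count):
        r = xc(mul(s, Pg))
        s = xc(mul(r, Pg))
        outs.append(xc(mul(r, Qg)) % TRUNC)
        states.append(s)
    return outs, states

def recover_state(outputs, Pg, Qg, d):
    """Trapdoor attack: the output point is R = r*Q, and with P = d*Q, x(d*R) = x(r*P) is the
    next state. Enumerate the few x values the truncated output could have come from, then let
    later outputs winnow the candidates. Returns (candidate states, predicted next outputs)."""
    cands = set()
    for x in range(outputs[0], P_MOD, TRUNC):
        R = lift_x(x)
        if R is not None:
            cands.add(xc(mul(d, R)))
    rest = len(outputs) - 1
    cands = {s for s in cands if dual_ec_run(s, Pg, Qg, rest)[0] == outputs[1:]}
    return cands, {dual_ec_run(s, Pg, Qg, rest + 1)[0][-1] for s in cands}

def brute_force_trapdoor(Pg, Qg, n):
    """What anyone without d must do: solve the ECDLP d*Q = P. Only feasible because n is tiny."""
    acc = INF
    for d in range(1, n + 1):
        acc = add(acc, Qg)
        if acc == Pg:
            return d
    return None

def demo(seed=777, observed=2):
    """Plant the trapdoor, generate outputs, recover the state from them, and recover d by force."""
    Pg, n = find_generator()
    e = 5                          # assumed toy value; any e coprime with n works
    while math.gcd(e, n) != 1:
        e += 1
    d = pow(e, -1, n)              # the trapdoor: Q = e*P, so P = d*Q
    Qg = mul(e, Pg)
    outs, states = dual_ec_run(seed, Pg, Qg, observed + 1)
    cands, predicted = recover_state(outs[:observed], Pg, Qg, d)
    return {"d": d, "true_state": states[0], "state_candidates": cands,
            "actual_next": outs[observed], "predicted_next": predicted,
            "brute_forced_d": brute_force_trapdoor(Pg, Qg, n)}
```

Calling `demo()` returns the planted d, the real post-output state alongside the candidates the trapdoor holder recovers from two observed outputs, the generator's actual third output alongside the prediction, and the d found by exhaustive search. The enumeration step is the same on the real P-256 parameters (2^16 candidate x values per output, which is what the 16-bit truncation buys the attacker), and the only thing separating the trapdoor holder from everyone else is that the last function becomes a 256-bit elliptic-curve discrete logarithm.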


The reason it remained a "NOBUS" backdoor is because the whole world noticed something was funky with it pretty much immediately (even prior to standardization), and security researchers loudly told people not to use it. At that point the value of cracking open the backdoor is reduced significantly. It was standardized, and barely used except where mandated by governments, for less than 10 years.

There's no reason to think it would have remained a "NOBUS" backdoor forever. Especially if it was more widely used (i.e. higher value), and/or used for longer.

>Using this logic, you would say that no encryption method is possibly secure

I mean, to an extent that a little waterboarding will beat any encryption method, yes I would say that.

But, for 99.99% of people, your data isn't worth the waterboarding. On the flipside, a backdoor to, say, all TLS communication, would be very worth waterboarding people.


Really? It seems to me like it should be theoretically possible in some cases for the same reasons public/private key cryptography is possible.


Heh. That's fair.

I wonder what other countries do? Do their agencies trust NIST, or do they recommend their own and run their own programs for algorithms? I am thinking of, say, Germany, France, Britain etc.



Thank you. It seems they sort of follow NIST's guidelines mostly:

> The NCSC recommends ML-KEM-768 and ML-DSA-65 as providing appropriate levels of security and efficiency for most use cases.



