Remembering Dual-EC DRBG…

I was talking shop with a colleague yesterday. The topic turned to cryptography, then to the challenges of properly implementing core cryptographic systems, and I found myself reflecting on the Dual EC DRBG fiasco.

It was a pretty amazing crash for the NSA. They had been cultivating the trust of the cryptography community ever since the changes they made to the S-box structure of DES were found to have strengthened it against differential cryptanalysis.

For some years following that it seemed that the NSA had established some credibility with the community. They still pushed for legal limitations on export and for backdoor requirements (Clipper), but they did not appear to be lying to the technical community about the mechanics of things.

Elliptic curve cryptosystems started the erosion of that trust: there was substantial suspicion about the strength of some of the constructs, and the NSA appeared to be pushing them rather hard as a replacement for the existing designs.

Dual EC DRBG was a design for an elliptic curve based random number generator that the NSA pushed into standards and whose adoption it drove at a number of organizations. It turned out to be (likely intentionally) flawed: the output samples appear random and well distributed when examined, but knowledge of how the two fixed curve points (which need to be chosen carefully) relate to each other allows an attacker to predict values in the stream.
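To make the failure mode concrete, here is an added toy model of the Dual EC construction (not the author's code, and not the real P-256 generator). It uses the textbook curve y^2 = x^3 + 2x + 2 over GF(17), whose point group has prime order 19, a hypothetical secret scalar BACKDOOR relating the two fixed points, and a simplified state reduction; it shows that whoever knows that relation can predict every later output from a single observed one, which is why unexplained public constants in a generator should be treated as a red flag.

```python
# Toy Dual-EC-style generator over y^2 = x^3 + 2x + 2 mod 17 (group order 19).
# Curve, points and the secret scalar are constructed for illustration only.
FIELD = 17
ORDER = 19
A, B = 2, 2
Q_PT = (5, 1)                  # fixed point Q (generator of the order-19 group)
BACKDOOR = 7                   # hypothetical secret: BACKDOOR * Q == P

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

P_PT = ec_mul(BACKDOOR, Q_PT)  # fixed point P, secretly derived from Q

def to_scalar(x):
    """Toy reduction of an x-coordinate to a nonzero scalar mod ORDER."""
    return 1 + x % (ORDER - 1)

def dual_ec_outputs(seed, n):
    """Generator: s_i = x(s_{i-1}*P), output r_i = x(s_i*Q) (no truncation here)."""
    s, outs = to_scalar(seed), []
    for _ in range(n):
        s = to_scalar(ec_mul(s, P_PT)[0])
        outs.append(ec_mul(s, Q_PT)[0])
    return outs

def predict_next(r, backdoor):
    """Holder of the secret: lift r to a point R = +/-(s*Q); then backdoor*R = +/-(s*P),
    whose x-coordinate is the next internal state, which yields the next output."""
    y = next(y for y in range(FIELD) if (y * y - r ** 3 - A * r - B) % FIELD == 0)
    s_next = to_scalar(ec_mul(backdoor, (r, y))[0])
    return ec_mul(s_next, Q_PT)[0]
```

Without the secret scalar, an observer sees only x-coordinates of points and cannot step to the next state; with it, each output fixes all that follow.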

The NSA's role in this process was significant, and it appears that they were aware of (and interested in widely disseminating) the weaknesses inherent in the design before they began pushing it.

At this point this generator has featured prominently in several security issues and has (I believe) been formally repudiated for real use. The Juniper issue was partially related to a failed attempt to remedy the issues with this generator (and partially appears to have been intentional sabotage of their designs).

At this point, I expect that the academic cryptography community will likely be assuming that any input from the NSA is toxic (and any organization would likely run screaming from an algorithm that had NSA input). I expect it will be decades (if ever) before government security agencies can shake the damage done in the last couple…
