
That reduces the runtime from 2.7 x 10^41 universe lifetimes to 1.35 x 10^41. I'm still not worried.

What if AES-128 is used? The expected keys to check then is just 2^64.

2¹²⁷ nanoseconds would be only 390 billion times longer than the universe has existed so far (13.79 billion years). If you wanted to crack AES-128 with brute force using one-billion-key-per-second cracking computers and could only wait a year, you would need 5.4 sextillion computers. If each of those computers weighed 100 milligrams, in the neighborhood of many current chips, their total mass would be 539 trillion tonnes (5.39 × 10¹⁸ kg, 539 exagrams).

That's only about a hundred thousandth of the mass of the Moon, and there are dozens of asteroids larger than this. Since it's clearly physically possible to disassemble an asteroid, or even the entire Moon, and build computers out of it, AES-128 should not be considered secure against currently known attacks. However, currently, it is not publicly known that the NSA has converted any asteroids into computers, and it seems unlikely to have happened secretly.
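The arithmetic in the comment above, generalized into a small brute-force feasibility calculator. This is an added example, not code from the thread or from any of its participants; the universe age (13.79 billion years), the one-billion-keys-per-second machine, the 100 mg chip mass and the lunar mass used for the final comparison are assumed constants taken from (or, for the Moon, added alongside) the figures in the comment.

```python
"""Brute-force feasibility estimates for an n-bit symmetric key.

Added example (not from the Hacker News thread). The constants below are
assumptions matching the figures quoted in the discussion.
"""
import math

SECONDS_PER_YEAR = 365.25 * 86400      # Julian year, in seconds
UNIVERSE_AGE_YEARS = 13.79e9           # figure used in the thread
DEFAULT_KEYS_PER_SECOND = 1e9          # one key per nanosecond per machine
CHIP_MASS_KG = 100e-6                  # assumed 100 mg per cracking machine
MOON_MASS_KG = 7.35e22                 # approximate lunar mass (assumption)


def expected_trials(key_bits: int) -> int:
    """Keys tried on average before hitting the right one: half the keyspace."""
    return 2 ** (key_bits - 1)


def effective_bits(key_bits: int, speedup: float) -> float:
    """Security level left after a constant-factor speedup.

    A 2x speedup removes exactly one bit: 2**128 / 2 == 2**127.
    """
    return key_bits - math.log2(speedup)


def universe_lifetimes(key_bits: int,
                       keys_per_second: float = DEFAULT_KEYS_PER_SECOND) -> float:
    """How many ages of the universe a single machine needs, on average."""
    seconds = expected_trials(key_bits) / keys_per_second
    return seconds / (UNIVERSE_AGE_YEARS * SECONDS_PER_YEAR)


def machines_needed(key_bits: int,
                    keys_per_second: float = DEFAULT_KEYS_PER_SECOND,
                    deadline_years: float = 1.0) -> float:
    """Machines required to finish the expected work within the deadline."""
    work_per_machine = keys_per_second * deadline_years * SECONDS_PER_YEAR
    return expected_trials(key_bits) / work_per_machine


def fleet_mass_kg(n_machines: float, chip_mass_kg: float = CHIP_MASS_KG) -> float:
    """Total mass of the cracking fleet."""
    return n_machines * chip_mass_kg


def report(key_bits: int) -> dict:
    """Bundle the numbers a reader would want for one key size."""
    n = machines_needed(key_bits)
    mass = fleet_mass_kg(n)
    return {
        "key_bits": key_bits,
        "expected_trials": expected_trials(key_bits),
        "universe_lifetimes_one_machine": universe_lifetimes(key_bits),
        "machines_for_one_year": n,
        "fleet_mass_kg": mass,
        "fraction_of_moon": mass / MOON_MASS_KG,
    }


if __name__ == "__main__":
    for bits in (56, 128, 256):
        r = report(bits)
        print(f"AES/DES-style {bits}-bit key:")
        print(f"  expected trials           : 2^{bits - 1}")
        print(f"  universe lifetimes (1 box): {r['universe_lifetimes_one_machine']:.3g}")
        print(f"  machines to finish in 1 y : {r['machines_for_one_year']:.3g}")
        print(f"  fleet mass                : {r['fleet_mass_kg']:.3g} kg "
              f"({r['fraction_of_moon']:.2g} of the Moon)")
```

Running it reproduces the comment's figures for a 128-bit key (roughly 3.9e11 universe lifetimes for one machine, about 5.4e21 machines for a one-year attack, a fleet of about 5.4e17 kg) and shows why the same exercise for 256 bits is not worth finishing. The `effective_bits` helper is the "decrement the exponent" point from later in the thread: any constant-factor speedup, including a 2x one, costs the attacker only log2(speedup) bits.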


Example with smaller numbers:

2^10 / 2 = 512

512 is 2^9

So when dividing powers like this you decrement the exponent.

So no, it's not 2^64 but more like 2^127.

Dividing a loooong number by a small number has virtually no impact on the number.


My apologies for my flagrant error. Thank you for the correction and clarity.

When the NSA invented AES-256, they have a code they can input to just bypass it.

It's worth noting that when the NSA invented DES, they took a cipher from IBM and made it more resistant (to differential cryptanalysis, a technique that at the time wasn't known outside the NSA itself).

The NSA made it more resistant to differential cryptanalysis, but hundreds of times less resistant to brute-force attack; see http://cr.yp.to/talks/2022.11.10/slides-djb-20221110-nsa-4x3...

> NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification. . . . NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately, they compromised on a 56-bit key.

https://blog.cr.yp.to/20220805-nsa.html

> The cryptographic core of NSA's sabotage of DES was remarkably blunt: NSA simply convinced Tuchman to limit the key size to 56 bits, a glaring weakness.

> Whit Diffie and Marty Hellman wrote a paper explaining in considerable detail how to build a machine for $20 million that would break each DES key with an amortized cost of just $5000/key using mid-1970s technology. They predicted that the cost of such a brute-force attack would drop "in about 10 years time" to about $50/key, simply from chip technology improving.

> Diffie and Hellman already distributed drafts of their paper before DES was standardized. Did NSA say, oh, oops, you caught us, this isn't secure?

> Of course not. NSA claimed that, according to their own estimates, the attack was 30000 times more expensive: "instead of one day he gets something like 91 years".

The Diffie and Hellman paper from 01977 is https://ee.stanford.edu/~hellman/publications/27.pdf.

The main source here is https://archive.org/details/cold_war_iii-nsa/cold_war_iii-IS..., "American Cryptology during the Cold War, 1945-1989", DOCID: 523696, REF ID: A523696, a declassified internal NSA history. Longer version of the quote above, originally classified TOP SECRET UMBRA, from p.232 (p.240/271):

> (S CCO) The decision to get involved with NBS was hardly unanimous. From the SIGINT standpoint, a competent industry standard could spread into undesirable areas, like Third World government communications, narcotics traffickers, and international terrorism targets. But NSA had only recently discovered the large-scale Soviet pilfering of information from U.S. government and defense industry telephone communications. This argued the opposite case - that, as Frank Rowlett had contended since World War II, in the long run it was more important to secure one's own communications than to exploit those of the enemy.

> (FOUO) Once that decision had been made, the debate turned to the issue of minimizing the damage. Narrowing the encryption problem to a single, influential algorithm might drive out competitors, and that would reduce the field that NSA had to be concerned about. Could a public encryption standard be made secure enough to protect against everything but a massive brute force attack, but weak enough to still permit an attack of some nature using very sophisticated (and expensive) techniques? NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately, they compromised on a 56-bit key.

This may sound like a paranoid conspiracy theory, but it is the point of view of an NSA insider, writing in 01998 for an audience of NSA cryptanalysts and cryptographers to educate them on the history of cryptology during the Cold War. It is understandable that Schneier and others believed that the overall influence of the NSA on DES was to increase its security, because they did not have access to this declassified material when they formed those opinions; it wasn't declassified until July 26, 02013.


That's true, but the fact that NSA wanted to make brute force cheaper also suggests that they didn't have any particular offensive tricks up their sleeve (they had differential cryptanalysis but they used their knowledge defensively) like they did with Dual_EC_DRBG.

Yes; also, if they had had such tricks, they probably would have mentioned them in that document, perhaps in a following paragraph that was censored from the declassified version. But there seems to have been no such paragraph, further supporting your inference.
