Comment by tptacek

3 years ago

It's just a vanilla FOIA lawsuit, of the kind hundreds of people file every month when public bodies fuck up FOIA.

If NIST puts up any kind of fight (I don't know why they would), it'll be fun to watch Matt and Wayne, you know, win a FOIA case. There's a lot of nerd utility in knowing more about how FOIA works!

But you're not going to get the secrets of the Kennedy assassination by reading this thing.

I will draw to your attention two interesting facts.

First, OpenSSH has disregarded the winning (crystals) variants, and implemented hybrid NTRU-Prime. The Bernstein blog post discusses hybrid designs.

"Use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo."

https://www.openssh.com/releasenotes.html

Second, Daniel Bernstein has filed a public complaint against the NIST process, and the FOIA stonewalling adds more concern and doubt that the current results are fair.

https://www.google.com/url?q=https://groups.google.com/a/lis...

What are the aims of the lawsuit? Can the NIST decision on crystals be overturned by the court, and is that the goal?

  • We (OpenSSH) haven't "disregarded" the winning variants, we added NTRU before the standardisation process was finished and we'll almost certainly add the NIST finalists fairly soon.

    • I will eagerly await the new kex and keytypes, and will be sure to sysupgrade.

      I will be very curious if the default kex shifts away from NTRU-Prime.

      I might also point out that crystals-kyber was coequal to NTRU-Prime at the time that you set your new default kex.

      I trust that the changelog will have a detailed explanation of all the changes that you will make, and why.

      I will "ssh-rotate" whatever you decide.

      https://www.linuxjournal.com/content/ssh-key-rotation-posix-...

  • What are the aims of the lawsuit? NIST fucked up a FOIA response. The thing you do when a public body gives you an unsatisfactory FOIA response is that you sue them. I've been involved in similar suits. I'd be surprised if NIST doesn't just cough up the documents to make this go away.

    "Can NIST's decisions on crystals be overturned by the court?" Let me help you out with that: no, you can't use a FOIA suit to "overturn" a NIST contest.

    OpenSSH implemented NTRU-Prime? What's your point? That we should just do whatever the OpenSSH team decides to do? I almost agree! But then, if that's the case, none of this matters.

    • I assume that the point was that NSA is against using hybrid algorithms like the one used by OpenSSH, which combine a traditional algorithm with a post-quantum algorithm, arguing that using both algorithms is an unnecessary complication.

      The position of D. J. Bernstein and also of the OpenSSH team is that the prudent approach is to use only hybrid algorithms until enough experience is gained with the post-quantum algorithms, to be reasonably certain that they are secure against the possible attacks.

      If they obtain the documents requested through FOIA, it is expected that they will support the opinion that the NSA recommendations should be ignored, because they have a very long history in making attempts to convince the public that certain cryptographic algorithms are secure enough, even when they were aware of weaknesses in those algorithms that they could exploit, so it was in their interest that everybody else should use them, to facilitate the NSA's tasks.

      As explained at the linked Web page, in the past NSA has forced the standardization of algorithms that had too short keys, i.e. DES and DSA, and has made partially-successful attempts to standardize back-doored algorithms like Clipper and their infamous random bit generator.

      Similarly now, they want to enforce the use of only the post-quantum winning algorithm, without the additional protection of combining it with a traditional algorithm.

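An added illustration (not code from this thread or from OpenSSH) of the hybrid "backstop" design described in the quoted OpenSSH release note and in the comment above: the session key is derived from both the post-quantum KEM secret and the X25519 secret, so an attacker who fully breaks one component still lacks the other. The X25519 half is a real RFC 7748 implementation; the sntrup761 secret is a constructed placeholder input, and the SHA-512 combiner is a simplified model of OpenSSH's sntrup761x25519-sha512 kex, not its actual code.

```python
import hashlib
import os

P = 2**255 - 19                      # Curve25519 field prime (RFC 7748)
A24 = 121665                         # (A - 2) / 4 for Curve25519
BASE = (9).to_bytes(32, "little")    # X25519 base point u = 9

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Pure-Python X25519 (RFC 7748 Montgomery ladder); demo only, not constant-time."""
    k = int.from_bytes(bytes([scalar[0] & 248]) + scalar[1:31] + bytes([(scalar[31] & 127) | 64]), "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + A24 * (aa - bb)) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hybrid_shared_key(pq_secret: bytes, ecdh_secret: bytes) -> bytes:
    """Simplified model of the sntrup761x25519-sha512 combiner: SHA-512 over the
    post-quantum KEM secret followed by the X25519 secret. Both inputs are needed
    to reproduce the key, so either component alone backstops the other."""
    return hashlib.sha512(pq_secret + ecdh_secret).digest()

def hybrid_exchange(pq_secret: bytes) -> tuple[bytes, bytes, bytes]:
    """Run the classical half of a hybrid exchange. pq_secret is a constructed
    stand-in for the sntrup761 KEM output that both sides already share.
    Returns (client_key, server_key, best_guess_of_attacker_who_broke_the_kem)."""
    client_priv, server_priv = os.urandom(32), os.urandom(32)
    client_pub, server_pub = x25519(client_priv, BASE), x25519(server_priv, BASE)
    client_key = hybrid_shared_key(pq_secret, x25519(client_priv, server_pub))
    server_key = hybrid_shared_key(pq_secret, x25519(server_priv, client_pub))
    # An adversary who recovered pq_secret (hypothetical total break of the PQ KEM)
    # and saw both public keys still has no X25519 private key and must guess.
    attacker_key = hybrid_shared_key(pq_secret, x25519(os.urandom(32), server_pub))
    return client_key, server_key, attacker_key

if __name__ == "__main__":
    c, s, a = hybrid_exchange(os.urandom(32))
    print("client == server:", c == s, "| attacker matches:", a == c)
```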

  • It's not the first time either and it won't be the last. NIST chose Rijndael over Serpent for the AES standard even though Serpent won. I vaguely recall they gave some smarmy answer. I don't think anyone submitted a FOIA, not that it would matter. I've been through that bloated semi-pseudo process and saw how easy it was to stall people and not answer a simple question.

  • >What are the aims of the lawsuit? Can the NIST decision on crystals be overturned by the court, and is that the goal?

    It sounds to me like the goal is to find out if there's any evidence of the NSA adding weaknesses into any of the algorithms. That information would allow people to avoid using those algorithms.