
Comment by lmeyerov

3 years ago

I'm not sure about corrupting NIST nor corrupting individual officials of NIST, but I can easily imagine NIST committees not understanding something, being tricked, not looking closely, protecting big orgs by default (without maliciousness), and overall being sloppy.

Running standards without full transparency, in my experiences of web security standards + web GPU standards is almost always due to hiding weaknesses, incompetence, security gaps of big players, & internal politics of these powerful incumbents. Think some hardware vendor not playing ball without guarantee of privacy, some Google/Apple committee member dragging their feet because of internal politics & monopoly plays. Separately, mistakes may come from standards committee member glossing over stuff in emails because they're busy: senior folks are the most technically qualified yet also most busy. Generally not because some NSA/CIA employee is telling them to do something sneaky or lying. Still FOIA-worthy (and why I rather public lists for standards), but for much lamer reasons.

> ...but I can easily imagine NIST committees not understanding something, being tricked, not looking closely, protecting big orgs by default (without maliciousness), and overall being sloppy.

I agree with this. And I think that this is more likely to be the case. But I really think with all that we now know about US governmental organisations the possibility of backdoors or coercion should not be ruled out.

  • Even when you're trying to be charitable, you're wildly missing the point. I don't give a fuck about NIST or NSA. I don't trust either of them and I don't even buy into the premise of what NIST is supposed to be doing: I think formal cryptographic standards are a force for evil. The point isn't that NIST is trustworthy. The point is that the PQC finalist teams are comprised of academic cryptographers from around the world with unimpeachable reputations, and it's ludicrous to suggest that NSA could have compromised them.

    The whole point of the competition structure is that you don't simply have to trust NIST; the competitors (and cryptographers who aren't even entrants in the contest) are peer reviewing each other, and NIST is refereeing.

    What Bernstein is counting on here is that his cheering section doesn't know the names of any cryptographers besides "djb", Bruce Schneier, and maybe, just maybe, Joan Daemen. If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them. What's upsetting is that he knows this, and he knows you don't know this, and he's exploiting that.

    • My reading wasn't that he thinks they built backdoors into them, but that the NSA might be aware of weaknesses in some of them, and be trying to promote the algorithms they know how to break.


    • "I think formal cryptographic standards are a force for evil."

      May I ask what you view as the alternative? (No formal cryptographic standard, or something else?)


    • Thank you for actually explaining your POV. I don't understand how you expected me or the other commenters to gather this from your original comment.

      If it's worth anything, you have changed my opinion on this. You raise very good points.


    • > If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them.

      Please point to this suggestion.
