Comment by jmprspret
3 years ago
> ...but I can easily imagine NIST committees not understanding something, being tricked, not looking closely, protecting big orgs by default (without maliciousness), and overall being sloppy.
I agree with this. And I think that this is more likely to be the case. But I really think with all that we now know about US governmental organisations the possibility of backdoors or coercion should not be ruled out.
Even when you're trying to be charitable, you're wildly missing the point. I don't give a fuck about NIST or NSA. I don't trust either of them and I don't even buy into the premise of what NIST is supposed to be doing: I think formal cryptographic standards are a force for evil. The point isn't that NIST is trustworthy. The point is that the PQC finalist teams are comprised of academic cryptographers from around the world with unimpeachable reputations, and it's ludicrous to suggest that NSA could have compromised them.
The whole point of the competition structure is that you don't simply have to trust NIST; the competitors (and cryptographers who aren't even entrants in the contest) are peer reviewing each other, and NIST is refereeing.
What Bernstein is counting on here is that his cheering section doesn't know the names of any cryptographers besides "djb", Bruce Schneier, and maybe, just maybe, Joan Daemen. If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them. What's upsetting is that he knows this, and he knows you don't know this, and he's exploiting that.
My reading wasn't that he thinks they built backdoors into them, but that the NSA might be aware of weaknesses in some of them, and be trying to promote the algorithms they know how to break.
"I think formal cryptographic standards are a force for evil."
May I ask what you view as the alternative? (No formal cryptographic standard, or something else?)
Peer review and "informal standards". Good examples of things that were, until long after their widespread adoption, informal standards include Curve25519, Salsa20 and ChaCha20, and Poly1305. A great example of an informal standard that remains an informal standard despite near-universal adoption is WireGuard. More things like WireGuard. Less things like X.509.
8 replies →
Thank you for actually explaining your POV. I don't understand how you expected me or the other commenters to gather this from your original comment.
If it's worth anything, you have changed my opinion on this. You raise very good points.
You're probably right about my original comment, and I apologize. These threads are full of very impassioned, very poorly-informed comments --- I'm not saying I'm well-informed about NIST PQC, because I'm not, but, I mean, just, wow --- and in circumstances like that I tend to play my cards very close to my chest; it's just a deeply ingrained message board habit of mine. I can see how it'd be annoying.
I spent almost 2 decades as a Daniel Bernstein ultra-fan --- he's a hometown hero, and also someone whose work was extremely important to me professionally in the 1990s, and, to me at least, he has always been kind and cheerful; he even tried to give us some ideas for ECC challenges for Cryptopals. I know what it's like to be in the situation of (a) deeply admiring Bernstein and (b) only really paying attention to one cryptographer in the world (Bernstein).
But talk to a bunch of other cryptographers --- and, also, learn about the work a lot of other cryptographers are doing --- and you're going to hear stories. I'm not going to say Bernstein has a bad reputation; for one thing, I'm not qualified to say that, and for another I don't think "bad" is the right word. So I'll put it this way: Bernstein has a fucked up reputation in his field. I am not at all happy to say that, but it's true.
6 replies →
> If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them.
Please point to this suggestion.
Reload the page, scroll to the top, and click the title, which will take you to the blog post we're commenting on, which makes the suggestion.