Comment by tptacek
3 years ago
Even when you're trying to be charitable, you're wildly missing the point. I don't give a fuck about NIST or NSA. I don't trust either of them and I don't even buy into the premise of what NIST is supposed to be doing: I think formal cryptographic standards are a force for evil. The point isn't that NIST is trustworthy. The point is that the PQC finalist teams are comprised of academic cryptographers from around the world with unimpeachable reputations, and it's ludicrous to suggest that NSA could have compromised them.
The whole point of the competition structure is that you don't simply have to trust NIST; the competitors (and cryptographers who aren't even entrants in the contest) are peer reviewing each other, and NIST is refereeing.
What Bernstein is counting on here is that his cheering section doesn't know the names of any cryptographers besides "djb", Bruce Schneier, and maybe, just maybe, Joan Daemen. If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them. What's upsetting is that he knows this, and he knows you don't know this, and he's exploiting that.
My reading wasn't that he thinks they built backdoors into them, but that the NSA might be aware of weaknesses in some of them, and be trying to promote the algorithms they know how to break.
"I think formal cryptographic standards are a force for evil."
May I ask what you view as the alternative? (No formal cryptographic standard, or something else?)
Peer review and "informal standards". Good examples of things that were, until long after their widespread adoption, informal standards include Curve25519, Salsa20 and ChaCha20, and Poly1305. A great example of an informal standard that remains an informal standard despite near-universal adoption is WireGuard. More things like WireGuard. Fewer things like X.509.
Both formal and informal peer review are why I like the FOIA, and standards / competition discussion to be open in general. I actually dislike closed peer review, or at least without some sort of time-gated release.
Likely scenarios that closed review hides:
- Peer review happened... But was lame. Surprisingly common, and often the typical case.
- If some discussion did come up on a likely attack... What? Was the rebuttal and final discussion satisfactory?
It's interesting if some gov team found additional things... But I'm less worried about that, they're effectively just an 'extra' review committee. Though as djb fears, a no-no if they ask to weaken something... And hence another reason it's good for the history of the alg to be public.
Edit: Now that storage and video are cheap, I can easily imagine a shift to requiring all emails + meetings to be fully published.
Edit: I can't reply for some reason, but having been an academic reviewer, including for security, and won awards for best of year/decade academic papers, I can say academic peer review may not be doing what most people think, e.g., it is often more about novelty and trends and increments from a 1 hour skim. Or catching only super obvious things outsiders and fresh researchers mess up on. Very different from, say, a yearlong $1M dedicated pentest. Which I doubt happened. It's easy to tell which kind of review happened when reading a report... Hence me liking a call for openness here.
1 reply →
As much as I like the design of WireGuard, the original paper made stronger claims of security than were achieved with respect to key exchange models. Peer review and informal standards failed in catching this. From my perspective, the true benefit of a formal standardisation process such as this is that it dangles such a publishable target in front of researchers that we formally verify/disprove these claims out in the open.
5 replies →
Thank you for actually explaining your POV. I don't understand how you expected me or the other commenters to gather this from your original comment.
If it's worth anything, you have changed my opinion on this. You raise very good points.
You're probably right about my original comment, and I apologize. These threads are full of very impassioned, very poorly-informed comments --- I'm not saying I'm well-informed about NIST PQC, because I'm not, but, I mean, just, wow --- and in circumstances like that I tend to play my cards very close to my chest; it's just a deeply ingrained message board habit of mine. I can see how it'd be annoying.
I spent almost 2 decades as a Daniel Bernstein ultra-fan --- he's a hometown hero, and also someone whose work was extremely important to me professionally in the 1990s, and, to me at least, he has always been kind and cheerful; he even tried to give us some ideas for ECC challenges for Cryptopals. I know what it's like to be in the situation of (a) deeply admiring Bernstein and (b) only really paying attention to one cryptographer in the world (Bernstein).
But talk to a bunch of other cryptographers --- and, also, learn about the work a lot of other cryptographers are doing --- and you're going to hear stories. I'm not going to say Bernstein has a bad reputation; for one thing, I'm not qualified to say that, and for another I don't think "bad" is the right word. So I'll put it this way: Bernstein has a fucked up reputation in his field. I am not at all happy to say that, but it's true.
Can you elaborate on his reputation?
5 replies →
> If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them.
Please point to this suggestion.
Reload the page, scroll to the top, and click the title, which will take you to the blog post we're commenting on, which makes the suggestion.