Comment by tptacek

3 years ago

The peer review NIST is refereeing happened in the open. Thus far, Bernstein is the only person making these claims. For all the words he burns on NIST's sordid history, he chose to participate in this NIST-run process, and imploded publicly only after the results were announced. There are dozens of cryptographers with reputations in the field comparable to Bernstein's who also participated. Bernstein is the only one suggesting that NSA bribed the contest winners.

From what I can tell, nobody who actually works in this field is taking any of this seriously; what I see is a whole lot of eye rolling and "there he goes again". But you don't get any of that on HN, because HN isn't a forum for cryptography researchers. All you get is Bernstein's cheering section.

I was part of Bernstein's cheering section! I understand the feeling. And, like, I'm still using ChaPoly and 25519 in preference to any of the alternatives! He's done hugely important work. But he has, not to put too fine a point on it, a fucked up reputation among his peers in cryptography research, and he's counting on you not to know that, and to confuse a routine, workaday FOIA lawsuit with some monumental new bit of litigation.

It's a deeply cynical thing for him to be doing.

He could have just announced, in his lovably Bernsteinian† way, that NIST had failed in its FOIA obligations, and he was holding them to account. I'd be cheering too. But he wrote a screed that culminated in an allegation that NSA had bribed members of PQC teams to weaken their submissions. Simply risible; it's embarrassing to be part of a community that dignifies that argument, even if I absolutely get why it's happening. I have contempt for him for exploiting all of you.

None of this is to take anything away from his FOIA suit. I stan his FOIA attorneys. The suit, boring as it is, is a good thing. He should win, and he almost certainly will; L&L wouldn't have taken the case if he wasn't going to. Just keep in mind, people sue and win over FOIA mistakes all the time. In Illinois, you even get fee recovery when you win. This isn't Bernstein v United States!

† I'm not being snarky; I was a multiple-decades-long admirer of that style.

The main concern that I have is the NIST refusal to consider a hybrid design as described in the blog, coupled with the fact that OpenSSH has disregarded NIST and standardized on hybrid NTRU-Prime.

There had to be substance to accomplish this, and it moves all of UNIX plus Microsoft away from CRYSTALS. It would seem hugely damaging to CRYSTALS as the winner of the latest round.

  • I don't think you understand what's going on here. The point of the PQC "contest" is to figure out which PQC constructions to use. It's not to design hybrid classical/PQC schemes: everybody already knows how to do that. The idea that NIST should have recommended CRYSTALS-Kyber+Curve25519 is a little like suggesting that they should have recommended Rijndael+DES-EDE.

    It's simply not NIST's job to tell tls-wg how to fit PQC into HTTPS, or the OpenSSH team how to fit it into SSH.

    If you trust the OpenSSH team more than NIST, that's fine. I think that's a reasonable thing to do. Just do whatever OpenSSH does, and you don't have to worry about how corrupt NIST's process is. I don't even think NIST is corrupt, and I still think you'd be better off just paying attention to whatever OpenSSH does.

    • That would make it seem that the lengthy hybrid discussion in the blog is a misdirection.

      I will grant you that this does support your argument.

      EDIT: Actually, what you have said does not seem at all correct.

      In DJB's Apon complaint, we find this text:

      'For example, in email to pqc-forum dated 30 Oct 2019 15:38:10 +0000 (2019), NIST posted technical comments regarding hybrid encryption modes and asked for feedback “either here on the pqc-forum or by contacting us at pqc-comments@nist.gov” (emphasis added).'

      If hybrid encryption is entirely beyond the purview of the NIST PQC competition, then why did this discussion and feedback request ever take place?

  • Repeating this here. We (OpenSSH) have not disregarded NIST, we just added a PQ algorithm before NIST finished their competition and we'll almost certainly add support for the finalist fairly soon.
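The hybrid construction argued about above, in the shape OpenSSH actually ships (an NTRU Prime KEM run alongside X25519, named sntrup761x25519-sha512@openssh.com), reduced to the one piece the thread is really about: the combiner that turns two independent shared secrets into one session key. This is an added example, not code from OpenSSH, NIST, or any commenter; the HKDF-SHA256 derivation, the 4-byte length-prefixed transcript layout, the `kem_ids` labels and all function names are this example's own choices, and the shared secrets and ciphertexts in the demo are random bytes constructed as stand-ins for real KEM output. It is written so the post-quantum slot is just a parameter, which is tptacek's point that hybridisation is orthogonal to which PQ construction the contest picked.

```python
"""Hybrid KEM secret combiner: added example, not code from OpenSSH, NIST or
any commenter in this thread.

"Hybrid" here means: run a classical KEM and a post-quantum KEM independently
and feed BOTH shared secrets into one KDF.  The combiner does not care which
PQ KEM filled its slot; Kyber or NTRU Prime is just a label.  HKDF-SHA256, the
4-byte length prefixes and the label strings are this example's own design
choices (assumptions, not any standard's wire format).
"""
import hashlib
import hmac
import os
from typing import Sequence, Tuple

HASH = hashlib.sha256
KEY_LEN = 32


def _encode(fields: Sequence[bytes]) -> bytes:
    """Length-prefix every field so (b"ab", b"c") and (b"a", b"bc") differ."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def _hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def _hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(
    ss_pq: bytes,
    ss_classical: bytes,
    ct_pq: bytes,
    ct_classical: bytes,
    kem_ids: Tuple[bytes, bytes] = (b"sntrup761", b"x25519"),  # labels only
) -> bytes:
    """Derive a KEY_LEN-byte session key from two independent KEM shared secrets.

    Both secrets go into the HKDF input keying material, so the output stays
    unpredictable as long as EITHER leg is still secure.  Both ciphertexts and
    the KEM identifiers are bound through the salt, so the key is tied to the
    exact exchange that produced it: swapping a ciphertext yields a different
    key rather than the session's key.
    """
    if not ss_pq or not ss_classical:
        raise ValueError("a hybrid needs both shared secrets; refusing an empty leg")
    transcript = _encode([kem_ids[0], ct_pq, kem_ids[1], ct_classical])
    salt = HASH(transcript).digest()
    prk = _hkdf_extract(salt, _encode([ss_pq, ss_classical]))
    return _hkdf_expand(prk, b"hybrid-kem-session-key", KEY_LEN)


def key_survives_one_broken_leg(ss_pq: bytes, ss_classical: bytes,
                                ct_pq: bytes, ct_classical: bytes) -> bool:
    """Model an attacker who has completely broken ONE leg.

    The attacker knows that leg's shared secret exactly but has to guess the
    other; a fresh random guess stands in for any value that is not the true
    secret.  Returns True when neither broken-leg scenario reproduces the key.
    """
    real = combine_shared_secrets(ss_pq, ss_classical, ct_pq, ct_classical)
    guess_pq = os.urandom(len(ss_pq))                # classical leg broken
    guess_classical = os.urandom(len(ss_classical))  # PQ leg broken
    classical_broken = combine_shared_secrets(guess_pq, ss_classical, ct_pq, ct_classical)
    pq_broken = combine_shared_secrets(ss_pq, guess_classical, ct_pq, ct_classical)
    return classical_broken != real and pq_broken != real


if __name__ == "__main__":
    # Constructed inputs: random bytes standing in for what the two real KEMs
    # (an NTRU Prime decapsulation and an X25519 exchange) would output.
    ss_pq, ss_classical = os.urandom(32), os.urandom(32)
    ct_pq, ct_classical = os.urandom(1039), os.urandom(32)  # sized like sntrup761 / X25519
    print(combine_shared_secrets(ss_pq, ss_classical, ct_pq, ct_classical).hex())
    print("one-leg break resisted:",
          key_survives_one_broken_leg(ss_pq, ss_classical, ct_pq, ct_classical))
```

Two design choices worth noting: the secrets are concatenated and fed through a KDF rather than XORed, because with XOR a leg whose shared secret an attacker can steer lets them cancel the other leg's contribution; and the ciphertexts are mixed in as well as the secrets, so the derived key commits to the full exchange and not just to the two raw values. Nothing in the function depends on which lattice scheme produced `ss_pq`, which is why the OpenSSH team could ship a hybrid before NIST had picked a winner and can swap the PQ leg later.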