Comment by tptacek

3 years ago

Fucking everybody's position is to combine classical key exchanges with PQC KEMs. It wasn't NIST's job to standardize a classical+PQC construction. The point of the contest is to figure out which PQC constructions to use. NIST also didn't recommend that everyone implement their cryptographic handshakes in a memory-safe language. But not doing that is going to get a bunch of people owned by NSA too. Do you see how silly this argument is?

Of course it was not NIST's job to standardize a hybrid algorithm and nobody claims such a thing.

However, the silly position is that of the NSA, as shown in

https://web.archive.org/web/20220529202244im_/https://pbs.tw...

which attempts to strongly discourage the use of any "crypto redundancy" and says that they will not approve such algorithms.

  • Obviously people do claim that the NIST contest is suspect because it doesn't approve hybrid schemes; there are people who claim it on this thread.

    • Ostensibly, nistpqc is about finding safe crypto, first for TLS, second for ssh. You will argue differently, but we all expect the same end product.

      NIST has specifically asked for guidance on hybrid crypto (as well you know), as I documented elsewhere on this page.

      You assert that NIST only accepts pure post-quantum crypto. They ask for hybrid.

      Color me jaded.

      EDIT: Just for you, my fine fellow!

      'For example, in email to pqc-forum dated 30 Oct 2019 15:38:10 +0000 (2019), NIST posted technical comments regarding hybrid encryption modes and asked for feedback “either here on the pqc-forum or by contacting us at pqc-comments@nist.gov” (emphasis added).'

      https://www.google.com/url?q=https://groups.google.com/a/lis...