Comment by onetimeusename
3 years ago
You wrote a large number of comments on this so I am asking this here since it's fresh.
Can you comment on why you think djb thinks it is worth investigating if the NSA is attempting to destroy cryptography with weak pqc standards? I read through some of the entries NIST just announced and there are indeed attacks, grave attacks, that exist against Kyber and Falcon. I have no reason to believe the authors of those specs work with the NSA. Wouldn't a more reasonable conclusion be that we need to do more work on pqc? Maybe I have it wrong and he is just trying to rule out that possibility but his long rant which was 80% about NIST and their history with the dual EC backdoor really points at djb concluding the NSA is deliberately trying to weaken crypto by colluding with a bunch of people who probably don't care about money or the NSA's goals that much.
You'd have to ask Bernstein. I think it's helpful to take a bit of time (I know this is a big ask) to go see how Bernstein has comported himself in other standards groups; the CFRG curve standardization discussion is a good example. The reason I said there's a lot of eye-rolling about this post among cryptographers is that I think this is pretty normal behavior for Bernstein.
I used to find it inspiring; he got himself crosswise against the IETF DNS working group, which actively ostracized him, and I thought the stance he took there was almost heroic (also, I hate DNSSEC, and so does he). But when you see that same person get in weird random fights with other people, over and over again, well: there's a common thread there.
Is it worth investigating whether NSA is trying to weaken PQC? Sure. Nobody should trust NSA. Nobody should trust NIST! There's value in NIST catalyzing all the academic asymmetric cryptography researchers into competing against each other, so the PQC event probably did everybody a service. But no part of that value comes from NIST blessing the result.
It's probably helpful for you to know that I think PQC writ large is just a little bit silly. Quantum computers of unusual size? I don't believe they exist. I think an under-appreciated reason government QC spending happens is because government spending is a goal in and of itself; one of NSA's top 3 missions is to secure more budget for NSA --- it might even be the #1 goal. Meanwhile, PQC is a full-employment program for academic cryptographers working on "Fun" asymmetric schemes that would otherwise be totally ignored in an industry that has more or less standardized on the P-curves and Curve25519.
Be that as it may: whether or not NSA is working to "weaken" CRYSTALS-Kyber is beside the point. NSA didn't invent CRYSTALS. A team of cryptographers, including some huge names in modern public key crypto research, did. Does NSA have secret attacks against popular academic crypto schemes? Probably. You almost hope so, because we pay them a fuckload of a lot of money to develop those attacks. But you can say that about literally every academic cryptosystem.
You probably also don't need me to tell you again how much I think formal cryptographic standards are a force for evil in the industry.
ok, thanks. I didn't know that about djb's history as far as picking fights with standards groups. I don't know much about him outside of the primitives he designed. That makes some sense in context now because the implication just seemed like a stretch. Cryptosystems break and have flaws in them, that's nothing new. It's just strange to leap to "The NSA did it", but again, I didn't know he just tends to accuse people of that.
I agree about the PQC stuff and committees. Anyways, thanks for clarifying this.
Just bear in mind that this is just opinions and hearsay on my part. Like, I think there's value in relaying what I think I know and what I've heard, but I'm not a cryptographer, I paid almost no attention to the PQC stuff (in fact, I pretty much only ever swapped PQC into my resident set when Bernstein managed to start drama with other cryptographers whose names I knew), and there are possibly other sides to these stories. I've seen Bernstein drama where it's pretty clear he's deeply in the wrong, and I've seen Bernstein drama where it's pretty clear he wasn't.
The suit is good. NIST isn't allowed to clown up FOIA; they have to do it right.