Comment by tptacek

3 years ago

This is the least compelling argument Bernstein makes in the whole post, because it's simply not the job of the NIST PQC program to design or recommend hybrid classical/PQC schemes. Is it fucky and weird if NSA later decides to recommend against people using hybrid key establishment? Yes. Nobody should listen to NSA about that, or anything else. But NIST ran a PQC KEM and signature contest, not a secure transport standardization. Sir, this is a Wendy's.

It’s compelling in context. If the NSA influenced NIST standards 3x in the past — DES, DSA, Dual EC — then shouldn’t we be on high alert this 4th time around?

That NSA is already recommending against hybrid, instead of waiting for the contest results, might signal they’ve once again managed to game the standardization process itself.

At the very least — given the exhaustive history in this post — you’d like to know what interactions NSA and NIST have had this time around. Thus, djb’s FOIA. And thus the lawsuit when the FOIA went unanswered. It all seems very reasonable to me.

What’s that old saying, “fool me thrice…”?

  • Everybody is on high alert. Being on high alert doesn't make Bernstein right.

    I don't even support the premise of NIST crypto standardization, let alone trust them to do it.

    • > Everybody is on high alert. Being on high alert doesn't make Bernstein right.

      What exactly are you arguing for, with this? Pretty sure the dude you're replying to knows about the existence of cognitive biases, thanks.