Comment by ignoramous
2 years ago
An interesting set of comments (by tptacek) from a thread in 2022 (I wonder if they still hold the same opinion in light of this latest post on NIST-PQC by djb):
> The point isn't that NIST is trustworthy. The point is that the PQC finalist teams are comprised of academic cryptographers from around the world with unimpeachable reputations, and it's ludicrous to suggest that NSA could have compromised them. The whole point of the competition structure is that you don't simply have to trust NIST; the competitors (and cryptographers who aren't even entrants in the contest) are peer reviewing each other, and NIST is refereeing.
> What Bernstein is counting on here is that his cheering section doesn't know the names of any cryptographers besides "djb", Bruce Schneier, and maybe, just maybe, Joan Daemen. If they knew anything about who the PQC team members were, they'd shoot milk out their nose at the suggestion that NSA had suborned backdoors from them. What's upsetting is that he knows this, and he knows you don't know this, and he's exploiting that.
---
> I spent almost 2 decades as a Daniel Bernstein ultra-fan --- he's a hometown hero, and also someone whose work was extremely important to me professionally in the 1990s, and, to me at least, he has always been kind and cheerful... I know what it's like to be in the situation of (a) deeply admiring Bernstein and (b) only really paying attention to one cryptographer in the world (Bernstein).
> But talk to a bunch of other cryptographers --- and, also, learn about the work a lot of other cryptographers are doing --- and you're going to hear stories. I'm not going to say Bernstein has a bad reputation; for one thing, I'm not qualified to say that, and for another I don't think "bad" is the right word. So I'll put it this way: Bernstein has a fucked up reputation in his field. I am not at all happy to say that, but it's true.
---
> What's annoying is that [Bernstein is] usually right, and sometimes even right in important new ways. But he runs the ball way past the end zone. Almost everybody in the field agrees with the core things he's saying, but almost nobody wants to get on board with his wild-eyed theories of how the suboptimal status quo is actually a product of the Lizard People.
I don't think the "these finalist teams are trustworthy" argument is completely watertight. If the US wanted to make the world completely trust and embrace subtly-broken cryptography, a pretty solid way to do that would be to make competition where a whole bunch of great, independent teams of cryptography researchers can submit their algorithms, then have a team of excellent NSA cryptographers analyze them and pick an algorithm with a subtle flaw that others haven't discovered. Alternatively, NIST or the NSA would just to plant one person on one of the teams, and I'm sure they could figure out some clever way to subtly break their team's algorithm in a way that's really hard to notice. With the first option, no participant in the competition has to that there's any foul play. In the second, only a single participant has to know.
Of course I'm not saying that either of those things happened, nor that they would be easy to accomplish. Hell, maybe they're literally impossible and I just don't understand enough cryptography to know why. Maybe the NIST truly has our best interest at heart this time. I'm just saying that, to me, it doesn't seem impossible for the NIST to ensure that the winner of their cryptography contests is an algorithm that's subtly broken. And given that there's even a slight possibility, maybe distrusting the NIST recommendations isn't a bad idea. They do after all have a history of trying to make the world adopt subtly broken cryptography.
If the NSA has back-pocketed exploits on the LWE submission from the CRYSTALS authors, it's not likely that a purely academic competition would have fared better. The CRYSTALS authors are extraordinarily well-regarded. This is quite a bank-shot theory of OPSEC from NSA.
It's true that nothing is 100% safe. And to some degree, that makes the argument problematic; regardless of what happened, one could construct a way for US government to mess with things. If you had competition of the world's leading academic cryptographers with a winner selected by popular vote among peers, how do you know that the US hasn't just influenced enough cryptographers to push a subtly broken algorithm?
But we must also recognize a difference in degree. In a competition where the US has no official influence over the result, there has to be a huge conspiracy to affect which algorithm is chosen. But in the competition which actually happened, they may potentially just need a single plant on one of the strong teams, and if that plant is successful in introducing subtle brokenness into the algorithm without anyone noticing, the NIST can just declare that team's algorithm as the winner.
I think it's perfectly reasonable to dismiss this possibility. I also think it's reasonable to recognize the extreme untrustworthiness of the NIST and decide to not trust them if there's even a conceivable way that they might've messed with the outcome of their competition. I really can't know what the right choice is.
6 replies →
This of course means we should ignore reasonable criticism of the contestants in this contest.
1 reply →
I hope he finds all sorts of crazy documents from his FOIA thing. FOIA lawsuits are a very normal part of the process (I've had the same lawyers pry loose stuff from my local municipality). I would bet real money against the prospect of him finding anything that shakes the confidence of practicing cryptography engineers in these standards. Many of the CRYSTALS team members are quite well regarded.
> actually a product of the Lizard People
Nobody says that (not that I've seen).
My reading is that he's a combative academic, railing against a standards body that refuses to say how they're working, with a deserved reputation for dishonesty and shenanigans.
I'm pretty sure that was a humorous exaggeration, and just means "conspiratorial bent". I don't think anyone really believes in Lizard People except David Icke.