Comment by jcranmer
2 years ago
Notwithstanding DJB's importance to cryptography, and the fact that I'm ignorant of a large number of details here, there was a point where he lost a lot of credibility with me.
Specifically, when he gets to the graphs, he says "NIST chose to deemphasize the bandwidth graph by using thinner red bars for it." That is just not proven by his evidence, and there is a very plausible explanation for it. The graph that has the thinner bars is a bar chart that has more data points than the other graph. Open up your favorite charting application, and observe the difference in a graph that has 12 data points versus one with 9... of course the one with 12 data points has thinner lines! At this point, it feels quite strongly to me that he is trying to interpret every action in the most malicious way possible.
In the next bullet point, he complains that they're not using a log scale for the graph... where everything is in the same order of magnitude. That doesn't sound like a good use case for log scale, and I'm having a hard time trying to figure out why it might be justified in this case.
Knowing that DJB was involved in NTRU, it's a little hard to shake the feeling that a lot of this is DJB just being salty about losing the competition.
> At this point, it feels quite strongly to me that he is trying to interpret every action in the most malicious way possible.
Given the long and detailed history of various governments and government agencies purposefully attempting to limit the public from accessing strong cryptography, I tend to agree with the "assume malice by default" approach here. Assuming anything else, to me at least, seems pretty naive.
Eh, it goes both ways. Back in the 1970s and 1980s there was a whole lot of suspicion about changes that the NSA made to DES S-boxes with limited explanation: was it a backdoor in some way? Then in 1989 white hats "discovered" differential cryptography, and realized that the changes that were made to the algorithm actually protected it from a then-unknown (to the general public) cryptographic attack. Differential cryptography worked beautifully on some other popular cryptosystems of the era, e.g. the FEAL-4 cipher could be broken with just 8 plaintext examples, while DES offered protection up to 2^47 chosen plaintexts.
The actual way that the NSA had tried to limit DES was to cap its key length at 48 bits, figuring that their advantage in computing power would let them brute force it when no one else could. (NIST compromised between the NSA's desire for 48 and the rest of the world's desire for 64, which was why DES had the always bizarre 56 bit key.) So sometimes they strengthen it, sometimes they weaken it, and so I'm not sure it's appropriate to presume malice.
> So sometimes they strengthen it, sometimes they weaken it, and so I'm not sure it's appropriate to presume malice.
If you had a dog that sometimes licked you and sometimes bit you, would you let it sleep with you?
Neither NSA nor NIST can be trusted. They brought this on themselves.
There's a meaningful difference between assuming an actor is malicious or untrustworthy and going out of your way to provide the maximally malicious interpretation of each of their actions. As a matter of rhetoric, the latter tends to give the impression of a personal vendetta.
DJB has lost a ton of credibility already within the non-government cryptography community for his frankly unhinged rants on the PQC mailing list.
If you read his posts there, it’s hard not to come away with the impression that he’s just upset his favourite scheme wasn’t chosen.
Stare into randomness for long enough, and you'll see something staring back. There's a reason I didn't go pure-math.
Hasn't djb always been rather difficult and ranty? That's certainly always been my impression of him.
If you continue reading, you'll find that they aren't responding to requests for clarification on their hand-waving computations. Suspicion is definitely warranted.
> Knowing that DJB was involved in NTRU, it's a little hard to shake the feeling that a lot of this is DJB just being salty about losing the competition.
There aren't a lot of people in the world with the technical know-how for cryptography. It's clear that competitors in this space are going to be reviewing each other's work.
Yes, that was the premise of the competition, and was in fact what happened.
Sure, but this was just a weird thing to hone in on.
FWIW, there are two NTRUs: the original one, which had no djb involvement, and NTRU Prime, which does.
Yeah. It does honestly sound like he looked at the options and decided that this one was the best, then he started contributing.