
Comment by ziddoap

2 years ago

>At this point, it feels quite strongly to me that he is trying to interpret every action in the most malicious way possible.

Given the long and detailed history of various governments and government agencies purposefully attempting to limit the public from accessing strong cryptography, I tend to agree with the "assume malice by default" approach here. Assuming anything else, to me at least, seems pretty naive.

Eh, it goes both ways. Back in the 1970s and 1980s there was a whole lot of suspicion about changes that the NSA made to DES S-boxes with limited explanation: was it a backdoor in some way? Then in 1989 white hats "discovered" differential cryptography, and realized that the changes that were made to the algorithm actually protected it from a then-unknown (to the general public) cryptographic attack. Differential cryptography worked beautifully on some other popular cryptosystems of the era, e.g. the FEAL-4 cipher could be broken with just 8 plaintext examples, while DES offered protection up to 2^47 chosen plaintexts.

The actual way that the NSA had tried to limit DES was to cap its key length at 48 bits, figuring that their advantage in computing power would let them brute force it when no one else could. (NIST compromised between the NSA's desire for 48 and the rest of the world's desire for 64, which was why DES had the always bizarre 56-bit key.) So sometimes they strengthen it, sometimes they weaken it, and so I'm not sure it's appropriate to presume malice.

  • >So sometimes they strengthen it, sometimes they weaken it, and so I'm not sure it's appropriate to presume malice.

    If you had a dog that sometimes licked you and sometimes bit you, would you let it sleep with you?

    Neither NSA nor NIST can be trusted. They brought this on themselves.

There's a meaningful difference between assuming an actor is malicious or untrustworthy and going out of your way to provide the maximally malicious interpretation of each of their actions. As a matter of rhetoric, the latter tends to give the impression of a personal vendetta.

DJB has lost a ton of credibility already within the non-government cryptography community for his frankly unhinged rants on the PQC mailing list.

If you read his posts there, it’s hard not to come away with the impression that he’s just upset his favourite scheme wasn’t chosen.

  • Stare into randomness for long enough, and you'll see something staring back. There's a reason I didn't go pure-math

  • Hasn't djb always been rather difficult and ranty? That's certainly always been my impression of him.