
Comment by wnevets

2 years ago

Correct me if I'm wrong, but everything is also being done out in the open for everyone to see. NIST isn't using some secret analysis to make any recommendations.

Teams of cryptographers submit several proposals (and break each other's proposals). These people are well respected, largely independent, and assumed honest. Some of the mailing lists provided by NIST where cryptographers collaborated to review each other's work are public.

NIST may or may not consort with your friendly local neighborhood NSA people, who are bright and talented contributors in their own right. That's simply in addition to reading the same mailing lists.

At the end, NIST gets to pick a winner and explain their reasoning. What influenced the decision is surely a combination of things, some of which may be internal or private discussions.

  • > NIST may or may not consort with your friendly local neighborhood NSA people

    It is worth noting that while breaking codes is a big part of the NSA's job, they also have a massive organization (NSA Cybersecurity, but I prefer the old name Information Assurance) that works to protect US and allied systems and cryptographic applications.

    In the balance, weakening American standards does little to help with foreign collection. Their efforts would be much better spent injecting into the GOST process (Russia and friends) or State Cryptography Administration (China and friends).

    • > In the balance, weakening American standards does little to help with foreign collection.

      While that makes logical sense, the previous actions of the NSA have demonstrated that they're not a logical actor in regards to this stuff, or that there's more going on.

    • > In the balance, weakening American standards does little to help with foreign collection.

      Though it can be greatly beneficial for domestic collection. Further, so long as the US remains a dominant player in Tech and Tech-influenced fields like finance, odds are a lot of the world is going to be at least de facto using US standards.

  • I was under the impression that only fools trust NIST after DUAL_EC_whatsit.

    Is that not the case?

My rule of thumb in these situations is always: if they could, they would.

I've seen enough blatant disregard for humanity to assume any kind of honesty in the powers that were.

  • I'm sure the NSA 9-5ers justify weakening standards processes by the fact it's still secure enough to be useful for citizens and some gov orgs but flawed enough to help themselves when it matters at x point in the future.

    No one can say they pushed some useless or overtly backdoored encryption. That's rarely how Intel agencies work. It's also not how they need to work to maintain their effectiveness indefinitely.

    When the CIA is trying to recruit for HUMINT, if they can get claws into anything, whether it's a business conference that has a 0.1% chance they'll meet some pliable young but likely future industry insider that may or may not turn into a valuable source, then they'll show up to that conference every single year. It's a matter of working every angle you can get.

    They aren't short of people, time, or money. And in security tiny holes in a dam turn into torrents of water all the time.

    The fact NIST is having non-public backroom meetings with NSA, concealing NSA employee paper authors, generating a long series of coincidental situations preferencing one system, and stonewalling FOIAs from reputable individuals. IDK, if I was a counterintelligence officer in charge of detecting foreign IC work I'd be super suspicious of anything sold as safe and open from that org.

> everything is also being done out in the open for everyone to see

Well, everything apart from the secret stuff:

"I filed a FOIA request "NSA, NIST, and post-quantum cryptography" in March 2022. NIST stonewalled, in violation of the law. Civil-rights firm Loevy & Loevy filed a lawsuit on my behalf.

That lawsuit has been gradually revealing secret NIST documents, shedding some light on what was actually going on behind the scenes, including much heavier NSA involvement than indicated by NIST's public narrative"

  • Thing is... no lawsuit will ever reveal documents directly against the USA's national interest.

    Every single document will be reviewed by a court before being opened up, and any which say "We did this so we can hoodwink the public and snoop on Russia and China" won't be included.

    • > any which say "We did this so we can hoodwink the public and snoop on Russia and China" won't be included

      Ever since Snowden we know it's actually "hoodwink the public and snoop on the public".

      Russia and China are just an excuse.

There is a final standardization step where NIST selects constants, and this is done without always consulting the research team. Presumably these are usually random, but the ones chosen for the Dual-EC DRBG algorithm seem to have been compromised. SHA-3 also had some suspicious constants/padding, but that hasn't been shown to be vulnerable yet.

  • The problem with Dual EC isn't the sketchy "constants", but rather the structure of the construction, which is a random number generator that works by doing a public key transformation on its state. Imagine CTR-DRBG, but standardized with a constant AES key. You don't so much wonder about the provenance of the key so much as wonder why the fuck there's a key there at all.

    I don't know of any cryptographer or cryptography engineer that takes the SHA3 innuendo seriously. Do you?

    Additional backstory that might be helpful here: about 10 years ago, Bernstein invested a pretty significant amount of time in a research project designed to illustrate that "nothing up my sleeve" numbers, like constants formed from digits of pi, e, etc., could be used to backdoor standards. When we're talking about people's ability to cast doubt on standards, we should keep in mind that the paragon of that idea believes it to be true of pi.

    I'm fine with that, for what it's worth. Cryptography standards are a force for evil. You can just reject the whole enterprise of standardizing cryptography of any sort, and instead work directly from reference designs from cryptographers. That's more or less how Chapoly came to be, though it's standardized now.

    • I do know a few cryptographers who were suspicious of SHA-3 when it came out, but after some napkin math and no obvious hole was found, they were fine with it. The actual goal of that extra padding was to get extra one bits in the input to avoid possible pathological cases.

      My understanding of the Dual-EC problem may be different than yours. As I understand it, the construction is such that if you choose the two constants randomly, it's fine, but if you derived them from a known secret, the output was predictable for anyone who knows the secret. NIST did not provide proof that the constants used were chosen randomly.

      Random choice would be equivalent to encrypting with a public key corresponding to an unknown private key, while the current situation has some doubt about whether the private key is known or not.

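The trapdoor the two comments above describe (a hidden scalar d with d*Q = P lets whoever knows d turn one output back into the next internal state) is small enough to show end to end. What follows is an added example, not code from the thread or from SP 800-90A: curve arithmetic is plain Python over NIST P-256 (the curve Dual EC actually used), but the points P and Q are generated locally with a deliberately known relation rather than being the standard's constants, the seed and trapdoor values are arbitrary constants chosen for the demo, and the number of truncated output bits is cut from the standard's 16 to 4 so the candidate loop runs in about a second. Everything else (state update by P, output by Q, attacker lifting the output back onto the curve and multiplying by d) is the structure the comments are talking about.

```python
# Added toy demonstration of the Dual EC DRBG trapdoor (not the standard's
# parameters, not code from the thread).  Needs Python 3.8+ for pow(x, -1, m).

# NIST P-256 domain parameters (FIPS 186-4).
P_MOD = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P_MOD - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

TRUNC_BITS = 4            # the standard drops 16 bits; that is just a 2**16 loop instead
OUT_BITS = 256 - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD          # chord
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Recover a curve point with x-coordinate x (p = 3 mod 4), or None."""
    if not 0 <= x < P_MOD:
        return None
    rhs = (pow(x, 3, P_MOD) + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def make_constants(d):
    """Designer's step.  P is the base point; Q is chosen so that d*Q = P.
    Whoever keeps d has the trapdoor.  An honestly random Q would have no
    known d, and finding one is the discrete log problem."""
    return G, ec_mul(pow(d, -1, N), G)


def dual_ec_outputs(seed, P, Q, count):
    """Simplified Dual EC: s_i = x(s_{i-1}*P), r_i = x(s_i*Q) with top bits dropped."""
    s, out = seed, []
    for _ in range(count):
        s = ec_mul(s, P)[0]
        out.append(ec_mul(s, Q)[0] & OUT_MASK)
    return out


def recover_state(r1, r2, d, P, Q):
    """Attacker holding d: from two consecutive outputs, recover the state that
    produced r2; every later output follows from it.  Returns None if no
    candidate fits, which is what happens when d is not the real trapdoor."""
    for hi in range(1 << TRUNC_BITS):
        R = lift_x((hi << OUT_BITS) | r1)      # candidate for +/- s1*Q
        if R is None:
            continue
        s2 = ec_mul(d, R)[0]                   # d*(s1*Q) = s1*P, whose x is the next state
        if ec_mul(s2, Q)[0] & OUT_MASK == r2:  # sign ambiguity does not matter: same x
            return s2
    return None


def demo(seed=0x1D2C3B4A59687766, d=0xC0FFEE123456789ABCDEF, steps=5):
    """Returns (trapdoor_predicts_future, honest_observer_fails)."""
    P, Q = make_constants(d)
    outs = dual_ec_outputs(seed, P, Q, steps)
    state = recover_state(outs[0], outs[1], d, P, Q)
    predicted = dual_ec_outputs(state, P, Q, steps - 2) if state is not None else None
    stranger = recover_state(outs[0], outs[1], d + 1, P, Q)   # same attack, wrong scalar
    return predicted == outs[2:], stranger is None


if __name__ == "__main__":
    assert ec_mul(N, G) is None, "curve parameters mistyped"
    print(demo())
```

The honest-observer check is the point of the second comment above: the attack code is identical, only the scalar differs, so the security of the construction rests entirely on nobody knowing a d with d*Q = P, and a designer who picked Q as (d^-1)*P cannot be distinguished from one who picked it at random by looking at the constants alone.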

You don't really know, but you can be reasonably sure that they didn't sabotage the submissions themselves.