Comment by hn_throwaway_99

2 years ago

Edit: Just realized the author is djb, Daniel Bernstein, which I guess is semi-ironic for me because I was recently praising him on HN for an old, well-read blog post on ipv6. Thus, I guess I may take back a bit of what I said below, or at least perhaps it would be better to say that I can better understand the adversarial tone given djb's history with NIST recommendations (more info at https://en.wikipedia.org/wiki/Daniel_J._Bernstein#Cryptograp...).

> The unfortunate reality of this is that while he may be right, it is difficult to classify the responses (or non-response) from the NIST people as deceptive vs just not wanting to engage with someone coming from such an adversarial position.

Couldn't agree with this more. I don't like to harp on form over substance, but in this case the form of this blog post was so bad I had difficulty evaluating whether the substance was worthwhile. I'm not in the field of cryptography, so I'm not qualified to assess on the merits, but my thoughts reading this were:

1. All the unnecessary snark and disparagement made me extremely wary of the message. It seemed like he was making good points, but the overall tone was similar to those YouTube "WhaT ThE ElITe DoN'T WanT YoU TO KnoW!!" videos. Frankly, the author just sounds like kind of an asshole, even if he is right.

2. Did anyone actually read this whole thing?? I know people love to harp on "the Internet has killed our attention spans", and that may be true, but the flip side is we're bombarded with so much info now that I take a very judicious approach to where I'll spend my time. On that point, if you're writing a blog post, the relevant details and "executive summary" if you will should be in the first couple paragraphs, then put the meandering, wandering diary after. Don't expect a full read if important tidbits are hidden like Where's Waldo in your meandering diary.

I read the whole thing because of who the author was.

The executive summary is above the fold:

Take a deep breath and relax. When cryptographers are analyzing the security of cryptographic systems, of course they don't make stupid mistakes such as multiplying numbers that should have been added.

If such an error somehow managed to appear, of course it would immediately be caught by the robust procedures that cryptographers follow to thoroughly review security analyses.

Furthermore, in the context of standardization processes such as the NIST Post-Quantum Cryptography Standardization Project (NISTPQC), of course the review procedures are even more stringent.

The only way for the security claims for modern cryptographic standards to turn out to fail would be because of some unpredictable new discovery revolutionizing the field.

Oops, wait, maybe not. In 2022, NIST announced plans to standardize a particular cryptosystem, Kyber-512. As justification, NIST issued claims regarding the security level of Kyber-512. In 2023, NIST issued a draft standard for Kyber-512.

NIST's underlying calculation of the security level was a severe and indefensible miscalculation. NIST's primary error is exposed in this blog post, and boils down to nonsensically multiplying two costs that should have been added.

How did such a serious error slip past NIST's review process? Do we dismiss this as an isolated incident? Or do we conclude that something is fundamentally broken in the procedures that NIST is following?

> I know people love to harp on "the Internet has killed our attention spans"

Not just that. Give your parent or grandparent a 75-page booklet to read, full of accusations and snark, and let's say it's about something they care about and actually impacts their lives (maybe a local government agency, idk). What are the odds they are going to read that A-Z versus waiting for a summary or call-to-action to be put out? The latter can be expected to happen if there is actually something worthwhile in there.

This is objectively too long for casual reading, nothing to do with anyone's attention span.

(The 75-page estimate is based on: (1) a proficient reader doing about a page per minute in most books that I know of, so pages==minutes; (2) the submission being 17.6k words; (3) average reading speed is ~250 wpm, resulting in 17.6e3/250=70 minutes; (4) this is not an easy text, it has lots of acronyms and numbers, so conservatively pad to 75.)

  • People read it because of djb’s reputation. In the future, when someone smarter than you writes something, it might benefit you to put aside your tone scolding and receive the information. It might be important.

    • Really smart people can be horrible writers. It's fair to call that out regardless of the reputation of the author.

> Did anyone actually read this whole thing?

Yup. I'm not a cryptographer, so I didn't understand most of the detail. I realized it was DJB after a couple of paragraphs.

> the relevant details and "executive summary" if you will should be in the first couple paragraphs

It wasn't written for "executives".

  • > It wasn't written for "executives".

    When writing about real-world topics (especially where the goal is to educate or change opinions), it's usually a good idea to summarize the overall piece at the beginning, regardless of the intended audience. If the piece is broken up into chapters, sections, etc., it often helps to open each of those with a summary as well.

    Like a lot of technical people, my default writing style tends to be a linear/journal-entry structure that tells a story more or less in the order it occurred. Over time I've learned that that type of structure only really works if someone is already interested in the material. Otherwise, they're likely to see a wall of text and move on.

    Summarizing the overall piece as well as sections lets the reader immediately figure out if what they're reading is relevant to them, what the author's goals are, and if there are parts they can skip over because they're already familiar with those topics.

Even worse, I expected to find a part where he reports it and includes the responses/follow-up from that... But this is the first time it's published as far as I understand? Did I miss it in the wall of text? Or is it really a huge initial writeup that may end up with someone responding "oh, we did mess up, didn't we? Let's think how to deal with that."

  • It's in there.

    He first raised the issue in April 2022.

    Then in December 2022 he asked about the evaluation of Kyber's security and they posted this[1], which included a 2^40 multiple that he wasn't sure where it came from; if it came from where he thought it did (bogus math on numbers from a paper DJB himself coauthored), then that was troubling.

    There was no response, so a few weeks later he posted his assumptions and asked if anyone else could come up with another possible explanation for what the NIST e-mail was assuming.

    This did get a response[2], the main thrust of which was:

    > While reviewers are free, as a fun exercise, to attempt to "disprove what NIST _appears_ to be claiming about the security margin," the results of this exercise would not be particularly useful to the standardization process. NIST's prior assertions and their interpretation are not relevant to the question of whether people believe that it is a good idea to standardize Kyber512.

    After further prodding, the response[3] was essentially a rather polite version of "You're the scientist and it's your model, why don't you tell us?", which DJB considers dodging his question of "How did you get these numbers?"

    At this point DJB posts[4] a dissection of the December 2022 e-mail, which is similar to the middle quarter of TFA.

    1: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...

    2: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...

    3: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...

    4: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...