Comment by aidenn0
2 years ago
It's in there.
He first raised the issue in April 2022.
Then in December 2022 he asked about the evaluation of Kyber's security and they posted this[1], which included a 2^40 multiple whose origin he wasn't sure of; if it came from where he thought it did (bogus math on numbers from a paper DJB himself coauthored), then that was troubling.
There was no response, so a few weeks later he posted his assumptions and asked if anyone else could come up with another possible explanation for what the NIST e-mail was assuming.
This did get a response[2], the main thrust of which was:
> While reviewers are free, as a fun exercise, to attempt to "disprove what NIST _appears_ to be claiming about the security margin," the results of this exercise would not be particularly useful to the standardization process. NIST's prior assertions and their interpretation are not relevant to the question of whether people believe that it is a good idea to standardize Kyber512.
After further prodding, the response[3] was essentially a rather polite version of "You're the scientist and it's your model, why don't you tell us?", which DJB considers dodging his question of "How did you get these numbers?"
At this point DJB posts[4] a dissection of the December 2022 e-mail, which is similar to the middle quarter of TFA.
1: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...
2: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...
3: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...
4: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/4MBu...
> NIST's prior assertions and their interpretation are not relevant [...]
That seems to be an extraordinarily strong claim to make, without detailed explanation, which apparently wasn't provided.
There did seem to be some talking past each other. The explanation kindest to NIST is that they wanted DJB to say something like "Adopting Kyber-512 is bad because it is likely to be less strong than AES-128, and here's the math", while DJB wanted to rebut the analysis that NIST (hopefully with the aid of a member of the team developing Kyber) had done.
I think there was also a bit of DJB wanting to engage NIST in a scientific debate (and getting increasingly abrasive when this didn't happen), while NIST wanted none of that, preferring that such debates be between researchers.
However, from the point of view advanced in TFA, the best published papers implied that Kyber's security was likely very close to that of another algorithm (one that the author of TFA preferred) which was disqualified for being insufficiently strong.
Thank you. Now that's a readable summary!