
Comment by denton-scratch

2 years ago

> NIST's prior assertions and their interpretation are not relevant [...]

That seems to be an extraordinarily strong claim to make, without detailed explanation, which apparently wasn't provided.

There did seem to be some talking past each other. The explanation kindest to NIST is that they wanted DJB to say something like "Adopting Kyber-512 is bad because it is likely to be less strong than AES-128, and here's the math", while DJB wanted to rebut the analysis that NIST (hopefully with the aid of a member of the team developing Kyber) had done.

I think there was also a bit of DJB wanting to engage NIST in a scientific debate (and getting increasingly abrasive when this didn't happen), while NIST wanted none of that, preferring that such debates be between researchers.

However, from the point of view advanced in TFA, the best published papers implied that Kyber's security was likely very close to that of another algorithm (one that the author of TFA preferred) that was disqualified for being insufficiently strong.