Comment by some_furry

1 day ago

> and very likely backdoored post-quantum algorithms

Citation needed

Here's mine: https://keymaterial.net/2025/11/27/ml-kem-mythbusting/

nsa & eu pushing for something to change proven algorithms makes me personally automatically distrustful as both are highly rotten bad actors. i have no knowledge, nor time to eval. (and probably few people do)

all i am saying is there is no good reason to deprecate proven algs, especially not because those two institutions said so.

  • it's not just those two institutions. South Korea is running their own standardization currently, and fundamentally similar algorithms are expected to win (some more modern insights might be incorporated, due to starting >=5 years after the NIST standardization did, but still).

    The Chinese Academy of Science made their own professional recommendation to the Chinese government a few years ago to use fundamentally similar schemes. The Chinese government this year is planning to start on their own standardization. Again, it is expected they will use fundamentally similar schemes.

    The German BSD has suggested their own schemes as well, which are fundamentally similar (they suggested unstructured lattices, which is mildly different. They've also made some incompetent suggestions regarding quantum networking though iirc, so it might be a BSD-specific quirk).

    Cryptographers are paranoid by default. It's really the only reasonable way to evaluate things competently. Even among the paranoid though, there's been no plausible argument suggested that something bad is happening with the PQ transition. People will point various fingers, for example

    1. a backdoor! Except we can typically detect the possible presence of a backdoor, and nobody has suggested anything despite the designs being fundamentally fixed over the last 15 years (again, except the "one obvious" possible backdoor of standardizing an ML-KEM lattice, which was decided against for this reason), or

    2. lattice-based problems are classically weak! There is no publicly visible reason to suspect this. One might then conjecture that they're weak in only a way a nation-state can detect/exploit. Then it would be very weird that it appears that both the US and China will adopt lattice-based schemes.

    It takes more to be a competent cryptographer than to be blindly paranoid. There have been zero credible reasons presented though, and the cryptographic community has been looking into these problems and constructions for well over a decade now.

  • That's not what you said. You said that the algorithms were "very likely backdoored", despite the fact that neither NSA nor the EU had any hand in actually designing them.

  • > nsa & eu pushing for something to change proven algorithms makes me personally automatically distrustful as both are highly rotten bad actors.

    Who do you trust, then?

    > i have no knowledge, nor time to eval. (and probably few people do)

    If you do not have the expertise nor time to evaluate technical claims, how do you hope to arrive at correct technical conclusions?

    Surely, you'd trust experts in that case? Like the experts that were involved in a multi-year international standardization effort? Like the one that produced ML-KEM and ML-DSA?

    Or do you just balk at experts and "trust no one" even to your own detriment?

    • > Who do you trust, then?

      the existing algos

      > If you do not have the expertise nor time to evaluate technical claims, how do you hope to arrive at correct technical conclusions?
      >
      > Surely, you'd trust experts in that case? Like the experts that were involved in a multi-year international standardization effort? Like the one that produced ML-KEM and ML-DSA?
      >
      > Or do you just balk at experts and "trust no one" even to your own detriment?

      what detriment? there is no quantum threat, it is made up. at least not in the discussed timelines.

      besides, experts are cheap and compromisable, especially for the nation state level bodies like nsa and eu.

  • I'm not here to defend the NSA as it's trodden on liberties and rights countless times so far.

    But understand this:

    YES they have a vested interest in harvesting all of your private data for surveillance.

    That doesn't mean they DON'T have a vested interest in safeguarding their own data and that of other gov't agencies.

    They need the co-operation of the academic community and top cryptography experts to accomplish this. They cannot safeguard their own data or other agencies' data without publishing reports on what works and what doesn't.

    So either they risk leaking the encryption algorithms that work for them by hiding them and only sharing the backdoored ones with the public, which is a violation of [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle) and a massive risk.

    Or they simply cooperate with experts and publish algorithms that work for both them and everyone else.

    Which sounds simpler?