[HN Gopher] Debunking NIST's calculation of the Kyber-512 securi...
___________________________________________________________________
Debunking NIST's calculation of the Kyber-512 security level
Author : bumbledraven
Score : 172 points
Date : 2023-10-03 19:49 UTC (3 hours ago)
(HTM) web link (blog.cr.yp.to)
(TXT) w3m dump (blog.cr.yp.to)
| greggsy wrote:
| It would be interesting to see Signal Sciences response to this
| Bernstein's post
| codeflo wrote:
| That's more of a diary than an article -- jargony, disorganized,
| running in circles, very hard to follow. But the information
| might be important regardless. There's a strong implication that
| NIST with help of the NSA intentionally standardized on a weak
| algorithm.
|
| We all know that's possible.
|
| But can someone who follows some of this stuff more closely
| explain what the play would be? I always assumed that weakening
| public cryptography in such a way is a risky bet, because you
| can't be sure that an attacker doesn't independently find out
| what you know. You can keep a secret backdoor key (that was the
| accusation when they released Dual_EC_DRBG), but you can't really
| hide mathematical results.
|
| Why would they be willing to risk that here?
| aaomidi wrote:
| > Why would they be willing to risk that here?
|
| Certain types of attacks basically make it so you need to have
| a specific private key to act as a backdoor. That's the current
| guess on what may be happening with the NIST ECC curves.
|
| If so, this can be effectively a US-only backdoor for a long,
| long time.
| tptacek wrote:
| I don't believe that is anybody's guess on what may be
| happening with the NIST ECC curves. Ordinarily, when people
| on HN say things like this, they're confusing Dual EC, a
| public key random number generator, known to be backdoored,
| with the NIST curve standards.
| dfox wrote:
| The issue with the NIST curves is that they were generated
| from a PRNG with some kind of completely random seed. The
| conspiracy theory there is that the seed was selected such
| as to make the curve exploitable for NSA and NSA only.
| Choosing such a seed is somewhat harder than complete break
| of the hash function (IIRC SHA-2) used in the PRNG that was
| used to derive the curve.
|
| On the other hand, there is a lot of reasons to use
| elliptic curve that was intentionally designed, so, DJB's
| designs. And well, in 2009 I would not imagine that the
| kinds of stuff that DJB publishes will end up being TLS1.3.
| tptacek wrote:
| It's very _unlikely_ the seeds were random, and they
| weren 't even ostensibly generated from a PRNG, as I
| understand it. Rather, they were passed through SHA1
| (remember: this is the 1990s), as a means to destroy any
| possible structure in the original seed. The actual seeds
| themselves aren't my story to tell, but are a story that
| other people are talking about. For my part, I'll just
| point again to Koblitz and Menenzes on the actual
| cryptographic problems with the NIST P-curve seed
| conspiracy:
|
| https://eprint.iacr.org/2015/1018.pdf
| f33d5173 wrote:
| A hash function is a (CS)PRNG. It has the key property,
| namely of being indistinguishable from randomness while
| being generated deterministically.
| tptacek wrote:
| In fact, `echo "This is my seed" | openssl sha -sha256`
| is not really a CSPRNG. Hash functions are the bases of
| many PRNGs. But I think you're abusing an ambiguity with
| the word "random" here. At any rate: we should be clear
| now on the point being made about the P-curve seeds.
| api wrote:
| Also: if the NIST ECC curves actually are backdoored then
| why would the NSA need to try to push a backdoored random
| number generator? Just exploit the already-backdoored
| curves.
| PeterisP wrote:
| Redundancy, so if one backdoor is closed/fixed/avoided,
| you still have more.
| aaomidi wrote:
| Yeah I've noticed people mixing them up. They happened
| around the same time, so I can excuse it a bit.
|
| The problem with the NIST ECC curves are that we still do
| not know where the heck that seed came from and why that
| seed specifically.
| tptacek wrote:
| See Koblitz and Menenzes:
|
| https://eprint.iacr.org/2015/1018.pdf
| manonthewall wrote:
| It's all far too conspiratorial for me. Just show me the math
| as to why it's broken, I don't need a conspiratorial mind map
| drawing speculative lines between various topics. Do an
| appendix or two for that.
| Exoristos wrote:
| You're making an assumption that the NSA cares about the
| efficacy of cryptography for other people. Why would they care
| about that?
| nmitchko wrote:
| Unfortunately, the NSA & NIST most likely is recommending a
| quantum-proof security that they've developed cryptanalysis
| against, either through high q-bit proprietary technology or
| specialized de-latticing algorithms .
|
| The NSA is very good at math, so I'm be thoroughly surprised if
| this analysis was error by mistake rather than error through
| intent.
| tptacek wrote:
| "Specialized de-latticing algorithms"?
| [deleted]
| [deleted]
| [deleted]
| jrochkind1 wrote:
| The NSA also has a mission-based interest in _breaking_ other
| people's crypto though, which is generally known.
|
| Which is generally known, so I'm surprised by your argument.
| Even if the NSA knows more than they are telling us, this
| doesn't result in most of us feeling less worried, as their
| ends may not be strengthening the public's cryptography!
| aaomidi wrote:
| Yes: https://en.wikipedia.org/wiki/Dual_EC_DRBG
|
| Also, we still to this day do not know where the seed for
| P256 and P384 came from. And we're using that everywhere.
| There is a non-zero chance that the NSA basically has a
| backdoor for all NIST ECC curves, and no one actually seems
| to care.
| brohee wrote:
| Or you find it somewhat credible but still use them because
| fending off the NSA is not something you want to spend
| energy on, and you are confident in the fact that NSA think
| no one else can find the backdoor.
| sweis wrote:
| NIST P-256 curve seed came from the X9.62 specification
| drafted in 1997. It was provided by an NSA employee, Jerry
| Solinas, as an example seed among many other seeds,
| including those provided by Certicom. Read this for more
| details: https://eprint.iacr.org/2015/1018
| garba_dlm wrote:
| I just find it sad that it's things like these that make it
| impossible for the layman to figure out what is going on
| with, for example, Mochizuki's new stuff
|
| I have no reason to doubt that a lot of math has been made
| more difficult than necessary just because it is known to
| give a subtle military advantage in some cases, but this
| isn't new;
| cosmojg wrote:
| Isn't that what the person you're replying to said?
| yung-africas wrote:
| [flagged]
| rideontime wrote:
| what do you have against dodo birds
| sweis wrote:
| "High q-bit proprietary technology" and "specialized de-
| latticing algorithms" are made up terms that nobody uses.
| tptacek wrote:
| I'm stuck on trying to work out what it would mean to de-
| lattice something. Would that transform a lattice basis into
| a standard vector space basis in R or something, or, like
| MOV, would it send the whole lattice to an element of some
| prime extension field?
|
| In my mind's eye, it's cooler: it's like, you render the
| ciphertext as a raster image, and then "de-lattice" it to
| reveal the underlying plaintext, scanline by scanline.
| garba_dlm wrote:
| i'm still working on understanding lattices better
|
| but i can imagine, based on my own ignorance, creativity,
| and lack of correct understanding, would be some kind of
| factorization.
|
| as I think while trying to better know what's a lattice, I
| imagine a lattice like a coordinate pair, but instead of
| each coordinate existing on a line, they exist on a binary
| tree (or some other directed graph explored from a root
| outwards without cycles)
|
| which means you have two such binary-trees (not necessarily
| binary, but it's just easier to work with them seemingly)
|
| and then you combine these into ONE lattice. so then, to
| de-lattice means to recover the binary trees.
|
| but when I say binary tree I'm thinking about rational
| numbers (because stern broccott trees)
| tptacek wrote:
| A lattice is like a vector space, but with exclusively
| integer coefficients. It's not a coordinate pair. If you
| think of vectors as coordinate pairs, a vector space is a
| (possibly unbounded) set of coordinate pairs. If you
| haven't done any linear algebra, a decent intuition would
| be mathematical objects like "the even numbers" or "the
| odd numbers", but substituting vectors (fixed-sized
| tuples of numbers) for scalars.
| thadt wrote:
| The unfortunate reality of this is that while he may be _right_ ,
| it is difficult to classify the responses (or non-response) from
| the NIST people as deceptive vs just not wanting to engage with
| someone coming from such an adversarial position. NIST is staffed
| by normal people who probably view aggressively worded requests
| for clarification in the same way that most of us have probably
| fielded aggressively worded bug reports.
|
| Adding accusatory hyperbolic statements like: "You exposed three
| years of user data to attackers by telling people to use Kyber
| starting when your patent license activates in 2024, rather than
| telling people to use NTRU starting in 2021!" doesn't help.
| Besides the fact that nobody is deploying standalone PQ for some
| time, there were several alternatives that NIST could have
| suggested in 2021. How about SIKE? That one was pretty nice until
| it was broken last year.
|
| Unfortunately, NIST doesn't have a sterling reputation in this
| area, but if we're going to cast shade on the algorithm and
| process, a succinct breakdown of why, along with a smoking gun or
| two would be great. Pages and pages of email analysis, comparison
| to (only) one other submission, and accusations that everyone is
| just stalling so data can be vacuumed up because it is completely
| unprotected makes it harder to take seriously. If Kyber-512 is
| actually this risky, then it deserves to be communicated clearly.
| nonrandomstring wrote:
| Love the narrative style of this writing second-guessing the
| erroneous thought processes. Are they deceptive? Who knows.
|
| What worries me is that it's neither malice nor incompetence, but
| that a new darker force has entered our world even at those
| tables with the highest stakes.... dispassion and indifference.
|
| It's hard to get good people these days. A lot of people stopped
| caring. Even amongst the young and eager. Whether it's climate
| change, the world economic situation, declining education, post
| pandemic brain-fog, defeat in the face of AI, chemicals in the
| water.... everywhere I sense a shrug of slacking off, lying low,
| soft quitting, and generally fewer fucks are given all round.
|
| Maybe that's just my own fatigue, but in security we have to
| vigilant _all the time_ and there 's only so much energy humans
| can bring to that. That's why I worry that we will lose against
| AI. Not because it's smarter, but because it doesn't have to
| _care_, whereas we do.
| r3trohack3r wrote:
| Bad systems beat good people.
|
| There are a lot of symptoms to distract yourself with. Focus on
| the game instead.
|
| A society full of good people will sort out the rest.
| bdamm wrote:
| This apathy is an interesting phenomenon, let's not ignore
| it. The Internet has brought us a wealth of knowledge but it
| has also shown us how truly chaotic the world really is. And
| negativity is a profitable way to drive engagement, so damn
| near everyone can see how problematic our society is. And
| when the algorithm finds something you care to be sad about,
| it will show you more, more, and ever more all the way into
| depression.
|
| This is the lasting legacy of the Internet, now. Not freedom
| for all to seek and learn, but freedom for the negativity
| engines to seek out your brain and suck you into personal
| obliteration.
|
| A society of good people? Nobody really cares any more. And I
| do agree with the gp; if you look, you can see it everywhere.
| What is this going to become? Collective helplessness as we
| eek out what little bits of personal fulfillment we can get
| in between endless tragedy and tantalizing promise?
| perihelions wrote:
| Related thread from last year, with 443 comments:
|
| https://news.ycombinator.com/item?id=32360533 ( _" NSA, NIST, and
| post-quantum crypto: my second lawsuit against the US government
| (cr.yp.to)"_)
| neonate wrote:
| http://web.archive.org/web/20231003195013/https://blog.cr.yp...
|
| https://archive.ph/NrOG6
| fefe23 wrote:
| If you have never heard of Bernstein, this may look like mad
| ramblings of a proto-Unabomber railing against THE MAN trying to
| oppress us.
|
| However, this man is one of the foremost cryptographers in the
| world, he has basically single-handedly killed US government
| crypto export restrictions back in the days, and (not least of
| all because of Snowden) we know that the NSA really is trying to
| sabotage cryptography.
|
| Also, he basically founded the field of post-quantum
| cryptography.
|
| Is NIST trying to derail his work by standardizing crappy
| algorithms with the help of the NSA? Who knows. But to me it does
| smell like that.
|
| Bernstein has a history of being right, and NIST and the NSA have
| a history of sabotaging cryptographic standards (google
| Dual_EC_DRBG if you don't know the story).
| NovemberWhiskey wrote:
| > _If you have never heard of Bernstein, this may look like mad
| ramblings of a proto-Unabomber railing against THE MAN trying
| to oppress us._
|
| Can I point out that Ted Kaczynski was also actually a
| mathematical prodigy, having been accepted into Harvard on a
| scholarship at 16?
| skeaker wrote:
| If you want, sure, but I think the reason he was mentioned
| with a negative connotation might be more to do with the
| murders he committed.
| [deleted]
| kpdemetriou wrote:
| Bernstein is often right, despite the controversy around the
| Gimli permutation.
|
| In this particular case it's worth noting that neither BSI
| (Germany) nor NLNCSA (The Netherlands) recommend Kyber.
|
| Unfortunately, alternative algorithms are more difficult to
| work with due to their large key sizes among other factors, but
| it's a price worth paying. At Backbone we've opted not to go
| down the easy route.
| throw0101a wrote:
| > _If you have never heard of Bernstein, this may look like mad
| ramblings of a proto-Unabomber railing against THE MAN trying
| to oppress us._
|
| > _However, this man is one of the foremost cryptographers in
| the world_ [...]
|
| It's possible to be both (not saying Bernstein is).
|
| Plenty of smart folks have 'jumped the shark' intellectually:
| Ted Kaczynski, the Unabomber, was very talented in mathematics
| before he went off the deep end.
| ignoramous wrote:
| An interesting set of comments (by tptacek) from a thread in
| 2022 (I wonder if they still hold the same opinion in light of
| this latest post on NIST-PQC by djb):
|
| > _The point isn 't that NIST is trustworthy. The point is that
| the PQC finalist teams are comprised of academic cryptographers
| from around the world with unimpeachable reputations, and it's
| ludicrous to suggest that NSA could have compromised them. The
| whole point of the competition structure is that you don't
| simply have to trust NIST; the competitors (and cryptographers
| who aren't even entrants in the contest) are peer reviewing
| each other, and NIST is refereeing._
|
| > _What Bernstein is counting on here is that his cheering
| section doesn 't know the names of any cryptographers besides
| "djb", Bruce Schneier, and maybe, just maybe, Joan Daemen. If
| they knew anything about who the PQC team members were, they'd
| shoot milk out their nose at the suggestion that NSA had
| suborned backdoors from them. What's upsetting is that he knows
| this, and he knows you don't know this, and he's exploiting
| that._
|
| ---
|
| > _I spent almost 2 decades as a Daniel Bernstein ultra-fan ---
| he 's a hometown hero, and also someone whose work was
| extremely important to me professionally in the 1990s, and, to
| me at least, he has always been kind and cheerful... I know
| what it's like to be in the situation of (a) deeply admiring
| Bernstein and (b) only really paying attention to one
| cryptographer in the world (Bernstein)._
|
| > _But talk to a bunch of other cryptographers --- and, also,
| learn about the work a lot of other cryptographers are doing
| --- and you 're going to hear stories. I'm not going to say
| Bernstein has a bad reputation; for one thing, I'm not
| qualified to say that, and for another I don't think "bad" is
| the right word. So I'll put it this way: Bernstein has a fucked
| up reputation in his field. I am not at all happy to say that,
| but it's true._
|
| ---
|
| > _What 's annoying is that [Bernstein is] usually right, and
| sometimes even right in important new ways. But he runs the
| ball way past the end zone. Almost everybody in the field
| agrees with the core things he's saying, but almost nobody
| wants to get on board with his wild-eyed theories of how the
| suboptimal status quo is actually a product of the Lizard
| People._
|
| (https://news.ycombinator.com/item?id=32365259,
| https://news.ycombinator.com/item?id=32368598,
| https://news.ycombinator.com/item?id=32365679)
| tptacek wrote:
| I hope he finds all sorts of crazy documents from his FOIA
| thing. FOIA lawsuits are a very normal part of the process
| (I've had the same lawyers pry loose stuff from my local
| municipality). I would bet real money against the prospect of
| him finding anything that shakes the confidence of practicing
| cryptography engineers in these standards. Many of the
| CRYSTALS team members are quite well regarded.
| mort96 wrote:
| I don't think the "these finalist teams are trustworthy"
| argument is completely watertight. If the US wanted to make
| the world completely trust and embrace subtly-broken
| cryptography, a pretty solid way to do that would be to make
| competition where a whole bunch of great, independent teams
| of cryptography researchers can submit their algorithms, then
| have a team of excellent NSA cryptographers analyze them and
| pick an algorithm with a subtle flaw that others haven't
| discovered. Alternatively, NIST or the NSA would just to
| plant one person on one of the teams, and I'm sure they could
| figure out some clever way to subtly break their team's
| algorithm in a way that's really hard to notice. With the
| first option, no participant in the competition has to that
| there's any foul play. In the second, only a single
| participant has to know.
|
| Of course I'm not saying that either of those things
| happened, nor that they would be easy to accomplish. Hell,
| maybe they're literally impossible and I just don't
| understand enough cryptography to know why. Maybe the NIST
| truly has our best interest at heart this time. I'm just
| saying that, to me, it doesn't seem impossible for the NIST
| to ensure that the winner of their cryptography contests is
| an algorithm that's subtly broken. And given that there's
| even a slight possibility, maybe distrusting the NIST
| recommendations isn't a bad idea. They do after all have a
| history of trying to make the world adopt subtly broken
| cryptography.
| tptacek wrote:
| If the NSA has back-pocketed exploits on the LWE submission
| from the CRYSTALS authors, it's not likely that a purely
| academic competition would have fared better. The CRYSTALS
| authors are extraordinarily well-regarded. This is quite a
| bank-shot theory of OPSEC from NSA.
| mort96 wrote:
| It's true that nothing is 100% safe. And to some degree,
| that makes the argument problematic; regardless of what
| happened, one could construct a way for US government to
| mess with things. If you had competition of the world's
| leading academic cryptographers with a winner selected by
| popular vote among peers, how do you know that the US
| hasn't just influenced enough cryptographers to push a
| subtly broken algorithm?
|
| But we must also recognize a difference in degree. In a
| competition where the US has no official influence over
| the result, there has to be a huge conspiracy to affect
| which algorithm is chosen. But in the competition which
| actually happened, they may potentially just need a
| single plant on one of the strong teams, and if that
| plant is successful in introducing subtle brokenness into
| the algorithm without anyone noticing, the NIST can just
| declare that team's algorithm as the winner.
|
| I think it's perfectly reasonable to dismiss this
| possibility. I also think it's reasonable to recognize
| the extreme untrustworthiness of the NIST and decide to
| not trust them if there's even a conceivable way that
| they might've messed with the outcome of their
| competition. I really can't know what the right choice
| is.
| tptacek wrote:
| That's an argument that would prove too much. If you
| believe NSA can corrupt academic cryptographers, then you
| might as well give up on all of cryptography; whatever
| construction you settle on as trustworthy, they could
| have sabotaged through the authors. Who's to say they
| didn't do that to Bernstein directly? If I'd been
| suborned by NSA, I'd be writing posts like this too!
| mort96 wrote:
| You're still not recognizing the difference between
| corrupting a single academic cryptographer and corrupting
| a whole bunch of academic cryptographers. This isn't so
| black and white.
|
| For what it's worth, I do think the US government could
| corrupt academic cryptographers. If I was an academic
| cryptographer, and someone from the US government told me
| to do something immoral or else they would, say, kill my
| family, and they gave me reason to believe the threat was
| genuine, I'm not so sure I wouldn't have done what they
| told me. And I know this sounds like spy movie shit, but
| this is _the US government_.
|
| One last thing though, if you're giving me the black and
| white choice between blindly trusting the outcome of a US
| government cryptography standard competition or
| distrusting the field of cryptography altogether, I
| choose the latter.
| tptacek wrote:
| As long as we're clear that your concern involves spy
| movie shit, and not mathematics or computer science, I'm
| pretty comfortable with where we've landed.
| mort96 wrote:
| If your argument is: "assuming the US government wouldn't
| be able to make someone act against their will and stay
| silent about it, the NIST recommendation is trustworthy",
| I'm certainly more inclined to distrust this
| recommendation than I was before this conversation.
|
| Note that the "forcing someone to comply" thing was just
| meant as one possibility among many, I don't see why you
| completely dismiss the idea of someone who's good at
| cryptography being in on the US's mission to intercept
| people's communications. I mean the NSA seems to be full
| of those kinds of people. You also dismiss the
| possibility that they just ... picked the algorithm that
| they thought they could break after analysing it, with no
| participant being in on anything. But I get the feeling
| that you're not really interested in engaging with this
| topic anymore, so I'll leave it at that. It's already
| late here.
| zahllos wrote:
| This comment is factually incorrect on a number of levels.
|
| 1) single-handedly killed US government crypto export
| restrictions - Bernstein certainly litigated, but was not the
| sole actor in this fight. For example, Phil Zimmerman, the
| author of PGP, published the source code of PGP as a book to
| work around US export laws, which undoubtedly helped highlight
| the futility of labelling open source software as a munition:
| https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_i...
|
| 2) Bernstein "founded" the field of post quantum cryptography:
| Uh. Ok. That's not how academia works. Bernstein was certainly
| an organiser of the first international workshop on post
| quantum cryptography, but that's not the same as inventing a
| field. Many of the primitives that are now candidates were
| being published long before this, McEliece being one of the
| oldest, but even Atjai's lattice reductions go back to '97.
|
| 3) The dual_ec rng was backdoored (previously read was and is
| fishy, poor wording on my part), but nobody at the time wanted
| NIST to standardize it because it was a _poor PRNG anyway_:
| slow and unnecessarily complicated. Here is a patent from Scott
| Vanstone on using DUAL_EC for "key escrow" which is another way
| of saying "backdoor":
| https://patentimages.storage.googleapis.com/32/9b/73/fe5401e...
| - filed in 2006. In case you don't know Scott Vanstone, he's
| the founder of Certicom. So at least one person noticed. This
| was mentioned in a blog post as a result of the Snowden leaks
| working out how the backdoor happened:
| https://blog.0xbadc0de.be/archives/155
|
| NSA have been caught in a poor attempt to sabotage a standard
| that nobody with half a brain would use. On the other hand NSA
| also designed SHA-2, which you are likely using right now, and
| I'm not aware of anyone with major concerns about it. When I
| say NSA designed it, I don't mean "input for a crypto
| competition" - a team from the NSA literally designed it and
| NIST standardized it, which is not the case for SHA-3, AES or
| the current PQC process.
|
| DJB is a good cryptographer, better than me for sure. But he's
| not the only one - and some very smart, non-NSA, non-US-citizen
| cryptographers were involved in the design of Kyber, Dilithium,
| Falcon etc.
| tptacek wrote:
| Dual EC is virtually certain to be a backdoor.
|
| I had the same take on Dual EC prior to Snowden. The big
| revelation with Snowden wasn't NSA involvement in Dual EC,
| but rather that (1) NSA had intervened to get Dual EC
| defaulted-on in RSA's BSAFE library, which was in the late
| 1990s the commercial standard for public key crypto, and (2)
| that major vendors of networking equipment were --- in
| defiance of all reason --- using BSAFE rather than vetted
| open-source cryptography libraries.
|
| DJB probably did invent the _term_ "post-quantum
| cryptography". For whatever that's worth.
| zahllos wrote:
| DualEC: agree. Wanted to point out that it was a poor PRNG
| _anyway_ and point out that the NSA's attempt at
| backdooring the RNG wasn't that great - as you say, RSA
| BSAFE used it and it made no sense. We could also point out
| they went after the RNG rather than the algorithm directly,
| which is a less obvious strategy.
|
| I'll believe he invented the term - I have a 2009 book so-
| named for which he was an editor surveying non-DLP/non-RSA
| algorithms. Still, the idea that he's "the only one who can
| produce the good algorithms" and literally everyone else on
| the pqc list (even if we subtract all the NIST people) is
| wrong is bonkers.
| ziddoap wrote:
| While I agree with a lot of what you have said,
|
| > _Still, the idea that he 's "the only one who can
| produce the good algorithms"_
|
| The parent post did not, at all, make the claim that
| Bernstein is the _only one_.
| [deleted]
| jeffrallen wrote:
| Something I've learned from a career of watching cryptographer
| flame wars: Don't bet against Bernstein, and don't trust NIST.
| jcranmer wrote:
| Notwithstanding DJB's importance to cryptography, and the fact
| that I'm ignorant of a large number of details here, there was a
| point where he lost a lot of credibility with me.
|
| Specifically, when he gets to the graphs, he says "NIST chose to
| deemphasize the bandwidth graph by using thinner red bars for
| it." That is just not proven by his evidence, and there is a very
| plausible explanation for it. The graph that has the thinner bars
| is a bar chart that has more data points than the other graph.
| Open up your favorite charting application, and observe the
| difference in a graph that has 12 data points versus one with
| 9... of course the one with 12 data points has thinner lines! At
| this point, it feels quite strongly to me that he is trying to
| interpret every action in the most malicious way possible.
|
| In the next bullet point, he complains that they're not using a
| log scale for the graph... where everything is in the same order
| of magnitude. That doesn't sound like a good use case for log
| scale, and I'm having a hard time trying to figure out why it
| might be justified in this case.
|
| Knowing that DJB was involved in NTRU, it's a little hard to
| shake the feeling that a lot of this is DJB just being salty
| about losing the competition.
| aaomidi wrote:
| > Knowing that DJB was involved in NTRU, it's a little hard to
| shake the feeling that a lot of this is DJB just being salty
| about losing the competition.
|
| There isn't a lot of people in the world with the technical
| know-how for cryptography. It's clear that competitors in this
| space are going to be reviewing eachothers work.
| tptacek wrote:
| Yes, that was the premise of the competition, and was in fact
| what happened.
| pnpnp wrote:
| Sure, but this was just a weird thing to hone in on.
| ziddoap wrote:
| > _At this point, it feels quite strongly to me that he is
| trying to interpret every action in the most malicious way
| possible._
|
| Given the long and detailed history of various governments and
| government agencies purposefully attempting to limit the public
| from accessing strong cryptography, I tend to agree with the
| "assume malice by default" approach here. Assuming anything
| else, to me at least, seems pretty naive.
| [deleted]
| DangitBobby wrote:
| If you continue reading, you'll find that they aren't
| responding to requests for clarification on their hand-waving
| computations. Suspicion is definitely warranted.
| tptacek wrote:
| An important detail you really want to understand before reading
| this is that NIST (and NSA) didn't come up with these algorithms;
| they refereed a competition, in which most of the analysis was
| done by competitors and other academics. The Kyber team was
| Roberto Avanzi, Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede
| Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler,
| Damien Stehle, and also Peter Schwabe, a collaborator of
| Bernstein's.
| wnevets wrote:
| Correct me if I'm wrong, everything is also being done out in
| the open for everyone to see. The NIST aren't using some secret
| analysis to make any recommendations.
| tux3 wrote:
| Teams of cryptographers submit several proposals (and break
| each other's proposals). These people are well respected,
| largely independent, and assumed honest. Some of the mailing
| lists provided by NIST where cryptographers collaborated to
| review each other's work are public
|
| NIST may or may not consort with your friendly local
| neighborhood NSA people, who are bright and talented
| contributors in their own right. That's simply in addition to
| reading the same mailing lists
|
| At the end, NIST gets to pick a winner and explain their
| reasonning. What influenced the decision is surely a
| combination of things, some of which may be internal or
| private discussions
| tptacek wrote:
| You don't really know, but you can be reasonably sure that
| they didn't sabotage the submissions themselves.
| pclmulqdq wrote:
| There is a final standardization step where NIST selects
| constants, and this is done without always consulting with
| the research team. Presumably, these are usually random, but
| the ones chosen for the Dual-EC DRBG algorithm seem to have
| been compromised. SHA-3 also had some suspicious
| constants/padding, but that wasn't shown to be vulnerable
| yet.
| tptacek wrote:
| The problem with Dual EC isn't the sketchy "constants", but
| rather the structure of the construction, which is a random
| number generator that works by doing a public key
| transformation on its state. Imagine CTR-DRBG, but
| standardized with a constant AES key. You don't so much
| wonder about the provenance of the key so much as wonder
| why the fuck there's a key there at all.
|
| I don't know of any cryptographer or cryptography engineer
| that takes the SHA3 innuendo seriously. Do you?
|
| Additional backstory that might be helpful here: about 10
| years ago, Bernstein invested a pretty significant amount
| of time on a research project designed to illustrate that
| "nothing up my sleeves" numbers, like constants formed from
| digits of pi, e, etc, could be used to backdoor standards.
| When we're talking about people's ability to cast doubt on
| standards, we should keep in mind that the paragon of that
| idea believes it to be true of pi.
|
| I'm fine with that, for what it's worth. Cryptography
| standards are a force for evil. You can just reject the
| whole enterprise of standardizing cryptography of any sort,
| and instead work directly from reference designs from
| cryptographers. That's more or less how Chapoly came to be,
| though it's standardized now.
| pclmulqdq wrote:
| I do know a few cryptographers who were suspicious of
| SHA-3 when it came out, but after some napkin math and no
| obvious hole was found, they were fine with it. The
| actual goal of that extra padding was to get extra one
| bits in the input to avoid possible pathological cases.
|
| My understanding of the Dual-EC problem may be different
| than yours. As I understand it, the construction is such
| that if you choose the two constants randomly, it's fine,
| but if you derived them from a known secret, the output
| was predictable for anyone who knows the secret. The NIST
| did not provide proof that the constants used were chosen
| randomly.
|
| Random choice would be equivalent to encrypting with a
| public key corresponding to an unknown private key, while
| the current situation has some doubt about whether the
| private key is known or not.
| tptacek wrote:
| Who were those cryptographers?
| codr7 wrote:
| My rule of thumb in these situations is always: if they
| could, they would.
|
| I've seen enough blatant disregard for humanity to assume any
| kind of honesty in the powers that were.
| [deleted]
| kpdemetriou wrote:
| [delayed]
___________________________________________________________________
(page generated 2023-10-03 23:00 UTC)