I guess, but consider the alternative. Suppose I tell you, “NIST is lying to the public, at the behest of the NSA,” without any other details; you presumably would want details, evidence, an explanation of how I know about it, and a justification of my framing.
As far as I can tell, the author’s only mistake here was to not lead with this part:
In 2022, NIST announced plans to standardize a particular cryptosystem, Kyber-512. As justification, NIST issued claims regarding the security level of Kyber-512. In 2023, NIST issued a draft standard for Kyber-512. NIST’s underlying calculation of the security level was a severe and indefensible miscalculation. NIST’s primary error is exposed in this blog post, and boils down to nonsensically multiplying two costs that should have been added. How did such a serious error slip past NIST’s review process? Do we dismiss this as an isolated incident? Or do we conclude that something is fundamentally broken in the procedures that NIST is following?
From a skimming of the post, along with skimming the comments here and on HN, the following summaries can be made:
DJB has lost it
NIST made a boo boo, but no biggie
NIST is again being very underhanded just like that one time in the 90s that DJB exposed[1]
This is the NSA destroying crypto
That’s the point many, including me, are making. The post can be read in multiple ways. It’s not an effective way to make a case, or even show there is a case.
—-
[1] don’t quote me on that, the crypto wars were a long time ago.
You missed “NIST screwed up, and then continued with standardization full steam while ignoring any issues that were raised”, which seems like the most reasonable take away, and definitely hampers trust in them and their processes, regardless of whether the screw up was intentional malice or just incompetence.
Again, if that was DJB’s point, he could have made it a lot more succinctly.
Look, my point isn’t that DJB is wrong per se, it’s that it’s really really hard to take what he’s saying seriously when he writes like a crank. He’s not doing his cause any favors.
But the problem exists regardless of how poorly he is communicating it. And it affects all of us. If we ignore the problem because the only person who felt like going through the trouble to find this out is rather deranged these days, we’re not doing ourselves any favors.
I mean, you either think that ratifying an inadequate standard based on an egregious miscalculation is bad or it isn’t. I don’t think we’re disagreeing on content here.
What would you suggest is a better way to publicize this that hasn’t been tried (and failed) against NIST before? Multiple credible claims of malfeasance happen at nearly every NIST crypto decision these days.
This text will do very little to convince anyone who has not made their mind up about what they believe about NIST and DJB. It’s surprising to me that he, as an academic of long standing, has put his name on something as disorganized as this.
Myself, and a number of other cryptography practitioners I spoke with, are not finding it a useful or coherent way to convey anything. In fact, a number of people—me included—have mostly stopped engaging because of the personal attacks, constant self-promotion, legal threats, and gish galloping.
OK that’s interesting. What’s the best (non-DJB) background on this topic?
I’m seeing lots of complaints about the tone, which I can acknowledge, but it would be nice to get some commentary on the substance.
I didn’t read the post carefully, but I didn’t see personal attacks, legal threats, etc. Are you referring to this post, or other parts of this debate?
Of course, djb being an unhinged lunatic doesn’t make the problems at hand any less real, so while not engaging with him I hope you and other cryptography practitioners are taking these things seriously.
Meh, I highly doubt it’s written for a lobste.rs audience
I don’t think this writing is particularly useful for any audience.
If you know what’s going on here and agree with DJB, I think this would be better written like a reference rather than a narrative.
For anyone else, the constant imputing of malicious intent and assuming that is the only explanation for certain facts makes this very difficult to read. It also makes me doubt the reliability of the document as a whole. As someone without a lot of knowledge of this matter, I don’t think I could confidently differentiate between common ground and speculation in this piece.
There’s a lot of text there and I didn’t get through all of it, but I’m stuck feeling that this is a violation of the maxim ‘never attribute to malice that which can be adequately explained by incompetence’.
The FOA requests portray NIST talking to the NSA as some deep dark secret. The NSA is a dual-mission agency (which is a terrible idea, but that’s a separate discussion) and one of those missions is protecting US critical infrastructure and government / military communications. NIST would not be doing their jobs if they did not talk to NSA.
The complexity analysis sounds wrong, but it’s not a case of confusing addition and multiplication it’s a case of confusing dependent and independent operations. If every compute step required 2^35 memory accesses, it would be correct. The fact that they’re independent operations means that this is not correct. That’s an easy mistake to make if you do the maths without properly looking at the context. Should it have been caught in review? Yes. Fortunately, it was caught in DJB’s review.
It sounds more like someone at NIST had a promotion depending on getting something standardised for PQC and pushed things through without adequate review than a deep conspiracy. The message (Kyber is not as secure as NIST thinks’) would be a lot clearer without all of the conjecture.
I don’t think it matters if it’s incompetence or malice. The point is that NIST has (not for the first time) acted in a way that has weakened public crypto for no clear reason. Their actions and procedures should be publicly investigated and reviewed, which it seems like DJB is trying to do with FOA requests and legal action, so I support that.
Yes, that is the interpretation favourable to NIST. But it does seem to be worth considering that for some reason other than the stated evaluation criteria of tbe competition someone really wanted Kyber to win. The most concerning possible rationalebeing that someone (probably the NSA) has discovered a backdoor or some other effective crack.
I think you are right that it isn’t the likely reason. But if true it is incredibly important. A 1% chance of a backdoor seems worth investigating. (Not that FOI requests are likely to uncover that issue.)
The conversations between NIST and NSA were kept secret, at least in part. It need not be “deep dark” in order to negatively affect the standardization process; merely being secret is an issue.
A lot of what the NSA does is kept secret because that’s their default mode. They have, in the past, proposed tweaks to NIST standards to avoid possible attacks because they don’t want to disclose the attack (because some foreign power is using a different algorithm vulnerable to the attack and no one has publicly admitted independently discovering the attack). They may have also intentionally weakened others (there are conflicting reports on DES). It’s still unclear whether the null-dereference exploits introduced with SELinux were intentional and the NSA knew about that vulnerability class before anyone else or whether they were accidental.
That’s, unfortunately, to be expected from a dual-mission agency. The organisation is tasked with both making sure that US communication (military, government, and civilian) is impervious to decryption by foreign actors and making sure that foreign communication is vulnerable to decryption by US intelligence agencies (and, for extra fun, that countries that are US allies this week are not vulnerable to interception by countries that are not US allies this week, but ideally that they are vulnerable to interception by the USA). This is a completely conflicting set of goals, which also means that a secret conversation with the NSA might be a deniable malicious intervention or a positive intervention from the NSA.
I recognize your point in general, but cryptographers should generally abide by Kerchoffs’ principle. The NSA only acts this way because they genuinely believe that they are the only ones who hire skilled mathematicians; it’s an arrogance that the community should tear down.
That’s all true, but arguably implies that the only reasonable way for NIST to execute their mission is to refuse the NSA’s help, and rely on civil society to review their work.
It sounds more like someone at NIST had a promotion depending on getting something standardised for PQC
That sounds like malice as far as I’m concerned. Perhaps incompetence by the others reviewing it, but I think it‘s hard to give NIST the benefit of the doubt either way
Good grief. What happened to DJB?
There’s a right way to publicize malfeasance. An incomprehensible 20,000 word rant ain’t it.
I guess, but consider the alternative. Suppose I tell you, “NIST is lying to the public, at the behest of the NSA,” without any other details; you presumably would want details, evidence, an explanation of how I know about it, and a justification of my framing.
As far as I can tell, the author’s only mistake here was to not lead with this part:
It is probably a rant but why is it incomprehensible? To who?
And everyone is free to summarize the problem in their own succinct form.
You seem to find it comprehensible. Would you care to summarize it?
If not, why?
It’s already summarized in the comments.
Really? I don’t agree.
From a skimming of the post, along with skimming the comments here and on HN, the following summaries can be made:
That’s the point many, including me, are making. The post can be read in multiple ways. It’s not an effective way to make a case, or even show there is a case.
—-
[1] don’t quote me on that, the crypto wars were a long time ago.
You missed “NIST screwed up, and then continued with standardization full steam while ignoring any issues that were raised”, which seems like the most reasonable take away, and definitely hampers trust in them and their processes, regardless of whether the screw up was intentional malice or just incompetence.
Again, if that was DJB’s point, he could have made it a lot more succinctly.
Look, my point isn’t that DJB is wrong per se, it’s that it’s really really hard to take what he’s saying seriously when he writes like a crank. He’s not doing his cause any favors.
But the problem exists regardless of how poorly he is communicating it. And it affects all of us. If we ignore the problem because the only person who felt like going through the trouble to find this out is rather deranged these days, we’re not doing ourselves any favors.
Can you point me to a source corroborating DJB’s claims?
[Comment removed by author]
I mean, you either think that ratifying an inadequate standard based on an egregious miscalculation is bad or it isn’t. I don’t think we’re disagreeing on content here.
OK, I’ve added your viewpoint to the list of interpretations.
What would you suggest is a better way to publicize this that hasn’t been tried (and failed) against NIST before? Multiple credible claims of malfeasance happen at nearly every NIST crypto decision these days.
This text will do very little to convince anyone who has not made their mind up about what they believe about NIST and DJB. It’s surprising to me that he, as an academic of long standing, has put his name on something as disorganized as this.
Meh, I highly doubt it’s written for a lobste.rs audience
If another crypto researcher reads it and writes something either confirming or refuting it, then it will have been proven useful
Not everyone has to weigh in on every topic
Myself, and a number of other cryptography practitioners I spoke with, are not finding it a useful or coherent way to convey anything. In fact, a number of people—me included—have mostly stopped engaging because of the personal attacks, constant self-promotion, legal threats, and gish galloping.
OK that’s interesting. What’s the best (non-DJB) background on this topic?
I’m seeing lots of complaints about the tone, which I can acknowledge, but it would be nice to get some commentary on the substance.
I didn’t read the post carefully, but I didn’t see personal attacks, legal threats, etc. Are you referring to this post, or other parts of this debate?
Of course, djb being an unhinged lunatic doesn’t make the problems at hand any less real, so while not engaging with him I hope you and other cryptography practitioners are taking these things seriously.
I don’t think this writing is particularly useful for any audience.
If you know what’s going on here and agree with DJB, I think this would be better written like a reference rather than a narrative.
For anyone else, the constant imputing of malicious intent and assuming that is the only explanation for certain facts makes this very difficult to read. It also makes me doubt the reliability of the document as a whole. As someone without a lot of knowledge of this matter, I don’t think I could confidently differentiate between common ground and speculation in this piece.
It reads like “DJB gave a lecture and some poor soul of a grad student got to transcribe it.”
God help his students if that’s the way he lectures.
There’s a lot of text there and I didn’t get through all of it, but I’m stuck feeling that this is a violation of the maxim ‘never attribute to malice that which can be adequately explained by incompetence’.
The FOA requests portray NIST talking to the NSA as some deep dark secret. The NSA is a dual-mission agency (which is a terrible idea, but that’s a separate discussion) and one of those missions is protecting US critical infrastructure and government / military communications. NIST would not be doing their jobs if they did not talk to NSA.
The complexity analysis sounds wrong, but it’s not a case of confusing addition and multiplication it’s a case of confusing dependent and independent operations. If every compute step required 2^35 memory accesses, it would be correct. The fact that they’re independent operations means that this is not correct. That’s an easy mistake to make if you do the maths without properly looking at the context. Should it have been caught in review? Yes. Fortunately, it was caught in DJB’s review.
It sounds more like someone at NIST had a promotion depending on getting something standardised for PQC and pushed things through without adequate review than a deep conspiracy. The message (Kyber is not as secure as NIST thinks’) would be a lot clearer without all of the conjecture.
I don’t think it matters if it’s incompetence or malice. The point is that NIST has (not for the first time) acted in a way that has weakened public crypto for no clear reason. Their actions and procedures should be publicly investigated and reviewed, which it seems like DJB is trying to do with FOA requests and legal action, so I support that.
And it would’ve been caught a lot sooner if they hadn’t constantly stonewalled him.
Incompetence sufficiently advanced to be indistinguishable from malice is not particularly less damning for NIST, IMO.
Yes, that is the interpretation favourable to NIST. But it does seem to be worth considering that for some reason other than the stated evaluation criteria of tbe competition someone really wanted Kyber to win. The most concerning possible rationalebeing that someone (probably the NSA) has discovered a backdoor or some other effective crack.
I think you are right that it isn’t the likely reason. But if true it is incredibly important. A 1% chance of a backdoor seems worth investigating. (Not that FOI requests are likely to uncover that issue.)
The conversations between NIST and NSA were kept secret, at least in part. It need not be “deep dark” in order to negatively affect the standardization process; merely being secret is an issue.
A lot of what the NSA does is kept secret because that’s their default mode. They have, in the past, proposed tweaks to NIST standards to avoid possible attacks because they don’t want to disclose the attack (because some foreign power is using a different algorithm vulnerable to the attack and no one has publicly admitted independently discovering the attack). They may have also intentionally weakened others (there are conflicting reports on DES). It’s still unclear whether the null-dereference exploits introduced with SELinux were intentional and the NSA knew about that vulnerability class before anyone else or whether they were accidental.
That’s, unfortunately, to be expected from a dual-mission agency. The organisation is tasked with both making sure that US communication (military, government, and civilian) is impervious to decryption by foreign actors and making sure that foreign communication is vulnerable to decryption by US intelligence agencies (and, for extra fun, that countries that are US allies this week are not vulnerable to interception by countries that are not US allies this week, but ideally that they are vulnerable to interception by the USA). This is a completely conflicting set of goals, which also means that a secret conversation with the NSA might be a deniable malicious intervention or a positive intervention from the NSA.
I recognize your point in general, but cryptographers should generally abide by Kerchoffs’ principle. The NSA only acts this way because they genuinely believe that they are the only ones who hire skilled mathematicians; it’s an arrogance that the community should tear down.
That’s all true, but arguably implies that the only reasonable way for NIST to execute their mission is to refuse the NSA’s help, and rely on civil society to review their work.
That sounds like malice as far as I’m concerned. Perhaps incompetence by the others reviewing it, but I think it‘s hard to give NIST the benefit of the doubt either way
Wow. This is a wall of text, or it would be if it didn’t have more bullet points than a Pentagon PowerPoint slide…