| ▲ | HelloNurse 3 hours ago |
| The metaphor near the beginning of the article is a good summary: standardizing cars with seatbelts, but also cars without seatbelts. Since ML-KEM is supported by the NSA, it should be assumed to have a NSA-known backdoor that they want to be used as much as possible: IETF standardization is a great opportunity for a long term social engineering operation, much like DES, Clipper, the more recent funny elliptic curve, etc. |
|
| ▲ | blintz an hour ago | parent | next [-] |
> Since ML-KEM is supported by the NSA, it should be assumed to have a NSA-known backdoor that they want to be used as much as possible

AES and RSA are also supported by the NSA, but that doesn't mean they were backdoored.
| ▲ | HelloNurse an hour ago | parent | next [-] |
AES and RSA had enough public scrutiny to make backdooring imprudent. The standardization of an obviously weaker option than more established ones is difficult to explain with security reasons, so the default assumption should be that there are insecurity reasons.
| ▲ | zahllos an hour ago | parent | prev [-] |
SHA-2 was designed by the NSA. Nobody is saying there is a backdoor.
| ▲ | basilgohar 10 minutes ago | parent [-] |
I think it's established that NSA backdoors things. It doesn't mean they backdoor everything. But scrutiny is merited for each new thing NSA endorses and we have to wonder and ask why, and it's enough that if we can't explain why something is a certain way and not another, it's not improbable that we should be cautious of that and call it out. This is how they've operated for decades.
|
| ▲ | zahllos 2 hours ago | parent | prev | next [-] |
| I will reply directly re: the analogy itself here. It is a poor one at best, because it assumes ML-KEM is akin to "internetting without cryptography". It isn't. If you want a better analogy, we have a seatbelt for cars right now. It turns out when you steal plutonium and hot-rod your DeLorean into a time machine, these seatbelts don't quite cut the mustard. So we need a new kind of seatbelt. We design one that should be as good for the school run as it is for time travel to 1955. We think we've done it but even after extensive testing we're not quite sure. So the debate is whether to put on two seatbelts (one traditional one we know works for traditional driving, and one that should be good for both) or if we can just use the new one on the school run and for going to 1955. We are nowhere near DeLoreans that can travel to 1955 either. |
|
| ▲ | an hour ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | MYEUHD 2 hours ago | parent | prev [-] |
> the more recent funny elliptic curve

Can you elaborate please?
| ▲ | zahllos 2 hours ago | parent | next [-] |
The commenter means Dual_EC, a random number generator. The backdoor was patented under the form of "escrow" here: https://patents.google.com/patent/US8396213B2/en?oq=USOO83.9... - replace "escrow" with "backdoor" everywhere in the text and what was done will fall out. ML-KEM/ML-DSA were adapted into standards by NIST, but I don't think a single American was involved in the actual initial design. There might be some weakness the NSA knows about that the rest of us don't, but the fact they're going ahead and recommending these be used for US government systems suggests they're fine with it. Unless they want to risk this vulnerability also being discovered by China/Russia and used to read large portions of USG internet traffic. In their position I would not be confident that if I was aware of a vulnerability it would remain secret, although I am not a US citizen or even resident, and never have been.
| ▲ | johncolanduoni 32 minutes ago | parent [-] |
Not that I think this is the case for this algorithm, but backdoors like the one in Dual_EC cannot be used by a third party without what is effectively reversing an asymmetric key pair. Their public parameters are the product of private parameters that the NSA potentially has, but if China or whoever can calculate the private parameters from the public ones it's broken regardless.
| ▲ | zahllos 16 minutes ago | parent [-] |
Indeed. Dual_EC was a NOBUS backdoor relying on the ECDLP. That's fair. My point was more that it looked suspicious at the time (why use a trapdoor in a CSPRNG) and at least the possibility of "escrow" was known, as evidenced by the fact that Vanstone (one of the inventors of elliptic curve cryptography) patented said backdoor around 2006. This suspiciousness simply doesn't apply to ML-KEM, if one ignores one very specific cryptographer.
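The two comments above (johncolanduoni's point that the Dual_EC trapdoor is effectively an asymmetric key pair, and zahllos's that it is a NOBUS backdoor resting on the ECDLP) can be made concrete with a toy model. The following is an added example written for this thread, not code from the thread, the patent, or the withdrawn NIST standard: the curve, the base point `Q_POINT`, the seed, and the "escrow" scalar `D_SECRET` are all constructed placeholders, and the 16-bit output truncation of the real generator is omitted. It runs the generator, shows that whoever holds `d` (with `P = d*Q`) recovers the next internal state from a single output and predicts every later output, and shows that an outsider's only route is a discrete log that is a linear scan here and infeasible on a 256-bit curve.

```python
# Added toy model of the Dual_EC_DRBG trapdoor. Everything here is constructed
# for illustration: curve, base point and "escrow" scalar are tiny placeholders,
# not the NIST P-256 constants of the withdrawn standard.
from math import gcd

P_MOD = 10007   # prime field modulus (constructed); P_MOD % 4 == 3 makes sqrt one pow()
A, B = 2, 3     # curve y^2 = x^3 + A*x + B over GF(P_MOD) (constructed, non-singular)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def sqrt_mod(v):
    """Square root in GF(P_MOD), or None if v is a non-residue."""
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return y if y * y % P_MOD == v else None

def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n

def find_base_point(min_order=1000):
    """Scan x-coordinates until a curve point of usefully large order turns up."""
    for x in range(1, P_MOD):
        y = sqrt_mod((x ** 3 + A * x + B) % P_MOD)
        if y is not None:
            n = point_order((x, y))
            if n >= min_order:
                return (x, y), n
    raise RuntimeError("no suitable point on toy curve")

Q_POINT, ORDER = find_base_point()

# The standardiser publishes P and Q but keeps d with P = d*Q. Knowing d is the
# shortcut; recovering d from (P, Q) is the ECDLP johncolanduoni refers to.
D_SECRET = 1337                      # constructed "escrow" value
while gcd(D_SECRET, ORDER) != 1:     # keep P of full order so r*P is never infinity
    D_SECRET += 1
P_POINT = ec_mul(D_SECRET, Q_POINT)

def to_scalar(x):
    """Map an x-coordinate into [1, ORDER-1] (toy guard; negligible at 256 bits)."""
    return x % ORDER or 1

def dual_ec_step(s):
    """One round: r = x(s*P), next state = x(r*P), output = x(r*Q)."""
    r = to_scalar(ec_mul(s, P_POINT)[0])
    s_next = to_scalar(ec_mul(r, P_POINT)[0])
    return s_next, ec_mul(r, Q_POINT)[0]

def recover_next_state(output_x, d):
    """Trapdoor holder: lift the output to R = +-r*Q, then d*R = +-r*P, whose
    x-coordinate is exactly the generator's next state (either sign gives it)."""
    y = sqrt_mod((output_x ** 3 + A * output_x + B) % P_MOD)
    return to_scalar(ec_mul(d, (output_x, y))[0])

def brute_force_r(output_x):
    """Outsider without d: solve the discrete log of the output point base Q.
    A linear scan is fine on this toy curve and hopeless at 256 bits."""
    acc = Q_POINT
    for k in range(1, ORDER):
        if acc[0] == output_x:
            return k
        acc = ec_add(acc, Q_POINT)
    return None

def demo(seed=4242, rounds=3):
    """After seeing one output, return (predicted, actual) later output streams."""
    s, observed = dual_ec_step(to_scalar(seed))   # seed is constructed
    s_hat = recover_next_state(observed, D_SECRET)
    predicted, actual = [], []
    for _ in range(rounds):
        s_hat, o = dual_ec_step(s_hat)
        predicted.append(o)
        s, o = dual_ec_step(s)
        actual.append(o)
    return predicted, actual

if __name__ == "__main__":
    pred, act = demo()
    print("trapdoor holder predicted the stream:", pred == act)
```

The point the model makes is the one in the thread: `recover_next_state` works only with `d`, and nobody outside the party that generated `P` from `Q` can tell whether such a `d` exists, which is exactly why unexplained constants in a CSPRNG drew suspicion.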
|
| ▲ | rdtsc 2 hours ago | parent | prev [-] |
Not op, but they probably meant https://en.wikipedia.org/wiki/Dual_EC_DRBG
|