Remix.run Logo
yasaheblasa a day ago

You are simplifying ad absurdum. The NSA is as likely to compromise hash and signing algorithms as the police are likely to recommend pissing in petri dishes to cast doubt on that troublesome forensic science. The NSA likely has orders more experience with the area of cryptography Kyber comes from than everyone who worked on Kyber. Estimates at one point were that they had more than half of appropriate PhD level Mathematicians in the US, that may have gone down with more cryptocurrency firms, etc, but those firms are not researching algorithm families that may or may not replace the standards with all that much interest.

tptacek a day ago | parent [-]

The NSA had nothing to do with designing Kyber.

protocolture a day ago | parent | next [-]

He didnt say it did, he said "The NSA likely has orders more experience with the area of cryptography Kyber comes from than everyone who worked on Kyber"

tptacek a day ago | parent [-]

He himself (co-)submitted a lattice KEM to the NIST competition.

nullc a day ago | parent [-]

Yes, and strongly argued against lattice schemes generally. DJB submitted a lattice scheme under the theory that if the advocates of lattice schemes were able to win the argument about the performance properties then there should be a choice of an extremely conservatively designed one.

DJB himself has consistently advocated for Classic McEliece in any application which can accept its performance characteristics (which are excellent except for the ginormous public keys), and spent many bytes trying to convince people that the set of applications that can is wider than they suspect.

mswphd 20 hours ago | parent | next [-]

NTRU based schemes are not the most conservative. NTRU is an old design from the 90s, that had some shocking structural attacks against it appear ~2016. These attacks so far are only relevant for moduli q ~ (1/100) n^{2.3...}. This makes them worse than conventional attacks against NTRU-based PKE. But they completely killed roughly half of all NTRU-based fully homomorphic encryption schemes, and are a (major) structural issue with NTRU that RLWE/MLWE does not have.

In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative. The only major attacks on lattice-based schemes since his proposal have been on the hardness assumption his scheme uses. I would personally suggest this means that Bernstein is not an accurate predictor of the security of lattice-based schemes. So far his track record (with this notable example, but also many others) is remarkably bad.

tptacek 19 hours ago | parent | next [-]

The general C.W. I've heard is that if something happened that made MLKEM look theoretically shaky (pretty unlikely, but whatever), you fall back to something like FrodoKEM, which is plain LWE with no affordance for NTT or anything like it; no structure, no performance.

mswphd 18 hours ago | parent [-]

It really depends on what the precise details of the attack look like.

1. algebraic structure: sure use frodoKEM

2. error rates smaller than those required for worst-case to average-case reductions: idk bump error rates

3. some coding theorist ruins everyone's fun and has linear time decoding for p-ary construction A codes: probably drink a lot idk

fortunately there haven't been any "incremental" attacks in any of these directions, so it is really more an academic discussion.

Also note the primary issue with FrodoKEM isn't performance (though that is definitely worse), but size. My impression from the following

https://blog.cloudflare.com/sizing-up-post-quantum-signature...

https://blog.cloudflare.com/making-protocols-post-quantum/

was that TLS w/ FrodoKEM might have some undesirable performance characteristics, though that isn't directly stated in the articles. Iirc TLS w/ FrodoKEM

nullc 17 hours ago | parent | prev [-]

> In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative.

This is in fact that what I meant, and should have said: thanks.

tptacek a day ago | parent | prev [-]

His isn't the most conservative lattice construction! This is a hell of a just-so story.

philodeon 20 hours ago | parent | prev [-]

[flagged]

tptacek 19 hours ago | parent [-]

What does this even mean? By the exact same logic you could impeach literally any algorithm.

philodeon 18 hours ago | parent [-]

It means that your argument is “the NSA couldn’t have subverted ML-KEM, it was written by Europeans”.

You assiduously pretend that this scenario isn’t possible: * The NSA reviewed the PQ submissions and realized that there’s one they already know how to break at scale: ML-KEM, because their army of math PhDs spent a couple decades understanding it better than the rest of the world * The NSA decides they want ML-KEM deployed everywhere so that the world is full of transparent-to-NOBUS cryptography * The NSA spends the entire PQ contest placing their thumbs on the scale of the process, violating their 2014 post-Snowden promises of increased transparency, to make their NOBUS dreams happen

The actions of NSA and NIST personnel make the most sense with the assumption that they desperately want to standardize ML-KEM and ML-KEM alone because _they already know how to break it_. What doesn’t make any sense is why the private sector is cheerfully going along with it —- even Charlie stopped letting Lucy hold the football at some point.

tptacek 18 hours ago | parent [-]

You're just restating the same claim with more words. It obviously proves too much. You can stick any algorithm, from MLKEM to SNTRUP to CRC32, in the same comments and get the same result.

philodeon 18 hours ago | parent [-]

No, because if the NSA didn’t already know how to break one of the cryptosystems, their engagement with the contest would have looked much different. They’d genuinely engage with the contestants and provide accurate security margin estimates. They wouldn’t barge in and make illegal procedural demands.

This is called praxeology. One would think that someone who has already been a useful idiot on behalf of the NSA regarding Dual-EC-DRBG might learn to keep their naivete to themselves.

tptacek 18 hours ago | parent [-]

I don't think you understand the argument you're making here. NSA had no hand in MLKEM itself or even in the line of research that led to MLKEM. Whatever advantage you're claiming they have with respect to MLKEM, I could just as straightforwardly claim they had for McEliece, isogenies, HQC, or UOV.

philodeon 18 hours ago | parent [-]

But the NSA didn’t throw their weight around in the NIST or IETF processes trying to standardize McEliece, isogenies, HQC, or UOV. They threw their weight around trying to standardize ML-KEM.

And anticipating your “but SIKE turned out to be easily breakable, why didn’t they try to standardize it?” The answer is “it made it shockingly far, but more importantly, SIKE was broken in the unclassified literature, but ML-KEM is broken in the classified literature.” Secrets in unclassified literature are not NOBUS secrets.

tptacek 18 hours ago | parent [-]

Unfalsifiable just-so argument. The point is that no matter what NIST selected, you could make this argument. Heads, you win, tails, they lose. There's no actual cryptography involved here.

philodeon 18 hours ago | parent [-]

You do realize that the NSA spends many millions on employing mathematicians, right? And that they wouldn’t keep doing that if all the mathematicians did was get really shit-hot at Kerbal Space Program?

An analysis of the comparative risks of these crypto systems should include “The NSA knows a lot of math they’re not sharing, and if they really really like ML-KEM, that’s concerning even if Ptacek keeps pointing out NSA didn’t write it”

tptacek 18 hours ago | parent [-]

When you make an argument that is actually somehow rooted in cryptographic research, I'll have something to reply to. This is all just Schneier-Facts(tm) logic.

philodeon 18 hours ago | parent [-]

To be clear, the Schneier Facts on Dual-EC turned out to be far more accurate than the Ptacek Gut Logic.

tptacek 18 hours ago | parent [-]

Schneier said the same thing I did. I literally got my take from Schneier. You don't even have the Schneier Facts right!

philodeon 17 hours ago | parent [-]

To quote you: “ (I'm among an elite cadre† of cryptography-adjacents who felt it probably wasn't, but only because I thought it was too stupid to actually be used anywhere --- as soon as it was disclosed that (a) it was a default-yes algorithm in BSAFE and (b) big companies actually used BSAFE in important products, it was immediately clear what was going on).”

The BSAFE disclosure happened in 2013 with Snowden. In 2015 you published an article still questioning whether Dual-EC was a backdoor, and providing an immense amount of plausible deniability for folks like Hoffman.

https://sockpuppet.org/blog/2015/08/04/is-extended-random-ma...

You don’t even remember the historical Ptacek Gut Logic!

tptacek 17 hours ago | parent [-]

You don't understand the article you just quoted. It is certainly not the case that I published an article in 2015 questioning Dual EC. You might be the only person in the world with an opinion about Paul Hoffman, by the way. I had to look him up.

I mean, it's obvious what you did here: you went to my blog hoping to find the "Dual EC is fine" story, misread this one, and then took a random name out of it and tried to cast them as an archvillain.

philodeon 17 hours ago | parent [-]

As your article points out, Hoffman wrote a specification for spewing as many NSA-controlled “random” bytes into TLS packets as he could get away with, after Rescorla’s attempt failed. Hoffman’s work became an experimental RFC.

Yet, your article says “In at least one case, Hoffman even attempted to provide a cryptographic rationale for extra randomness. Of course, naming-and-shaming either of them is pretty silly.” This makes no sense. We have names for criminal equivalents of his behavior: criminal mischief, disturbing the peace, conspiracy, etc. But if you do these things on a standards board, you get a pass? This was a concerted well-funded effort to compromise your security and my security. I think he should be put in a pillory and tarred-and-feathered.

You continue to cover for malicious actors with your “but the NSA didn’t write it!” insistence. The classic anti-Schneier Dual-EC take around 2007 was “but the NSA wouldn’t insert a backdoor, they would destroy their public image!” Your insistence is the equivalent of “but the NSA wouldn’t do that AGAIN!” Fool me once…

tptacek 16 hours ago | parent [-]

The article you're talking about literally opens "I think Dual EC is a backdoor". You don't understand it. You don't know who Paul Hoffman even is. Why would we keep discussing this?

philodeon 16 hours ago | parent [-]

Because both the article and your continued arguments about ML-KEM demonstrates that in confirmed cases of NSA sabotage and in hypothetical cases of NSA sabotage, your job is to deflect, minimize, and avoid any responsibility being doled out. I hope you’re well paid for this job.

When we find out that the ML-KEM math was thoroughly broken by NSA for years, your response will be “gosh, nobody could have known that. It’s best not to hold anyone responsible though, certainly not the NIST employees whose names are all over the evidence…”

tptacek 16 hours ago | parent [-]

Again: you pretty clearly don't understand the article you're citing. And that's easy mode compared to LWE vs RLWE. I don't think there's anything productive to be gained from us continuing to talk.

philodeon 16 hours ago | parent [-]

Yes, that’s the deflect part of deflect and minimize.