Remix.run Logo
nullc a day ago

I might have expected you'd be once bitten twice shy after having once taking an aggressive position that DUAL-EC would never have backdoored anyone in practice...

The optionality of MLKEM by itself is of a similar shape to standardizing a lame DRBG that 'obviously' no one would use and anyone who would use would use the appendix parameter generation scheme that would have rendered it secure (although still slow). The reality of it was that once it was standardized NSA was able to secretly compel its use.

On one hand MLKEM by itself seems like a better choice than DUAL-EC, on the other hand that fact should make it much easier for a powerful attacker to cause a target to use it if you do have an attack that exploits this fact.

MLKEM was selected out of myriad other options through a NIST process which was directly influenced by NSA (including in manners that NIST failed to disclose and actively mislead the group about). I think this makes the commentary regarding NSA highly relevant. While it seems less like that NSA already knows of a total break in MLKEM (and indeed their influence could have been in a strengthening direction...) it's possible that their influence was motivated by things like that ease of undetectably compromising specific implementations through techniques like dopant adulteration or specialized side channel weaknesses.

If your plan it to tamper with chip mfgr or hit them with a very well aimed e-beam (e.g. to cause ion migration) after the fact then having a non-hybrid scheme is pretty obviously going to make your life much easier... Or perhaps they've taken a route similar to the one they took with Crypto AG-- this time positioning themselves as a fabless silicon vendor to sell MLKEM RTL to a market that doesn't have an implementation but already has many robust ECC implementations to choose from.

...and that's without getting into the unknown possibility of a cryptoanalytic breakthrough.

I don't think it's even safe to say that NSA would only consider NOBUS backdoors-- I don't think any of us can know how inadvisably arrogant the relevant decision makers may be and what they might consider NOBUS. Given how DUAL_EC went in Netscreen's products I think it's reasonable to argument that there is no such thing as a NOBUS backdoor when push comes to shove. Capping DES's key size is candidate example of a very much non-NOBUS weakness that NSA felt comfortable with, as one needed a particularly amount of strength to exploit it which they believed that only they had. Today, of course, a child's video game device can crack DES as a direct product of that part of their influence.

Not a great track record when fear of "store and decrypt later" attacks is much of what motivates the use of PQ key agreement today.

The consistent aggression five-eyes affiliated cryptographic-intelligence groups have had for hybrid schemes is truly difficult to comprehend-- given that practically everyone else considers them obviously prudent in all cases where the resource costs permit -- and I think this justifies the utmost concern and caution. And in terms of caution hybrid schemes are table stakes.

A major theme of DJB's cryptographic security advocacy is that cryptographic security is often as much about what you don't offer as it is what you do. A completently engineered security product is misuse resistant and it's not completely clear to me that a standard which offers the choice of a non-hybrid mlkem qualifies as misuse resistant.

That said, there are plenty of drafts that are in no way misuse resistant. :)

tptacek 19 hours ago | parent [-]

None of this makes any sense once you understand that NSA had no hand in designing MLKEM, or in shaping the LWE research that led to it. NSA designed Dual-EC. MLKEM won an open competition; its entrants are among the most reputable cryptographers in the world.

mswphd 17 hours ago | parent | next [-]

it's worth clarifying that its entrants were all qualified, and 2 other essentially identical schemes, namely New Hope and Saber, made it very deep into the NIST competition.

All 3 (roughly) took the approach of

1. take the obvious best design, and

2. tweak various internal design knobs you have access to, and

3. that's pretty much it.

So they differ in the internal design knobs they chose. But the fact that 3 independent teams all created something substantially similar to ML-KEM should be an indication of how much harder it would be for the NSA to be behind it.

nullc 17 hours ago | parent | prev [-]

Post selection is also design. Evolution by natural (or artificial, for that matter) selection works by post-selection.

I'm happy to agree that it affords much less degrees of freedom than original design, but the irrelevance argument depends on no influence rather than a lack of absolute influence.

tptacek 16 hours ago | parent [-]

I'd call this an instance of the genetic fallacy, but it's even less tethered to reason than that.