Remix.run Logo
philodeon 20 hours ago

[flagged]

tptacek 19 hours ago | parent [-]

What does this even mean? By the exact same logic you could impeach literally any algorithm.

philodeon 19 hours ago | parent [-]

It means that your argument is “the NSA couldn’t have subverted ML-KEM, it was written by Europeans”.

You assiduously pretend that this scenario isn’t possible: * The NSA reviewed the PQ submissions and realized that there’s one they already know how to break at scale: ML-KEM, because their army of math PhDs spent a couple decades understanding it better than the rest of the world * The NSA decides they want ML-KEM deployed everywhere so that the world is full of transparent-to-NOBUS cryptography * The NSA spends the entire PQ contest placing their thumbs on the scale of the process, violating their 2014 post-Snowden promises of increased transparency, to make their NOBUS dreams happen

The actions of NSA and NIST personnel make the most sense with the assumption that they desperately want to standardize ML-KEM and ML-KEM alone because _they already know how to break it_. What doesn’t make any sense is why the private sector is cheerfully going along with it —- even Charlie stopped letting Lucy hold the football at some point.

tptacek 19 hours ago | parent [-]

You're just restating the same claim with more words. It obviously proves too much. You can stick any algorithm, from MLKEM to SNTRUP to CRC32, in the same comments and get the same result.

philodeon 19 hours ago | parent [-]

No, because if the NSA didn’t already know how to break one of the cryptosystems, their engagement with the contest would have looked much different. They’d genuinely engage with the contestants and provide accurate security margin estimates. They wouldn’t barge in and make illegal procedural demands.

This is called praxeology. One would think that someone who has already been a useful idiot on behalf of the NSA regarding Dual-EC-DRBG might learn to keep their naivete to themselves.

tptacek 19 hours ago | parent [-]

I don't think you understand the argument you're making here. NSA had no hand in MLKEM itself or even in the line of research that led to MLKEM. Whatever advantage you're claiming they have with respect to MLKEM, I could just as straightforwardly claim they had for McEliece, isogenies, HQC, or UOV.

philodeon 19 hours ago | parent [-]

But the NSA didn’t throw their weight around in the NIST or IETF processes trying to standardize McEliece, isogenies, HQC, or UOV. They threw their weight around trying to standardize ML-KEM.

And anticipating your “but SIKE turned out to be easily breakable, why didn’t they try to standardize it?” The answer is “it made it shockingly far, but more importantly, SIKE was broken in the unclassified literature, but ML-KEM is broken in the classified literature.” Secrets in unclassified literature are not NOBUS secrets.

tptacek 19 hours ago | parent [-]

Unfalsifiable just-so argument. The point is that no matter what NIST selected, you could make this argument. Heads, you win, tails, they lose. There's no actual cryptography involved here.

philodeon 19 hours ago | parent [-]

You do realize that the NSA spends many millions on employing mathematicians, right? And that they wouldn’t keep doing that if all the mathematicians did was get really shit-hot at Kerbal Space Program?

An analysis of the comparative risks of these crypto systems should include “The NSA knows a lot of math they’re not sharing, and if they really really like ML-KEM, that’s concerning even if Ptacek keeps pointing out NSA didn’t write it”