| But the NSA didn’t throw their weight around in the NIST or IETF processes trying to standardize McEliece, isogenies, HQC, or UOV. They threw their weight around trying to standardize ML-KEM. And anticipating your “but SIKE turned out to be easily breakable, why didn’t they try to standardize it?” The answer is “it made it shockingly far, but more importantly, SIKE was broken in the unclassified literature, but ML-KEM is broken in the classified literature.” Secrets in unclassified literature are not NOBUS secrets. |
| |
| ▲ | philodeon 19 hours ago | parent [-] | | You do realize that the NSA spends many millions on employing mathematicians, right? And that they wouldn’t keep doing that if all the mathematicians did was get really shit-hot at Kerbal Space Program? An analysis of the comparative risks of these crypto systems should include “The NSA knows a lot of math they’re not sharing, and if they really really like ML-KEM, that’s concerning even if Ptacek keeps pointing out NSA didn’t write it” | | |
| ▲ | tptacek 19 hours ago | parent [-] | | When you make an argument that is actually somehow rooted in cryptographic research, I'll have something to reply to. This is all just Schneier-Facts(tm) logic. | | |
| ▲ | philodeon 19 hours ago | parent [-] | | To be clear, the Schneier Facts on Dual-EC turned out to be far more accurate than the Ptacek Gut Logic. | | |
| ▲ | tptacek 18 hours ago | parent [-] | | Schneier said the same thing I did. I literally got my take from Schneier. You don't even have the Schneier Facts right! | | |
| ▲ | philodeon 18 hours ago | parent [-] | | To quote you: “ (I'm among an elite cadre† of cryptography-adjacents who felt it probably wasn't, but only because I thought it was too stupid to actually be used anywhere --- as soon as it was disclosed that (a) it was a default-yes algorithm in BSAFE and (b) big companies actually used BSAFE in important products, it was immediately clear what was going on).” The BSAFE disclosure happened in 2013 with Snowden. In 2015 you published an article still questioning whether Dual-EC was a backdoor, and providing an immense amount of plausible deniability for folks like Hoffman. https://sockpuppet.org/blog/2015/08/04/is-extended-random-ma... You don’t even remember the historical Ptacek Gut Logic! | | |
| ▲ | tptacek 18 hours ago | parent [-] | | You don't understand the article you just quoted. It is certainly not the case that I published an article in 2015 questioning Dual EC. You might be the only person in the world with an opinion about Paul Hoffman, by the way. I had to look him up. I mean, it's obvious what you did here: you went to my blog hoping to find the "Dual EC is fine" story, misread this one, and then took a random name out of it and tried to cast them as an archvillain. | | |
| ▲ | philodeon 17 hours ago | parent [-] | | As your article points out, Hoffman wrote a specification for spewing as many NSA-controlled “random” bytes into TLS packets as he could get away with, after Rescorla’s attempt failed. Hoffman’s work became an experimental RFC. Yet, your article says “In at least one case, Hoffman even attempted to provide a cryptographic rationale for extra randomness. Of course, naming-and-shaming either of them is pretty silly.” This makes no sense. We have names for criminal equivalents of his behavior: criminal mischief, disturbing the peace, conspiracy, etc. But if you do these things on a standards board, you get a pass? This was a concerted well-funded effort to compromise your security and my security. I think he should be put in a pillory and tarred-and-feathered. You continue to cover for malicious actors with your “but the NSA didn’t write it!” insistence. The classic anti-Schneier Dual-EC take around 2007 was “but the NSA wouldn’t insert a backdoor, they would destroy their public image!” Your insistence is the equivalent of “but the NSA wouldn’t do that AGAIN!” Fool me once… | | |
| ▲ | tptacek 17 hours ago | parent [-] | | The article you're talking about literally opens "I think Dual EC is a backdoor". You don't understand it. You don't know who Paul Hoffman even is. Why would we keep discussing this? | | |
| ▲ | philodeon 17 hours ago | parent [-] | | Because both the article and your continued arguments about ML-KEM demonstrates that in confirmed cases of NSA sabotage and in hypothetical cases of NSA sabotage, your job is to deflect, minimize, and avoid any responsibility being doled out. I hope you’re well paid for this job. When we find out that the ML-KEM math was thoroughly broken by NSA for years, your response will be “gosh, nobody could have known that. It’s best not to hold anyone responsible though, certainly not the NIST employees whose names are all over the evidence…” | | |
| ▲ | tptacek 17 hours ago | parent [-] | | Again: you pretty clearly don't understand the article you're citing. And that's easy mode compared to LWE vs RLWE. I don't think there's anything productive to be gained from us continuing to talk. | | |
|
|
|
|
|
|
|
|
|
|