
Mathematician warns US spies may be weakening next-gen encryption

333 points by stevefan1999, over 1 year ago

20 comments

nonrandomstring, over 1 year ago

"All we can do is tell people that NIST are the ones in the room making the decisions, but if you don't believe us, there's no way you could verify that without being inside NIST," says Moody.

There's our problem - right there!

If a body as important as NIST is not so utterly transparent that any random interested person cannot comb through every meeting, memo, and coffee break conversation, then it needs disbanding and replacing with something that properly serves the public.

We have bastardised technology to create a world of panopticonic surveillance, and then misused it by scrutinising the private lives of simple citizens.

This is arse-backwards. If monitoring and auditing technology has any legitimate use, the only people who should morally (though willingly) give up some of their privacy are those that serve in public, in our parliaments, councils, congress, government agencies and standards bodies.

> All we can do is tell people

No. You can prove it, and if you cannot, step aside for leadership better suited to serving the public interest.
BoppreH, over 1 year ago

The article is a bit weird, so here's my summary of the situation, as someone in the security field:

- Bernstein, an extremely esteemed security researcher[0], published a long blog post last week[1] criticizing NIST's standardization process for new Post-Quantum-Crypto algorithms. He is focusing on the selection of Key Encapsulation Mechanisms (think TLS key exchange). Two big options are Kyber and NTRU (coauthored by Bernstein).

- His main complaint is that NIST is playing fast and loose with the selection process, and had disqualified a fast NTRU variant due to barely not meeting a certain security threshold. The missing variant makes NTRU look slower and less flexible than it actually is.

- Meanwhile, NIST accepted a similar fast Kyber variant based on shaky assumptions. Bernstein argues at length that it doesn't meet the security threshold either and should be disqualified. Funnily, NIST used Bernstein's own research in (seemingly) incorrect fashion to argue for Kyber's security.

- There's an air of impropriety, as if NIST was favoring one algorithm over the other, for unknown reasons. And in the beginning of the post, Bernstein shows the results of his recent lawsuit to reveal more information about the internal NIST process: it seems that NIST and NSA met more often than previously thought.

My interpretation leans more towards NIST making an internal mistake in evaluating the algorithms, rather than NSA pushing its agenda. One could argue that Bernstein is sour that his algorithm might not be picked, and is trying underhanded tactics. On the other hand, he does have an excellent reputation, and convincingly argues that NIST made an important mistake and is not transparent enough.

[0] https://www.metzdowd.com/pipermail/cryptography/2016-March/028824.html

[1] https://blog.cr.yp.to/20231003-countcorrectly.html
tptacek, over 1 year ago

I've been in rooms watching cryptographers trying to figure out what exactly it is Bernstein was saying with that blog post for the past week, and I do not believe that Matthew Sparkes at The New Scientist understands it any better than they do. Since Sparkes doesn't have any direct reporting from Bernstein, and nobody here cares about the NIST quotes, the right thing to do here is to treat this story as a dupe.
peppermint_gum, over 1 year ago

Whenever the topic of DJB vs NIST comes up, there are always people saying "this may look petty, but he has a spotless track record, so we have to trust him".

I want to push back on this a little by linking this Twitter thread:

https://nitter.net/FiloSottile/status/1555669786826244096

It shows that there's a pattern of Bernstein and his associates threatening fellow cryptographers.

It's entirely possible to be a brilliant cryptographer and also a petty person; those things aren't mutually exclusive.
JacobiX, over 1 year ago

Regrettably, while we are discussing the author's motives, we may inadvertently overlook the miscalculation by NIST. The crux of NIST's primary error lies in improperly multiplying two costs when they should have been added. If this assertion holds true, it would be prudent to at least revisit and revise their draft!
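As an added illustration of the arithmetic this comment refers to (example code written for this page, not code from the thread, from NIST or from Bernstein), the snippet below combines a bit-operation count and a memory-access cost in the log2 domain both ways: multiplying the costs adds their exponents, while adding the costs yields roughly the larger exponent alone. The 140-bit and 35-bit inputs are constructed placeholders, not figures from either analysis.

```python
import math


def log2_add(a_bits: float, b_bits: float) -> float:
    """log2(2**a + 2**b): the two costs are ADDED.

    Factored around the larger exponent so that 2**140 never has to be
    materialised as a float; the result is max(a, b) plus a tiny correction.
    """
    hi, lo = max(a_bits, b_bits), min(a_bits, b_bits)
    return hi + math.log2(1.0 + 2.0 ** (lo - hi))


def log2_mul(a_bits: float, b_bits: float) -> float:
    """log2(2**a * 2**b): the two costs are MULTIPLIED, so the exponents add."""
    return a_bits + b_bits


def security_estimates(gate_bits: float, memory_bits: float) -> dict:
    """Claimed security level (in bits) under both ways of combining a
    bit-operation count with a memory-access cost, and the gap between them."""
    added = log2_add(gate_bits, memory_bits)
    multiplied = log2_mul(gate_bits, memory_bits)
    return {
        "added": added,            # costs summed: dominated by the larger term
        "multiplied": multiplied,  # costs multiplied: inflated by the smaller term
        "inflation": multiplied - added,
    }


if __name__ == "__main__":
    # Constructed placeholder inputs; NOT the numbers from NIST's or DJB's analysis.
    for name, bits in security_estimates(gate_bits=140.0, memory_bits=35.0).items():
        print(f"{name:>10}: 2^{bits:.2f}")
```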
22c, over 1 year ago

Previous discussion: https://news.ycombinator.com/item?id=37756656
d-z-m, over 1 year ago

Ironically, the style and substance of DJB's engagement with his peers and with NIST is likely to sour both against his claims[0], credible though they (might) be. DJB's impression of NIST "stonewalling" could very well be their reluctance in engaging with an adversarial and increasingly deranged private citizen.

> We disagree with his analysis,” says Dustin Moody at NIST. “It’s a question for which there isn’t scientific certainty and intelligent people can have different views. We respect Dan’s opinion, but don’t agree with what he says.

That's great for a PopSci article, but I (and many others, I'm sure) would like to see the details of this analysis hashed out. DJB had his chance at making this happen, and blew it. However, that doesn't mean his questions[0] should go unanswered.

[0]: specifically talking about the calculation of the Kyber-512 security level here. Not his more conspiratorial claims.
acd, over 1 year ago

Dan Bernstein wrote Qmail, DJBDNS and cryptography algorithms

https://en.m.wikipedia.org/wiki/Bernstein_v._United_States

Qmail https://en.m.wikipedia.org/wiki/Qmail

Djbdns https://en.m.wikipedia.org/wiki/Djbdns

https://en.m.wikipedia.org/wiki/Daniel_J._Bernstein
aaa_aaa, over 1 year ago

Encryption, like other things, is too important to leave in the hands of the state.
leokeba, over 1 year ago

https://archive.is/zFlVi
mcmoor, over 1 year ago

For a subject as mathematical as encryption, the debate is surprisingly... subjective. Are we seriously at the mercy of non-open-source geniuses for this? Was RSA this much unprovable objectively in its security?
pword, over 1 year ago

I believe the push for passkeys is another avenue for this.
zteppenwolf, over 1 year ago

No news there. NSA is not to be trusted. It's been a decade since serious cryptographers stopped using primitives researched @ NSA.
oalae5niMiel7qu, over 1 year ago

The open-source community will continue adopting "next-gen" "encryption" even though it has back doors, just like they didn't question elliptic curve encryption even after the NSA got caught putting out a compromised algorithm.
zug_zug, over 1 year ago

We should have 4 standards bodies in 4 non-allied nations each define an encryption standard and apply all 4 on top of each other in a bolstering fashion for all encrypted traffic.
PedroBatista, over 1 year ago

I’m not qualified enough to say who’s right or wrong, but I’ve noticed a fair amount of comments invalidating the claims because of the author’s motives, i.e. he’s a sore loser and has a big ego. I don’t see why that invalidates his claim that the algorithm is weaker than claimed. “Jerks” can be right too.

People are people and they come and go, but these NIST standards stay a long time.
jgalt212, over 1 year ago

Never roll your own crypto, but maybe sometimes ...
jongjong, over 1 year ago

Such a sad time for science. We really seem to be entering the new dark ages. There is no room for curiosity or intellect anymore. The institutions cannot be trusted and people rightly do not trust them.
diogenes4, over 1 year ago

Why does anyone take a US-based seriously as a standards authority? It seems like a transparent conflict of interest.
lawrenceyan, over 1 year ago

This is a question I've asked before, but I'm wondering if there's an updated perspective. Given the human brain is unencryptable, it seems like keeping secrets is going to be impossible.

I guess maybe with the advent of AI, you just have device-to-device communication with no man in the middle in the future?