I will draw to your attention two interesting facts.
First, OpenSSH has disregarded the winning (crystals) variants, and implemented hybrid NTRU-Prime. The Bernstein blog post discusses hybrid designs.
"Use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo."
Second, Daniel Bernstein has filed a public complaint against the NIST process, and the FOIA stonewalling adds more concern and doubt that the current results are fair.
We (OpenSSH) haven't "disregarded" the winning variants, we added NTRU before the standardisation process was finished and we'll almost certainly add the NIST finalists fairly soon.
What are the aims of the lawsuit? NIST fucked up a FOIA response. The thing you do when a public body gives you an unsatisfactory FOIA response is that you sue them. I've been involved in similar suits. I'd be surprised if NIST doesn't just cough up the documents to make this go away.
"Can NIST's decisions on crystals be overturned by the court?" Let me help you out with that: no, you can't use a FOIA suit to "overturn" a NIST contest.
OpenSSH implemented NTRU-Prime? What's your point? That we should just do whatever the OpenSSH team decides to do? I almost agree! But then, if that's the case, none of this matters.
I assume that the point was that NSA is against using hybrid algorithms like the one used by OpenSSH, which combine a traditional algorithm with a post-quantum algorithm, arguing that using both algorithms is an unnecessary complication.
The position of D. J. Bernstein and also of the OpenSSH team is that the prudent approach is to use only hybrid algorithms until enough experience is gained with the post-quantum algorithms, to be reasonably certain that they are secure against the possible attacks.
If they obtain the documents requested through FOIA, it is expected that they will support the opinion that the NSA recommendations should be ignored, because the NSA has a very long history of attempting to convince the public that certain cryptographic algorithms are secure enough, even when it was aware of weaknesses in those algorithms that it could exploit, so it was in its interest that everybody else should use them, to facilitate the NSA's tasks.
As explained at the linked Web page, in the past the NSA has forced the standardization of algorithms with keys that were too short, i.e. DES and DSA, and has made partially successful attempts to standardize back-doored algorithms like Clipper and their infamous random bit generator.
Similarly now, they want to enforce the use of only the post-quantum winning algorithm, without the additional protection of combining it with a traditional algorithm.
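The "traditional plus post-quantum" combination this comment and the release note quoted at the top of the thread are talking about, as an added example that is not part of the original post and not OpenSSH's code. It assumes the combiner shape of OpenSSH's sntrup761x25519-sha512 method (the SSH shared secret is SHA-512 over the KEM shared secret concatenated with the X25519 shared secret); the X25519 half is written out in plain Python per RFC 7748 (not constant time, fine for illustration), and the post-quantum half is a constructed 32-byte placeholder standing in for the sntrup761 KEM output, since that KEM is far too large to inline. The RFC 7748 section 6.1 vectors are included so the curve code can be checked.

```python
import hashlib

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4, the Montgomery ladder constant
X25519_BASE = (9).to_bytes(32, "little")

# RFC 7748 section 6.1 test vectors (public data, used to check x25519()).
RFC7748_ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC7748_BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
RFC7748_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def _clamp_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                      # RFC 7748: ignore the high bit
    return int.from_bytes(u, "little") % P


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder (illustrative, not constant time)."""
    k = _clamp_scalar(scalar)
    x1 = _decode_u(point)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_shared(priv: bytes, peer_pub: bytes) -> bytes:
    """ECDH half of the exchange. As OpenSSH does, reject an all-zero result,
    which is what a low-order peer point (e.g. u = 0) produces."""
    ss = x25519(priv, peer_pub)
    if ss == bytes(32):
        raise ValueError("invalid X25519 peer point (low-order)")
    return ss


def hybrid_shared_secret(pq_ss: bytes, ecdh_ss: bytes) -> bytes:
    """Combiner in the shape of sntrup761x25519-sha512: K = SHA-512(pq || ecdh).
    Recovering K requires BOTH inputs, so K is at least as hard to obtain as
    the stronger of the two components (the 'backstop' argument)."""
    if len(pq_ss) != 32 or len(ecdh_ss) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    return hashlib.sha512(pq_ss + ecdh_ss).digest()


def hybrid_exchange(client_priv: bytes, server_priv: bytes, pq_ss: bytes):
    """Run the ECDH half on both sides and combine each with the PQ secret.
    pq_ss is a constructed stand-in for the sntrup761 KEM output that both
    sides would hold after encapsulation/decapsulation."""
    client_pub = x25519(client_priv, X25519_BASE)
    server_pub = x25519(server_priv, X25519_BASE)
    k_client = hybrid_shared_secret(pq_ss, x25519_shared(client_priv, server_pub))
    k_server = hybrid_shared_secret(pq_ss, x25519_shared(server_priv, client_pub))
    return k_client, k_server


if __name__ == "__main__":
    a = bytes.fromhex(RFC7748_ALICE_PRIV)
    b = bytes.fromhex(RFC7748_BOB_PRIV)
    pq = hashlib.sha256(b"constructed stand-in for the sntrup761 secret").digest()
    k_client, k_server = hybrid_exchange(a, b, pq)
    print("both sides agree:", k_client == k_server, k_client.hex()[:16], "...")
    # Knowing the ECDH half alone (pq guessed wrong) does not give K:
    print("wrong PQ half changes K:", hybrid_exchange(a, b, bytes(32))[0] != k_client)
```

The check for an all-zero X25519 output is the practitioner caveat worth keeping: a hybrid combiner only delivers "at least as good as the status quo" if each component is validated the way it would be on its own.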
Fucking everybody's position is to combine classical key exchanges with PQC KEMs. It wasn't NIST's job to standardize a classical+PQC construction. The point of the contest is to figure out which PQC constructions to use. NIST also didn't recommend that everyone implement their cryptographic handshakes in a memory-safe language. But not doing that is going to get a bunch of people owned by NSA too. Do you see how silly this argument is?
Ostensibly, nistpqc is about finding safe crypto, first for TLS, second for ssh. You will argue differently, but we all expect the same end product.
NIST has specifically asked for guidance on hybrid crypto (as well you know), as I documented elsewhere on this page.
You assert that NIST only accepts pure post-quantum crypto. They ask for hybrid.
Color me jaded.
EDIT: Just for you, my fine fellow!
'For example, in email to pqc-forum dated 30 Oct 2019 15:38:10 +0000 (2019), NIST posted technical comments regarding hybrid encryption modes and asked for feedback “either here on the pqc-forum or by contacting us at pqc-comments@nist.gov” (emphasis added).'
It's not the first time either and it won't be the last. NIST chose Rijndael over Serpent for the AES standard even though Serpent won. I vaguely recall they gave some smarmy answer. I don't think anyone submitted a FOIA, not that it would matter. I've been through that bloated semi-pseudo process and saw how easy it was to stall people and not answer a simple question.
I remember them saying that in a follow-on email on one of the mail list servers. That was not their original statement but I can't remember exactly what they said. I just remember it was quite smarmy and did not sit well with me coming from such an organization. Regardless Serpent won the challenge by their criteria but then they moved the goal posts after the fact.
Both Rijndael and Serpent could have equally become more performant in the AES-NI CPU instruction sets and I am also not ok with how that evolved either. Cipher fixation is a security vulnerability. AES-NI CPU instructions should have included a few ciphers for performance. Probably Rijndael, Serpent and Twofish. There are folks in the cryptography community that are very much against using more than one cipher and that makes it clear to me they have been compromised or manipulated by something.
Please cite for me the most credible cryptographic researcher you can find who advocates cascades of ciphers. I'm not certain, but if I had to bet, I'd bet that you can't even find one.
You can believe whatever you want to believe, but the threshold you've just claimed to have for believing someone is compromised suggests that essentially every academic cryptographic researcher in the world is compromised.
> What are the aims of the lawsuit? Can the NIST decision on crystals be overturned by the court, and is that the goal?
It sounds to me like the goal is to find out if there's any evidence of the NSA adding weaknesses into any of the algorithms. That information would allow people to avoid using those algorithms.
The town I live in just outside of Chicago refused to disclose their police General Orders to me; I had to engage the same attorneys Bernstein did to get them. What can I infer from their refusal? That the General Orders include their instructions from the Lizard People overlords?
> The town I live in just outside of Chicago refused to disclose their police General Orders to me; I had to engage the same attorneys Bernstein did to get them. What can I infer from their refusal? That the General Orders include their instructions from the Lizard People overlords?
Naah, probably just that they include some pretty shitty stuff in general.
The fact (AFAWK) that the town came up with this shitty stuff even without any Lizard People Overlords having ordered them to do so of course makes it even worse for the powers that be of the town; now they can't even put the blame for the shitty stuff on the LPO.
https://www.openssh.com/releasenotes.html
https://www.google.com/url?q=https://groups.google.com/a/lis...
What are the aims of the lawsuit? Can the NIST decision on crystals be overturned by the court, and is that the goal?