
NIST CSRC Post-Quantum Cryptography Project - christianbryant
http://csrc.nist.gov/groups/ST/post-quantum-crypto/
======
mtgx
Is it absolutely necessary to help NIST here? Can't the IETF come up with its
own standards and leave it at that? The U.S. government is free to adopt the
same standards later on (just like all the other governments) or create its
own broken ones, I don't really care about that. The NSA isn't going to use
whatever NIST ends up adopting anyway. It's going to use its own crypto for
classified stuff.

I'd rather not risk another Dual_EC fiasco with everyone trusting NIST to do
the right thing, and then it doesn't. They almost messed up SHA3, too, if it
wasn't for vocal opposition from the community. They've proven to be
untrustworthy a few too many times.

~~~
wahern
Dual_EC_DRBG was first standardized through ANSI and ISO, and only later
adopted as a FIPS standard through a process completely different than the AES
and SHA-3 competitions.

I don't think there was any serious criticism of early SHA-3 proposals. The
properties of Keccak's sponge construction gave them legitimate reasons to
reassess some of the original criteria. And the proposals were actually
drafted with the cooperation and approval of the Keccak authors. See the
authors' reply to the original criticisms here:

    http://keccak.noekeon.org/yes_this_is_keccak.html

NIST brings money to the table, both for conferences and for employing
reviewers in addition to the friendly and competitive peer review. And more
importantly a NIST competition has the potential to be more inclusive than
typical standards committees. IETF, not to mention ANSI and ISO, working
groups tend to either become captured by industry special interests, or
devolve into little cliques of not particularly diverse (in experience)
experts[1]. And that's when they're working well. When they don't work well
they degenerate into a stalemate, and either fail completely or acquiesce to
horrid compromises in attempts to reach consensus.

An open and transparent NIST competition has the potential to offer the best
possible outcome by attracting more, and more diverse, participants. And if a
rough consensus isn't easily reached, NIST at least can produce a decent
standard that doesn't include the kitchen sink. And if it sucks? It can just
be ignored. Doubtless there will be plenty of alternatives coming out of the
IETF to choose from, NIST or no NIST.

[1] Note that those characterizations are not necessarily negative. Special
interests and little cliques have a much easier time reaching consensus,
partly because those are often the same people writing the implementations and
naturally have fewer degrees of freedom if they want to maintain their
investment in their existing software. And there's never any scarcity of
standards being published by working groups in those organizations, so failure
is less costly and the cream will tend to rise to the top over time. For
something like post-quantum crypto, IETF, ANSI, ISO, and similar organizations
are really not a particularly good fit.

