
A discretization attack [pdf] - Kubuxu
https://cr.yp.to/papers/categories-20200918.pdf
======
beagle3
Once again, a reminder that for more than a decade, we've been living in a djb
monoculture. I fear the day djb is retired (or compromised .... hopefully that
hasn't yet happened).

~~~
Fnoord
If it brings you some relief, he's a teacher for multiple universities (at the
very least one in Chicago and one in Eindhoven). He's passing on his knowledge
in this way as well.

------
vii
This paper is surprisingly accessibly written given the complexities involved
and depth of expertise of the author, DJB, who has made great contributions to
many fields.

Unfortunately nearly all decision making processes are vulnerable to this kind
of attack: processes are never clear, selection criteria always up for debate,
and generally people pick a special option to present preferentially.

This generally just leads to suboptimal decision making - we're lucky to have
DJB's focus here to improve this one.

------
bem94
I've said it elsewhere, but...

If I were carrying out this attack against NIST, and it had failed up to now
(i.e. they chose 'wrong' from my perspective), my next step would surely be to
publish something which calls into question the conclusion they came to. This
would cause everyone involved to start second guessing, loose confidence in
the process, and make it easier to re-mount the attack either now, or in the
future.

N.b. I assume this document has been written in good faith and with the best
of intentions. It's just hard not to see some contradictions mixed up in
there.

~~~
cryptonector
"We're susceptible to process attacks" plus "pointing it out might be an
attack on the process" is much much better than not being aware of attacks on
the process.

Supposing this is DJB attacking the process, well, the other participants can
simply find the fly in his ointment, point it out, and stop the attack. It's
hard to argue that DJB's paper doesn't represent progress then since we can
both, reason about its claims and reason about it being an instance of an
attack on the process, whereas prior to this we weren't seriously considering
attacks on the process at all.

------
jeffrallen
Interesting... Attacking the standards process. Poor NIST, besieged on all
sides. They should just give up on cryptography, they are fatally compromised
by their connection to NSA.

~~~
ncmncm
One could suggest they were under attack, even breached, but their refusal to
reveal details of their analysis suggests a worse conclusion.

~~~
imglorp
Again. Stop us if you've heard this before.

[https://www.math.columbia.edu/~woit/wordpress/?p=7045](https://www.math.columbia.edu/~woit/wordpress/?p=7045)

------
Thorrez
Very interesting. But one part confuses me. It claims NIST was manipulated via
discretization to favor Kyber over NTRU. But when I look at Figure 4.5 (which
hasn't been discretized), it seems to say that Kyber is in fact better. Draw a
line connecting the Kyber points (open red squares) and a line connecting the
NTRU points (solid green circles). The Kyber line is slightly more up and the
the left (better).

------
DarthGhandi
For perhaps some background behind this paperthere's some lively official
discussion here [0] by many participants after the round 3 candidates were
announced.

[0]
[https://groups.google.com/a/list.nist.gov/forum/m/#!forum/pq...](https://groups.google.com/a/list.nist.gov/forum/m/#!forum/pqc-
forum)

~~~
Sniffnoy
Non-mobile link:
[https://groups.google.com/a/list.nist.gov/forum/#!forum/pqc-...](https://groups.google.com/a/list.nist.gov/forum/#!forum/pqc-
forum)

------
Kednicma
Excellent paper. Aside from the main points, I notice that the key phrase
"category theory" is in the abstract, to aid indexing, but there's no category
theory here. I don't think djb's unaware of abstract algebra, so I wonder why
he chose this otherwise-irrelevant phrase for indexing.

~~~
kurlberg
It's not only in the abstract - "category" occurs all over the document.
Possibly he's poking fun at category theory/theorists.

