
No, you can't trust NIST on security. They've certified algorithms they must have known were deliberately weakened in every generation: DES in the 1970s, the Clipper chip in the 80s, "export-grade" RSA in the 90s, and broken RNGs in the 2000s.

The deliberate weakening generally comes from the NSA, but NIST is required to work with them on security standards.

A number of reputable security researchers claim that NIST's misdeeds were all unintentional and they've learned their lesson and there won't be any more backdoors. Perhaps. Ultimately they serve the US administration, so in the long term it depends on whether future administrations actually want everyone to have unbreakable cryptography. Doesn't seem like a safe thing to count on.




I think this is a little unfair to NIST. Some parts aren't entirely factual. For example while DES was specified at 56 bits if we discount parity bits, I'm not sure how much choice they had in this - I suspect NSA/US gov more widely here. NSA, which is distinct from NIST but obviously works with them, requested changes to the DES S-Boxes during design that resulted in better protection from differential cryptanalysis, a technique unknown to anyone else at the time. So the NSA weakened DES in one way but strengthened it in another.

A lot of this weakening of ciphers was US government policy at the time: crypto was considered only to have military applications so in the same way foreign countries don't get the full US-edition fighter jet, they also didn't get the full crypto.

DualEC was a mess, no doubt, and should never have been standardized. I'm guessing they were railroaded by NSA. What is bizarre is that everyone knew it sucked. Not only because of the backdoor potential but also because it was slow. In fact the backdoor was even patented: https://worldwide.espacenet.com/publicationDetails/biblio?CC... which is my personal favorite part of the saga.

So while DualEC was a mess and the export policy was disliked, generally speaking the NIST process for standardising things is widely well regarded.

Of course that does not mean you should trust them blindly, but examine the evidence. AES, SHA3, the lightweight crypto competition and the PQC process will all produce ciphers from largely non-US scientists and there are detailed discussions on the forums and at the workshops.

Of course if they decide to shut down these forums for discussion or ignore community consensus then there are definitely reasons to worry.


> [...] I'm not sure how much choice they had in this - I suspect NSA/US gov more widely here. [...]

Note that when parent says "you can't trust NIST" and you counter with something along the lines of "that's unfair... NIST acts untrustworthy/knowingly recommends subpar options because of NSA", it doesn't really counter what is being said.

If NIST decisions are based mostly on "whatever the NSA tells them to do", rather than the actual technical merits of the things they recommend, then... yes, they are generally not worthy of trust (blind or otherwise), because you'll always have to double-check their statements against other sources (e.g. your own knowledge, expert cryptographers, etc.).

Fool me once, shame on you; fool me twice, shame on me.

That's the problem of being untrustworthy once in a while... it's easier to lose your reputation than to regain it.

As it is... if you use anything recommended by NIST without first checking with the actual trustworthy community of researchers, you're asking for it.

TL;DR: Trying to justify why the NIST is seen as untrustworthy (or acts as such) does not change the fact that it is seen as untrustworthy by many people (and, as far as I can tell, fairly so).


> "Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key." [1]

We were just using it wrong, it's a backup tool, not an encryption standard. ;-)

[1] US2007189527, abstract: https://news.ycombinator.com/reply?id=28427331&goto=item%3Fi...
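To make the abstract's "relationship between P and Q is used as an escrow key" concrete, here is an added worked example (my own toy code, not anything from this thread, the patent, or NIST). It keeps the Dual EC state-update order from the standard, s <- x(s*P) then output <- truncate(x(s*Q)), but on an assumed tiny curve over the Mersenne prime 2^19-1 so it runs in milliseconds; the curve coefficients, the escrow scalar, the seed and the truncation width (3 of 19 bits dropped instead of 16 of 256) are all assumptions for the demo. The toy sets P = d*Q outright; in the real standard both points are fixed constants and whether such a d exists is exactly what nobody outside the designers could verify. The "administrator" of the abstract logs a few outputs, lifts the first one back onto the curve, multiplies by d, and from then on predicts every output the consumer will see.

```python
# Added example: toy Dual EC DRBG with an escrow relationship P = d*Q.
# Assumed parameters throughout; not NIST's curve or constants. Python 3.8+.

P_MOD = 2**19 - 1   # Mersenne prime M19, and 3 mod 4 so a square root is one exponentiation
A, B = 1, 7         # toy curve y^2 = x^3 + A*x + B (assumed)
OUT_BITS = 16       # bits of x kept per output; the top 3 of 19 are truncated away
MASK = (1 << OUT_BITS) - 1
assert (4 * A**3 + 27 * B**2) % P_MOD != 0, "curve must be non-singular"
INF = None          # point at infinity

def add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """A curve point with this x-coordinate, or None if x is not on the curve."""
    rhs = (x**3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def first_point(x=2):
    while lift_x(x) is None:
        x += 1
    return lift_x(x)

# The escrow: P and Q are not independent. Whoever chose them knows d with P = d*Q.
Q = first_point()
ESCROW_D = 123457            # assumed secret scalar, the abstract's "escrow key"
P = mul(ESCROW_D, Q)

def next_state(s):
    return mul(s, P)[0]          # s <- x(s*P)

def output_of(s):
    return mul(s, Q)[0] & MASK   # r <- x(s*Q), truncated

def generate(seed, n):
    """Honest consumer: n outputs from a secret seed, in the standard's update order."""
    s, outs = seed, []
    for _ in range(n):
        s = next_state(s)
        outs.append(output_of(s))
    return outs

def predict(s, n):
    """Outputs the generator will emit next, given its (already updated) state s."""
    outs = []
    for _ in range(n):
        outs.append(output_of(s))
        s = next_state(s)
    return outs

def escrow_recover(outputs, d):
    """Escrow holder: from logged outputs and d, return candidate states for the step
    after the last logged output. Brute-forces the truncated top bits of x(s*Q)."""
    survivors = []
    for hi in range(1 << (P_MOD.bit_length() - OUT_BITS)):
        x = (hi << OUT_BITS) | outputs[0]
        if x >= P_MOD:
            continue
        R = lift_x(x)            # candidate for +-(s*Q); the sign does not affect x(d*R)
        if R is None:
            continue
        S = mul(d, R)            # d*(s*Q) = s*(d*Q) = s*P, whose x is the next state
        if S is INF:
            continue
        s, consistent = S[0], True
        for o in outputs[1:]:    # keep only candidates that reproduce the later outputs
            if output_of(s) != o:
                consistent = False
                break
            s = next_state(s)
        if consistent:
            survivors.append(s)
    return survivors

def demo(seed=0xC0FFEE, logged=3, ahead=4):
    """Log `logged` outputs, recover the state with d, predict `ahead` more."""
    stream = generate(seed, logged + ahead)
    cands = escrow_recover(stream[:logged], ESCROW_D)
    return cands, stream[logged:], [predict(c, ahead) for c in cands]

if __name__ == "__main__":
    cands, actual, predicted = demo()
    print("candidate states:", cands)
    print("actual next outputs:  ", actual)
    print("predicted via escrow: ", predicted)
```

Three logged outputs are enough here: the brute force over the truncated bits leaves a handful of curve points, and requiring each candidate to reproduce the second and third output leaves exactly one. Without d the same log is useless, which is the whole point of an escrow: the constants look like random points to everyone except the party that generated them.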


> DES in the 1970s

To clarify: the deliberate weakening for DES was literally reducing the key size. There was also some suspicious behaviour with the S-boxes, but that turned out not to be an attack. Sadly, but unsurprisingly, it's not as simple as "Do the opposite of what the nation state adversary recommends.", although these days independent research is doing well enough that "Ignore them[0] unless they have a non-'trust us' justification." is an adequate policy.

0: for crypto design advice; obviously they're still an attacker and you need to deal with that


This. DES was strengthened against differential cryptanalysis, a technique not discovered by the public for over a decade. https://en.wikipedia.org/wiki/Differential_cryptanalysis

In 1975 brute-forcing of 56-bit keys was a NOBUS capability.



