I don't think the "these finalist teams are trustworthy" argument is completely watertight. If the US wanted to make the world completely trust and embrace subtly-broken cryptography, a pretty solid way to do that would be to make competition where a whole bunch of great, independent teams of cryptography researchers can submit their algorithms, then have a team of excellent NSA cryptographers analyze them and pick an algorithm with a subtle flaw that others haven't discovered. Alternatively, NIST or the NSA would just to plant one person on one of the teams, and I'm sure they could figure out some clever way to subtly break their team's algorithm in a way that's really hard to notice. With the first option, no participant in the competition has to that there's any foul play. In the second, only a single participant has to know.
Of course I'm not saying that either of those things happened, nor that they would be easy to accomplish. Hell, maybe they're literally impossible and I just don't understand enough cryptography to know why. Maybe the NIST truly has our best interest at heart this time. I'm just saying that, to me, it doesn't seem impossible for the NIST to ensure that the winner of their cryptography contests is an algorithm that's subtly broken. And given that there's even a slight possibility, maybe distrusting the NIST recommendations isn't a bad idea. They do after all have a history of trying to make the world adopt subtly broken cryptography.
If the NSA has back-pocketed exploits on the LWE submission from the CRYSTALS authors, it's not likely that a purely academic competition would have fared better. The CRYSTALS authors are extraordinarily well-regarded. This is quite a bank-shot theory of OPSEC from NSA.
It's true that nothing is 100% safe. And to some degree, that makes the argument problematic; regardless of what happened, one could construct a way for US government to mess with things. If you had competition of the world's leading academic cryptographers with a winner selected by popular vote among peers, how do you know that the US hasn't just influenced enough cryptographers to push a subtly broken algorithm?
But we must also recognize a difference in degree. In a competition where the US has no official influence over the result, there has to be a huge conspiracy to affect which algorithm is chosen. But in the competition which actually happened, they may potentially just need a single plant on one of the strong teams, and if that plant is successful in introducing subtle brokenness into the algorithm without anyone noticing, the NIST can just declare that team's algorithm as the winner.
I think it's perfectly reasonable to dismiss this possibility. I also think it's reasonable to recognize the extreme untrustworthiness of the NIST and decide to not trust them if there's even a conceivable way that they might've messed with the outcome of their competition. I really can't know what the right choice is.
That's an argument that would prove too much. If you believe NSA can corrupt academic cryptographers, then you might as well give up on all of cryptography; whatever construction you settle on as trustworthy, they could have sabotaged through the authors. Who's to say they didn't do that to Bernstein directly? If I'd been suborned by NSA, I'd be writing posts like this too!
You're still not recognizing the difference between corrupting a single academic cryptographer and corrupting a whole bunch of academic cryptographers. This isn't so black and white.
For what it's worth, I do think the US government could corrupt academic cryptographers. If I was an academic cryptographer, and someone from the US government told me to do something immoral or else they would, say, kill my family, and they gave me reason to believe the threat was genuine, I'm not so sure I wouldn't have done what they told me. And I know this sounds like spy movie shit, but this is the US government.
One last thing though, if you're giving me the black and white choice between blindly trusting the outcome of a US government cryptography standard competition or distrusting the field of cryptography altogether, I choose the latter.
As long as we're clear that your concern involves spy movie shit, and not mathematics or computer science, I'm pretty comfortable with where we've landed.
If your argument is: “assuming the US government wouldn’t be able to make someone act against their will and stay silent about it, the NIST recommendation is trustworthy”, I’m certainly more inclined to distrust this recommendation than I was before this conversation.
Note that the “forcing someone to comply” thing was just meant as one possibility among many, I don’t see why you completely dismiss the idea of someone who’s good at cryptography being in on the US’s mission to intercept people’s communications. I mean the NSA seems to be full of those kinds of people. You also dismiss the possibility that they just … picked the algorithm that they thought they could break after analysing it, with no participant being in on anything. But I get the feeling that you’re not really interested in engaging with this topic anymore, so I’ll leave it at that. It’s already late here.
It's an interesting thought, but then you would need those cryptographers to not only stay quiet about it, but also spend a good chunk of the next part of their lives selling the lie.
Secrets are hard to keep at scale. Trying to do it with coercion, to a group of people who's entire field of study is covert communication, seems like an unenviable prospect.
Of course I'm not saying that either of those things happened, nor that they would be easy to accomplish. Hell, maybe they're literally impossible and I just don't understand enough cryptography to know why. Maybe the NIST truly has our best interest at heart this time. I'm just saying that, to me, it doesn't seem impossible for the NIST to ensure that the winner of their cryptography contests is an algorithm that's subtly broken. And given that there's even a slight possibility, maybe distrusting the NIST recommendations isn't a bad idea. They do after all have a history of trying to make the world adopt subtly broken cryptography.