Bonum Certa Men Certa

Lots of Talk About NIST in Relation to Encryption and Standards, But NIST Fronts for Imperialism, Not Privacy, and There Are Software Patent Elephants in the Room

posted by Roy Schestowitz on Aug 25, 2024,
updated Aug 25, 2024

nist.gov logo

NIST links to CHIPS.gov site

THE OFFICIAL WEB SITE of NIST is (right at this very moment) celebrating mega-bailouts for failing chipmakers that put back doors (and defects, bug doors etc.) in all their current chips, except perhaps for those tailored/specially-made for military purposes. The front page says: "CHIPS for America: Investments in innovation, resilience and a more competitive American future..."

We've long (over a decade!) pointed out that NIST does not pursue real security. The same is true for NSA, IETF, and several other internationally-recognised entities. Well, there are nearly a dozen of these in the US alone and most people recognise the acronyms/logos; they're used a lot - sparingly in fact - in the sciences, typically framed or presented like trusted establishments to be blindly worshiped, adored, followed, conformed and adhered to. IETF is US like ITC is US. Look beyond the ludicrous facade. Whose authority is obeyed?

A lot of those entrusted to standardise encryption are - at the same time - interested in undermining/bypassing encryption (intercepts and wiretapping). They want encryption reserved to those who are in positions of powers; to everybody else they already gave fake encryption and fake security. This self-aggrandising sense of entitlement and empowerment comes naturally to people drunk on power.

NIST et al routinely get caught in "oversights", "oopses", accidents", and "mistakes" in their recommendations (poor specifications that become implementations will never be secure!), which probably make no sense at all even before such "bugs" or "loopholes" are found. They talk about hypothetical and theoretical (prospective) risks while overlooking and intentionally ignoring imminent and even existing ones.

Only a week or so ago the media said that NIST released "First Post-Quantum Encryption Algorithms"...

Wow, "Quantum"!!! Amazing!! Let's not ask any questions or they'll make us look dumb and arcane.

But, as noted to us today, there are also software patents to worry about.

"NIST realises that software patents are ruining encryption," we said, citing this older thread, but that's actually NIST being confronted by outsiders in NIST-related discussion channels. "Ruining encryption," an associate noted, means "sabotaging security". I said this was potential lawfare ("I cannot break it, but I can sue you").

"If one wanted to be paranoid," the associate said, "one could ask who put them up to that patent nonsense. Sure the patsies stand to gain financially but that is a small thing compared to the interests which gain by eliminating air tight-encryption and having someone else take the blame for it. (c.f. [Telegram Founder Pavel] Durov arrest over his proprietary "app")."

"Signal is AGPL (copyleft) all the way through, unlike Telegram which is proprietary. The proprietary, centralized nature of Telegram possibly makes it feasible to wrest control from the owner. Whereas with Signal, people would just spin up new instances and, in the worst case, fork the code. Thus copyleft may have provided some unexpected protection for privacy. However, Signal has traditionally been tied to actual identities via mobile phone numbers up until this year. So it's not truly anonymous either." [ 1, 2] (IMEI)

The subject of software patents seems to have been brought up as recently as months ago by "D. J. Bernstein" <djb@cr.yp.to>, who wrote:


The elephant in the room is the patent minefield surrounding Kyber. NIST says it has bought Kyber licenses for the two oldest patent families, but
* those licenses are only for exactly what NIST ends up standardizing (supposedly the standards will appear this year), so IETF doesn't have change control---for example, if security continues to degrade (as I expect it will), then presumably IETF will consider modifying Kyber to provide security levels beyond Kyber-1024, but this would go beyond what's allowed by the licenses; and
* there are other patents in the area, including at least one patent holder publicly claiming Kyber coverage, with no public response from NIST or from the Kyber team.

There's more in there, but this message is more detailed and not so old:


Paul Wouters writes: > Should the IETF really recommend a dropped candidate at this stage?
Yes. IETF policy prefers algorithms with no known patent claims. BCP 79 does not authorize delegating IETF's patent-related decisions to NIST.
Furthermore, the notion that NIST is speaking for a unified community is easy to disprove. For example,
https://web.archive.org/web/20230401090854/https://secdev.ieee.org/wp-content/uploads/2022/10/LaMacchia-Keynote-IEEESecDev2022.pdf
revealed that ISO's crypto group agreed---in October 2022, months after NIST announced its selection---to initiate a preliminary work item on a very different list of algorithms. There are three algorithms on that list; one matches a NIST selection (Kyber), one is under consideration by NIST for possible future standardization (Classic McEliece), and one was dropped by NIST (FrodoKEM).
> Patent claims are not the issue, as long as the conditions for using > the patents are not encumbered.
As I wrote before: "there are other patents in the area, including at least one patent holder publicly claiming Kyber coverage, with no public response from NIST or from the Kyber team". I quoted and cited a message that says "Kyber is covered by our patents"; I commented that the author of that message "holds patents CN107566121 etc., filed before Kyber was published".
Clearly this qualifies as a "known IPR claim" under BCP 79. I see no evidence of an "offer of royalty-free licensing" under BCP 79.
> It seems that those will not be an issue as otherwise the NIST chosen > algorithm would not be useful.
My message already cited examples of the patent minefield to some extent delaying and to some extent deterring Kyber deployment. If "will" is alluding to the activation of the patent licenses once NIST actually issues a standard: sure, that deals with two patents (assuming NIST has been correctly summarizing the license terms), but the minefield is bigger than that, as illustrated by the further patent claim above.
> The Crypto Panel review also listed some technical points, which you > seem to have left out in your latest email
No, I didn't leave them out. I explicitly focused on the Crypto Review Panel comments regarding sntrup---because I was explicitly replying to comments you made regarding sntrup. Here's your text (followed by many more recent references to NIST's actions regarding sntrup):
With this NTRUprime case, we have a less clear example. Itâs not broken but the IETF Crypto Panel also said the cryptographic method used was somewhat dated and would no longer be recommended by the larger cryptographic community at this point.
Your SAAG presentation at IETF 119 claimed that the review had said "we would have done it like this 15 years ago but these days we wouldn't do it like this anymore so we shouldn't really like standardize that".
Looking broadly at how the review as a whole is being used, I see four basic issues:
* The review and the followup action both failed to consider the patent situation. This is not in line with BCP 79.
* The portion of the review regarding sntrup was completely non-technical, with no evident content beyond delegating IETF/IRTF cryptographic decisions to NIST. The review was not "critical, objective, timely and consistent review of cryptographic algorithms".
* While I agree that the review did make technical comments regarding an issue beyond sntrup (the choice of combiner), those comments are not even marginally consistent with how combiners are being handled elsewhere in IETF and IRTF. (In case readers are interested in the details, see postscript below.)
* The text of the review does not match what it has been portrayed in SAAG as saying.
As an example of the last issue: The SAAG portrayal is that the review text expressed opposition to documentation and/or standardization of what has been deployed in real-world SSH. The actual review text
https://mailarchive.ietf.org/arch/msg/crypto-panel/kDiLLcVOhwoix5BUDdv4r91ZhfY/
sounds much less extreme, with mere "suggestions" to "describe much more explicitly the combiner use", to add citations, and to "consider" including Kyber.
As another example, I see nothing in the review text assigning a positive/negative rating, so it's improper to attribute such a rating to the review. This rating appears to be something that a particular AD projected onto the review. The source should be properly labeled.
> The fact that the cryptographic research communities are focusing on > NIST candidates does mean that those proposed algorithms will see a > lot more scrutiny and research.
The hypothesis and conclusion of this circular argument are both easily disproven by the available data. Skimming https://eprint.iacr.org/2024 from top down right now for the ten most recent post-quantum papers, I find the following:
https://eprint.iacr.org/2024/564 (attacking isogenies generally) https://eprint.iacr.org/2024/561 (an isogeny proposal) https://eprint.iacr.org/2024/555 (attacking lattices generally) https://eprint.iacr.org/2024/551 (Kyber and NewHope) https://eprint.iacr.org/2024/548 (NTRU) https://eprint.iacr.org/2024/530 (an NTRU variant) https://eprint.iacr.org/2024/523 (Kyber) https://eprint.iacr.org/2024/512 (Dilithium) https://eprint.iacr.org/2024/500 (SPHINCS+) https://eprint.iacr.org/2024/490 (new MPC-based signatures)
A solid half of these are on algorithms that have been either removed by NIST or that are newer than anything submitted to NIST. Another two are _overlapping_ NIST but also including other cryptosystems. Only three fit within the alleged "focus".
> that is not a political argument
The text I quoted from the Crypto Review Panel regarding sntrup is purely making claims about politics (again, dictionary definition: "competition between competing interest groups or individuals for power and leadership"). Making claims that _aren't_ in the text, and saying that _those_ claims aren't political, doesn't contradict this.
More to the point, my description of the review had nothing whatsoever to do with the identity of the reviewer, so it wasn't an ad-hominem attack. Please withdraw your claim to the contrary.
> Some people prefer to not engage with you due to previous negative > experiences with your method of discussion.
Now _that's_ an ad-hominem attack. Please (1) apologize and (2) keep yourself under control in the future. Thanks in advance.
Getting back to sntrup: You've referred to secret "informal conversations" as supposedly justifying opposition to sntrup. Let me point out that this provides an easy explanation for the gaps between
* the Crypto Review Panel text and * your description of that text.
Specifically, couldn't it be that what you're attributing to the Crypto Review Panel is actually what's coming from those secret conversations, and you simply lost track of the source?
Also, have you considered the possibility that the conclusions in those conversations come from underlying errors that would be corrected if the arguments were raised in public? Look at the above "scrutiny" claim: it's the sort of error that can easily be repeated because it _sounds_ reasonable, but transparency allows the claim to be rapidly debunked.
> your statement that Roman promised publication [ etc. ]
I don't know what statements you're referring to here; certainly they're not from me. If you're mixing up the NTRU Prime team, the OpenSSH team, the author list for this I-D, etc., then please be more careful.
---D. J. Bernstein
P.S. In case readers are interested, here's the combiner issue.
One way to combine pre-quantum and post-quantum shared secrets into a key for (e.g.) AES-256 or ChaCha20 is to hash the concatenation of the secrets. This is typically just fine, the main risk being that
* quantum computers break the pre-quantum system and * a bad choice of post-quantum system is also breakable (as in the CECPQ2b experiment, which used SIKE to encrypt real user data).
However, there are various papers pointing out contexts where stopping attacks requires hashing more than the shared secrets. All security recommendations in these papers are handled by a combiner that hashes the shared secrets and the full transcript (pre-quantum and post-quantum public keys and ciphertexts).
Someone reviewing a combiner with anything less than transcript hashing has to look at the context and ask whether skimping on the hashing is safe in that context. It's easier for the reviewer to skip this review and just say "Why aren't you hashing more?". That's what happened in the Crypto Review Panel review of the combiner in this SSH draft---it wasn't reviewing whether this is safe in SSH; it was pointing out that this is doing something that in _some_ contexts is unsafe.
Transcript hashing is cheap. I like making cryptographic choices that save time for reviewers. So I'd like to see new proposals settling on _one_ combiner that includes transcript hashing. (To be clear, I don't see this as an argument against documenting something that has been widely deployed for two years now.)
Meanwhile there are other people saying that transcript hashing costs millions of dollars in aggregate and that any unnecessary hash should be skipped---even if this means that reviewers have to look at different combiners for different contexts, and check that each of the faster combiners is safe in the contexts where the combiner is being used.
Here are three examples of combiners not using full transcript hashing:
* A proposal called "X-Wing" uses an ad-hoc "QSF" combiner. This combiner is unsafe in some contexts.
* draft-ietf-tls-hybrid-design uses a simple concatenation combiner. This combiner is unsafe in some contexts.
* draft-josefsson-ntruprime-ssh uses a simple concatenation combiner, This combiner is unsafe in some contexts.
Now compare how this context switch is being handled:
* X-Wing is currently under consideration by CFRG.
* My understanding is that draft-ietf-tls-hybrid-design has reached consensus except for settling some code points.
* Meanwhile an AD is opposing draft-josefsson-ntruprime-ssh, where, as far as I can tell, the only _technical_ complaint is that it's using a concatenation combiner.
This is not even marginally consistent. Sure, X-Wing is in CFRG and hasn't reached consensus, but this procedural distinction doesn't work for the TLS example, and it's also missing the point about the content. The Crypto Review Panel charter asks for "consistent review"; given that new proposals are being allowed in CFRG and TLS with combiners that can be unsafe in other contexts, why is draft-josefsson-ntruprime-ssh being selectively targeted with a complaint that its combiner can be unsafe in other contexts?

Many questions deserve to be asked here because even software like SSH is at stake, set aside PGP, TLS stuff, disk encryption, and so on. There are too many crackpots in this industry/sector speaking in insults and rude words instead of making sense from a scientific perspective. They resort to name-calling instead of debating. Sometimes they try to make things sound a lot more complicated than they actually are to discourage/repel outside audits, participation, scrutiny etc. So it's filled with posers, imposters, fakers, and narcissistic liars. They want nobody else to participate and they defame the best in the area.

It used to be a field of science, not spies.

Other Recent Techrights' Posts

Crime and Corruption at Microsoft GitHub Cannot be Covered Up by SLAPPs in Another Continent
We'll write about this for a long time to come
Slop Videos Are Disappointing Garbage, Nothing New, Just Brute Force up on Display or a Pedestal of Slop
Slop videos aren't a new thing
Slopwatch: Linux Journal, Linuxsecurity, and Google News Getting Even Worse (More Slopfarms Added Which Attack Linux With Bruce-Force SPAM)
Google News is part of the same problem
GNU/Linux is Replacing Microsoft Windows. But We Need to Eradicate Microsoft, It's a Hub of Crime.
I have been writing about Microsoft since the 1990s when I was in school
 
Links 04/07/2025: Microsoft's H-1B Visa Applications Show Another Crisis Unfolding, Many More Deep Cuts and Shutdowns Revealed, Complete Microsoft Exits
Links for the day
Gemini Links 04/07/2025: A Day To Remember and "Stop Killing Games"
Links for the day
Weeks After Microsoft Bankruptcy in Russia the Company Shuts Down in Pakistan, Too
Last month Windows' share in Pakistan fell to an all-time low
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 03, 2025
IRC logs for Thursday, July 03, 2025
The War on Local Storage (People Hosting Their Files Locally and Privately)
There's nothing wrong with controlling one's computing
What Digital Independence Means
Independence in the digital realms means abandoning platforms like GitHub, not just rejecting proprietary software
NVidia is a Bubble
they temporarily see fortunes and wrongly assume perpetuity thereof
Fedora Does Not Care About Diversity and Inclusion, It's About Optics (Corporate Image)
any notion of inclusion is superficial and misleading
Don't Buy the Excuses for Microsoft's Mass Layoffs
Back in the 90s, Microsoft bought a lot of companies to get and stay ahead
Happy Independence Day to Our American Readers
Maybe tomorrow will be a good opportunity to explain to American people - in terms of concepts, not brands - which tools respect their independence
Links 03/07/2025: More Cuts and Cancellations at Microsoft Revealed
Links for the day
Gemini Links 03/07/2025: Favourite Child and Launching WikiGem
Links for the day
Mystery Surrounding the PCLinuxOS Sites and PCLinuxOS Magazine
Let's hope this isn't something major
People and Companies Do Learn Some Lessons From Their Mistakes (Stubborn Ones Don't)
Brett Wilson LLP is an example of one that would rather drown in mistakes
Links 03/07/2025: 'Hey Hi' Slop Ridiculed Some More and Microsoft's Layoffs Tally for 2025 Reaches About 29,000 in Just 6 Months (Almost 5,000 Per Month)
Links for the day
Microsoft Staff Harassing Women, Strangling Women, Telling Women to Kill Themselves and Worse? Not a Problem!
Two women have left Brett Wilson LLP
The Slopfarms Are Losing the Plot (and Google is Propping Up Rogue Sites)
Google is part of the attack on the Web, on information, and on technology
New BetaNews Realises There's No Potential or Future in Slopfarms, Prior Editor Wayne Williams is Back
They realise that slop (so-called "AI") cannot replace humans
Claims That Microsoft Looks for Staff That Works More and Gets Paid Less (or Can Only Code by Grabbing Other People's Code, Under the Guise of "AI")
People can form their own opinion
Richard Stallman Was Right About Reasons Not to Use Microsoft
last updated 2017
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 02, 2025
IRC logs for Wednesday, July 02, 2025
Gemini Links 03/07/2025: No to Cloudflare and Small Web July
Links for the day
Links 02/07/2025: Deep Microsoft Cuts, Macron Speaks to Putin
Links for the day
Confirmed: Microsoft Shutdowns Today, Not Only Mass Layoffs
"The Initiative is the only studio closure planned today, although some other teams have seen cuts of varying degrees."
Microsoft Windows Nosedives in Switzerland While GNU/Linux Leaps Above 6%
sooner or later they might have to make the move anyway
Anxiety at Microsoft: Many Workers (Maybe Over 10,000) Still Don't Know They're Being Laid Off Just Before US Independence Day
"Has anyone gotten the notification yet?"
Microsoft "Declined to Say How Many People Would be Laid Off," According to Associated Press
Some other prominent publications said they reached out for comment from Microsoft and received none
The X War is Over and the "Wayland People" Lost
People will gravitate towards what works for them
20 Years Since My Thesis
It's still online
GNU/Linux is Replacing Windows in Laptops/Desktops
The world will move on while Windows and Microsoft shrink
Now Comes the Expected Webspam, Framing Microsoft Layoffs as "Hey Hi" Success Story (False Marketing That's Piggybacking the Layoffs)
falsely marketed as "intelligence"
Hungary: Microsoft Windows Sinks to 17% "Market Share"
In many nations in Europe it seems like the era of Windows is coming to an end
Microsoft Media Operatives and Bill Epsteingate-Funded Sites Said Microsoft Lays Off 9,000, But Other Sites Say More (Including 2,300 in Redmond Alone)
We might never know the real number/s (Microsoft will keep the cards close to its chest) until there are leakers or unless there are whistleblowers with hard proof
Microsoft Layoffs in Spain, Portugal Record for GNU/Linux
in Portugal we see GNU/Linux at record levels
GNU/Linux Reaches All-Time High in the United States of America
Windows is trending down
Yes, Microsoft is Again Using Its Favourite Liars (Stenographers) to Seed Fake Layoff Numbers, Much Lower Than What's Really Happening
It is Jordan Novet again, just as we predicted
Will Microsoft Once Again Choose Its Favourite Liar to Spread Lies About Today's Layoffs, Quickly to be Replicated and Spread by Slopfarms?
What lies is Microsoft briefing its media moles to tell today?
"OSS Fetishism" Wins After Ferenc Zsolt Szabó Ousted (Microsoft Mole From Capgemini)
Many people said 2025 would be the "year of Linux on the desktop"
There is Nothing That LLMs Can Offer Honest People
LLMs are a passing fad; they're expensive and offer poor "value" for energy; they usually offer no value at all unless you are a cheater, spammer, and liar
What statCounter Shows Today Helps Explain Microsoft's Helplessness, Mass Layoffs
Since many US journalists are already away on holiday almost nobody will dare ask the difficult questions or give a voice to whistleblowers
Microsoft Gets the Chop in South America
The notion of digital sovereignty gained a lot of popularity
Europe Has an 'Exit'
Let's see what happens the rest of this year
El Presidente Talks, Canada Walks (Away From Windows)
GNU/Linux rising
Cities in France and Germany Move to GNU/Linux and statCounter Detects Big Differences
Will governments lead by example?
Microsoft Lost Its Foothold in Africa
How many of these are "old" Windows machines converted to GNU/Linux? Probably a lot.
Led by Europe, GNU/Linux Makes Big Gains This Month
statCounter started showing new/fresh stats
Links 02/07/2025: Massive Microsoft Layoffs About to Commence, "Tesla's Robotaxi Program Is Failing"
Links for the day
Why the Microsoft People Who Started SLAPPs Against Techrights Could Very Well be Sent Back to Prison
White-collar crime is also a crime
The Company Run by Former (and Last Proper) Red Hat CEO, Promoting Microsoft Mono, Faces Shock as Senior Partner Jailed for 33 Sexual Offenses Including Pedophilia
"As reported by The Oxford Mail in April 2025, the offenses include rape, sexual assault, engaging in non-penetrative activity with a child, and more."
Microsoft Lost 29% of Windows Users, Based on Microsoft, Now Come Massive Layoffs
Microsoft collapse is today
Slopwatch: Google Serves to People Linux Slop and Linux FUD (Made by Bots)
"Slopwatch" finds it difficult to ignore Google's role in encouraging LLM slop
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, July 01, 2025
IRC logs for Tuesday, July 01, 2025
"Wayland People" Behave Like the Googles and Microsofts of This World
Published yesterday by Igor Ljubuncic
Gemini Links 02/07/2025: Arch Linux and Fulfillment in Gemini
Links for the day