Lots of Talk About NIST in Relation to Encryption and Standards, But NIST Fronts for Imperialism, Not Privacy, and There Are Software Patent Elephants in the Room

posted by Roy Schestowitz on Aug 25, 2024,
updated Aug 25, 2024

nist.gov logo

NIST links to CHIPS.gov site

THE OFFICIAL WEB SITE of NIST is (right at this very moment) celebrating mega-bailouts for failing chipmakers that put back doors (and defects, bug doors etc.) in all their current chips, except perhaps for those tailored/specially-made for military purposes. The front page says: "CHIPS for America: Investments in innovation, resilience and a more competitive American future..."

We've long (over a decade!) pointed out that NIST does not pursue real security. The same is true for NSA, IETF, and several other internationally-recognised entities. Well, there are nearly a dozen of these in the US alone and most people recognise the acronyms/logos; they're used a lot - sparingly in fact - in the sciences, typically framed or presented like trusted establishments to be blindly worshiped, adored, followed, conformed and adhered to. IETF is US like ITC is US. Look beyond the ludicrous facade. Whose authority is obeyed?

A lot of those entrusted to standardise encryption are - at the same time - interested in undermining/bypassing encryption (intercepts and wiretapping). They want encryption reserved to those who are in positions of power; to everybody else they already gave fake encryption and fake security. This self-aggrandising sense of entitlement and empowerment comes naturally to people drunk on power.

NIST et al routinely get caught in "oversights", "oopses", "accidents", and "mistakes" in their recommendations (poor specifications that become implementations will never be secure!), which probably make no sense at all even before such "bugs" or "loopholes" are found. They talk about hypothetical and theoretical (prospective) risks while overlooking and intentionally ignoring imminent and even existing ones.

Only a week or so ago the media said that NIST released "First Post-Quantum Encryption Algorithms"...

Wow, "Quantum"!!! Amazing!! Let's not ask any questions or they'll make us look dumb and arcane.

But, as noted to us today, there are also software patents to worry about.

"NIST realises that software patents are ruining encryption," we said, citing this older thread, but that's actually NIST being confronted by outsiders in NIST-related discussion channels. "Ruining encryption," an associate noted, means "sabotaging security". I said this was potential lawfare ("I cannot break it, but I can sue you").

"If one wanted to be paranoid," the associate said, "one could ask who put them up to that patent nonsense. Sure the patsies stand to gain financially but that is a small thing compared to the interests which gain by eliminating air-tight encryption and having someone else take the blame for it. (cf. [Telegram Founder Pavel] Durov arrest over his proprietary "app")."

"Signal is AGPL (copyleft) all the way through, unlike Telegram which is proprietary. The proprietary, centralized nature of Telegram possibly makes it feasible to wrest control from the owner. Whereas with Signal, people would just spin up new instances and, in the worst case, fork the code. Thus copyleft may have provided some unexpected protection for privacy. However, Signal has traditionally been tied to actual identities via mobile phone numbers up until this year. So it's not truly anonymous either." [1, 2] (IMEI)

The subject of software patents seems to have been brought up as recently as months ago by "D. J. Bernstein" <djb@cr.yp.to>, who wrote:


The elephant in the room is the patent minefield surrounding Kyber. NIST says it has bought Kyber licenses for the two oldest patent families, but
* those licenses are only for exactly what NIST ends up standardizing (supposedly the standards will appear this year), so IETF doesn't have change control---for example, if security continues to degrade (as I expect it will), then presumably IETF will consider modifying Kyber to provide security levels beyond Kyber-1024, but this would go beyond what's allowed by the licenses; and
* there are other patents in the area, including at least one patent holder publicly claiming Kyber coverage, with no public response from NIST or from the Kyber team.

There's more in there, but this message is more detailed and not so old:


Paul Wouters writes:
> Should the IETF really recommend a dropped candidate at this stage?
Yes. IETF policy prefers algorithms with no known patent claims. BCP 79 does not authorize delegating IETF's patent-related decisions to NIST.
Furthermore, the notion that NIST is speaking for a unified community is easy to disprove. For example,
https://web.archive.org/web/20230401090854/https://secdev.ieee.org/wp-content/uploads/2022/10/LaMacchia-Keynote-IEEESecDev2022.pdf
revealed that ISO's crypto group agreed---in October 2022, months after NIST announced its selection---to initiate a preliminary work item on a very different list of algorithms. There are three algorithms on that list; one matches a NIST selection (Kyber), one is under consideration by NIST for possible future standardization (Classic McEliece), and one was dropped by NIST (FrodoKEM).
> Patent claims are not the issue, as long as the conditions for using
> the patents are not encumbered.
As I wrote before: "there are other patents in the area, including at least one patent holder publicly claiming Kyber coverage, with no public response from NIST or from the Kyber team". I quoted and cited a message that says "Kyber is covered by our patents"; I commented that the author of that message "holds patents CN107566121 etc., filed before Kyber was published".
Clearly this qualifies as a "known IPR claim" under BCP 79. I see no evidence of an "offer of royalty-free licensing" under BCP 79.
> It seems that those will not be an issue as otherwise the NIST chosen
> algorithm would not be useful.
My message already cited examples of the patent minefield to some extent delaying and to some extent deterring Kyber deployment. If "will" is alluding to the activation of the patent licenses once NIST actually issues a standard: sure, that deals with two patents (assuming NIST has been correctly summarizing the license terms), but the minefield is bigger than that, as illustrated by the further patent claim above.
> The Crypto Panel review also listed some technical points, which you
> seem to have left out in your latest email
No, I didn't leave them out. I explicitly focused on the Crypto Review Panel comments regarding sntrup---because I was explicitly replying to comments you made regarding sntrup. Here's your text (followed by many more recent references to NIST's actions regarding sntrup):
With this NTRUprime case, we have a less clear example. It's not broken but the IETF Crypto Panel also said the cryptographic method used was somewhat dated and would no longer be recommended by the larger cryptographic community at this point.
Your SAAG presentation at IETF 119 claimed that the review had said "we would have done it like this 15 years ago but these days we wouldn't do it like this anymore so we shouldn't really like standardize that".
Looking broadly at how the review as a whole is being used, I see four basic issues:
* The review and the followup action both failed to consider the patent situation. This is not in line with BCP 79.
* The portion of the review regarding sntrup was completely non-technical, with no evident content beyond delegating IETF/IRTF cryptographic decisions to NIST. The review was not "critical, objective, timely and consistent review of cryptographic algorithms".
* While I agree that the review did make technical comments regarding an issue beyond sntrup (the choice of combiner), those comments are not even marginally consistent with how combiners are being handled elsewhere in IETF and IRTF. (In case readers are interested in the details, see postscript below.)
* The text of the review does not match what it has been portrayed in SAAG as saying.
As an example of the last issue: The SAAG portrayal is that the review text expressed opposition to documentation and/or standardization of what has been deployed in real-world SSH. The actual review text
https://mailarchive.ietf.org/arch/msg/crypto-panel/kDiLLcVOhwoix5BUDdv4r91ZhfY/
sounds much less extreme, with mere "suggestions" to "describe much more explicitly the combiner use", to add citations, and to "consider" including Kyber.
As another example, I see nothing in the review text assigning a positive/negative rating, so it's improper to attribute such a rating to the review. This rating appears to be something that a particular AD projected onto the review. The source should be properly labeled.
> The fact that the cryptographic research communities are focusing on
> NIST candidates does mean that those proposed algorithms will see a
> lot more scrutiny and research.
The hypothesis and conclusion of this circular argument are both easily disproven by the available data. Skimming https://eprint.iacr.org/2024 from top down right now for the ten most recent post-quantum papers, I find the following:
https://eprint.iacr.org/2024/564 (attacking isogenies generally)
https://eprint.iacr.org/2024/561 (an isogeny proposal)
https://eprint.iacr.org/2024/555 (attacking lattices generally)
https://eprint.iacr.org/2024/551 (Kyber and NewHope)
https://eprint.iacr.org/2024/548 (NTRU)
https://eprint.iacr.org/2024/530 (an NTRU variant)
https://eprint.iacr.org/2024/523 (Kyber)
https://eprint.iacr.org/2024/512 (Dilithium)
https://eprint.iacr.org/2024/500 (SPHINCS+)
https://eprint.iacr.org/2024/490 (new MPC-based signatures)
A solid half of these are on algorithms that have been either removed by NIST or that are newer than anything submitted to NIST. Another two are _overlapping_ NIST but also including other cryptosystems. Only three fit within the alleged "focus".
> that is not a political argument
The text I quoted from the Crypto Review Panel regarding sntrup is purely making claims about politics (again, dictionary definition: "competition between competing interest groups or individuals for power and leadership"). Making claims that _aren't_ in the text, and saying that _those_ claims aren't political, doesn't contradict this.
More to the point, my description of the review had nothing whatsoever to do with the identity of the reviewer, so it wasn't an ad-hominem attack. Please withdraw your claim to the contrary.
> Some people prefer to not engage with you due to previous negative
> experiences with your method of discussion.
Now _that's_ an ad-hominem attack. Please (1) apologize and (2) keep yourself under control in the future. Thanks in advance.
Getting back to sntrup: You've referred to secret "informal conversations" as supposedly justifying opposition to sntrup. Let me point out that this provides an easy explanation for the gaps between
* the Crypto Review Panel text and
* your description of that text.
Specifically, couldn't it be that what you're attributing to the Crypto Review Panel is actually what's coming from those secret conversations, and you simply lost track of the source?
Also, have you considered the possibility that the conclusions in those conversations come from underlying errors that would be corrected if the arguments were raised in public? Look at the above "scrutiny" claim: it's the sort of error that can easily be repeated because it _sounds_ reasonable, but transparency allows the claim to be rapidly debunked.
> your statement that Roman promised publication [ etc. ]
I don't know what statements you're referring to here; certainly they're not from me. If you're mixing up the NTRU Prime team, the OpenSSH team, the author list for this I-D, etc., then please be more careful.
---D. J. Bernstein
P.S. In case readers are interested, here's the combiner issue.
One way to combine pre-quantum and post-quantum shared secrets into a key for (e.g.) AES-256 or ChaCha20 is to hash the concatenation of the secrets. This is typically just fine, the main risk being that
* quantum computers break the pre-quantum system and
* a bad choice of post-quantum system is also breakable (as in the CECPQ2b experiment, which used SIKE to encrypt real user data).
However, there are various papers pointing out contexts where stopping attacks requires hashing more than the shared secrets. All security recommendations in these papers are handled by a combiner that hashes the shared secrets and the full transcript (pre-quantum and post-quantum public keys and ciphertexts).
Someone reviewing a combiner with anything less than transcript hashing has to look at the context and ask whether skimping on the hashing is safe in that context. It's easier for the reviewer to skip this review and just say "Why aren't you hashing more?". That's what happened in the Crypto Review Panel review of the combiner in this SSH draft---it wasn't reviewing whether this is safe in SSH; it was pointing out that this is doing something that in _some_ contexts is unsafe.
Transcript hashing is cheap. I like making cryptographic choices that save time for reviewers. So I'd like to see new proposals settling on _one_ combiner that includes transcript hashing. (To be clear, I don't see this as an argument against documenting something that has been widely deployed for two years now.)
Meanwhile there are other people saying that transcript hashing costs millions of dollars in aggregate and that any unnecessary hash should be skipped---even if this means that reviewers have to look at different combiners for different contexts, and check that each of the faster combiners is safe in the contexts where the combiner is being used.
Here are three examples of combiners not using full transcript hashing:
* A proposal called "X-Wing" uses an ad-hoc "QSF" combiner. This combiner is unsafe in some contexts.
* draft-ietf-tls-hybrid-design uses a simple concatenation combiner. This combiner is unsafe in some contexts.
* draft-josefsson-ntruprime-ssh uses a simple concatenation combiner. This combiner is unsafe in some contexts.
Now compare how this context switch is being handled:
* X-Wing is currently under consideration by CFRG.
* My understanding is that draft-ietf-tls-hybrid-design has reached consensus except for settling some code points.
* Meanwhile an AD is opposing draft-josefsson-ntruprime-ssh, where, as far as I can tell, the only _technical_ complaint is that it's using a concatenation combiner.
This is not even marginally consistent. Sure, X-Wing is in CFRG and hasn't reached consensus, but this procedural distinction doesn't work for the TLS example, and it's also missing the point about the content. The Crypto Review Panel charter asks for "consistent review"; given that new proposals are being allowed in CFRG and TLS with combiners that can be unsafe in other contexts, why is draft-josefsson-ntruprime-ssh being selectively targeted with a complaint that its combiner can be unsafe in other contexts?
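
The two combiner shapes discussed in the postscript above, side by side, as an added illustration (this is not code from the quoted thread, from the NTRU Prime team, or from any of the drafts it names). It assumes constructed byte strings in place of real X25519/sntrup/Kyber outputs, SHA-256 as the hash, and a length-prefixed field layout of my own choosing. It shows the mechanical difference: the concatenation combiner's output depends on the shared secrets alone, so anything else the key should be bound to must be bound by the surrounding protocol, whereas the transcript-hashing combiner binds the public keys and ciphertexts itself. It also goes one step beyond the text by showing why length-prefixing matters once inputs can vary in length.

```python
"""Hybrid KEM combiners: H(ss_pre || ss_post) versus full transcript hashing.

Added example, not from the IETF thread or any draft it cites. All "KEM"
values below are constructed stand-ins, and SHA-256 is used for concreteness.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    """Everything both sides saw in one hybrid key exchange (constructed values)."""
    ss_pre: bytes    # pre-quantum shared secret (e.g. from X25519)
    ss_post: bytes   # post-quantum shared secret (e.g. from sntrup or Kyber)
    pk_pre: bytes    # pre-quantum public key sent on the wire
    pk_post: bytes   # post-quantum public key sent on the wire
    ct_pre: bytes    # pre-quantum ciphertext / ephemeral share
    ct_post: bytes   # post-quantum ciphertext


def concat_combiner(x: Exchange) -> bytes:
    """Simple concatenation combiner: key = H(ss_pre || ss_post).

    Only the two shared secrets enter the hash; the keys and ciphertexts
    that were exchanged are not bound into the derived key here.
    """
    return hashlib.sha256(x.ss_pre + x.ss_post).digest()


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so a concatenation cannot be re-split ambiguously."""
    return len(field).to_bytes(4, "big") + field


def transcript_combiner(x: Exchange) -> bytes:
    """Transcript-hashing combiner: key = H(secrets || public keys || ciphertexts).

    Every value either side sent or received is bound into the key, so two
    exchanges that produced the same secrets but differ anywhere in the
    transcript derive different keys.
    """
    h = hashlib.sha256()
    for field in (x.ss_pre, x.ss_post, x.pk_pre, x.pk_post, x.ct_pre, x.ct_post):
        h.update(_lp(field))
    return h.digest()


def compare_combiners() -> dict:
    """Run both combiners over two constructed exchanges with identical secrets
    whose transcripts differ in one ciphertext, and over variable-length inputs."""
    base = Exchange(ss_pre=b"\x01" * 32, ss_post=b"\x02" * 32,
                    pk_pre=b"PKpre", pk_post=b"PKpost",
                    ct_pre=b"CTpre", ct_post=b"CTpost")
    # Same secrets, transcript differs only in the post-quantum ciphertext.
    altered = Exchange(base.ss_pre, base.ss_post, base.pk_pre, base.pk_post,
                       base.ct_pre, base.ct_post + b"!")

    # With variable-length secrets, (b"ab", b"c") and (b"a", b"bc") concatenate
    # to the same bytes; length prefixes keep the fields distinguishable.
    split_a = Exchange(b"ab", b"c", b"P", b"Q", b"R", b"S")
    split_b = Exchange(b"a", b"bc", b"P", b"Q", b"R", b"S")

    return {
        # True: the transcript never enters the concatenation combiner.
        "concat_ignores_transcript": concat_combiner(base) == concat_combiner(altered),
        # True: a one-byte change in a ciphertext changes the derived key.
        "transcript_binds_ciphertext": transcript_combiner(base) != transcript_combiner(altered),
        # True: plain concatenation cannot tell the two splits apart.
        "concat_ambiguous_on_variable_length": concat_combiner(split_a) == concat_combiner(split_b),
        # False: length-prefixed fields are unambiguous.
        "transcript_ambiguous_on_variable_length":
            transcript_combiner(split_a) == transcript_combiner(split_b),
        # 32 bytes, i.e. directly usable as an AES-256 or ChaCha20 key.
        "key_length": len(transcript_combiner(base)),
    }


if __name__ == "__main__":
    for name, value in compare_combiners().items():
        print(f"{name}: {value}")
```

The fixed-length case is why the postscript calls plain concatenation "typically just fine": when both secrets have a fixed size, the ambiguity shown by the variable-length inputs does not arise, and the remaining question is whether the protocol around the combiner already binds the transcript by other means. The transcript-hashing variant removes that question from the reviewer's plate, which is the point made about saving review effort.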

Many questions deserve to be asked here because even software like SSH is at stake, let alone PGP, TLS stuff, disk encryption, and so on. There are too many crackpots in this industry/sector speaking in insults and rude words instead of making sense from a scientific perspective. They resort to name-calling instead of debating. Sometimes they try to make things sound a lot more complicated than they actually are to discourage/repel outside audits, participation, scrutiny etc. So it's filled with posers, imposters, fakers, and narcissistic liars. They want nobody else to participate and they defame the best in the area.

It used to be a field of science, not spies.
