Quantum-safe crypto standard: lawsuit over post-quantum selection process


Despite the NSA scandal, NIST is courting trust for its post-quantum standardization process. Crypto researcher Dan Bernstein now wants to enforce transparency.

 

Noted crypto researcher Dan Bernstein has filed a lawsuit against the National Institute of Standards and Technology (NIST). The US agency responsible for selecting quantum-safe crypto standards has refused to provide information about its cooperation with the US intelligence agency, the National Security Agency (NSA). In Bernstein’s opinion, this not only breaks NIST’s own promises of transparency but also violates US freedom of information regulations.

 

In 2016, NIST launched an open selection process to find cryptographic algorithms that can withstand attacks by future powerful quantum computers. Together with colleagues, Bernstein himself submitted several proposals in the process. Of these, the SPHINCS+ signature method was selected for standardization and the Bit Flipping Key Encapsulation (BIKE) proposal was sent into the fourth round.

Bernstein teaches at Ruhr University Bochum and is part of the CASA excellence cluster there, from which the Kyber key encapsulation method selected by NIST and the Dilithium signature method also come. Bernstein first filed a lawsuit against the US government in 1995, in order to be able to present his cryptographic research abroad, contrary to US crypto export regulations.

In the ongoing NIST post-quantum cryptography case, the unruly crypto guru sent a total of seven freedom of information requests to the US agency. With the seventh, in March 2022, he asked the agency to disclose its communications with the National Security Agency (NSA) during the selection process and also before it started. Because the agency did not comply with this request, he has now turned to the US Federal Court for Washington DC.

The agency had already answered the first six requests with incomplete information, writes Bernstein. According to the lawsuit, it did not even answer the current Freedom of Information Act (FOIA) request about the NSA.

In a detailed blog post over the weekend, Bernstein explains why he insists so emphatically on information about the influence of the NSA. “The well-documented history of NSA sabotage, coupled with the clear intelligence agency’s influence over NIST, makes review of NSA interventions a priority, even though it is likely that other organizations have attempted to sabotage the NIST process,” warns Bernstein. Before the court, his lawyers point to evidence that the NSA made representations to NIST in the post-quantum standardization process well before 2020.

Bernstein recaps the history of NSA interference in crypto standardization processes to justify his suspicion. The best-known example, and one ultimately conceded by NIST in the wake of the Snowden revelations, is the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG). The pseudo-random number generator, standardized by NIST at the request of the NSA, was a plant by the US intelligence agency: knowing the constants used, the agency was able to calculate the supposedly random numbers and thus break the encryption.
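The mechanism in miniature, as an added example that is not part of the original article or of Bernstein's post: if the generator's two public curve points are secretly related by a scalar known to whoever chose them, a single output reveals the internal state and every later output. Assumptions of this sketch: the curve y^2 = x^3 + 7 over the secp256k1 field stands in for the NIST curves, `D_SECRET` and all function names are constructed, and outputs are not truncated as they were in the standard.

```python
# Added illustration of the Dual EC DRBG structure with a designer-known trapdoor.
# Stand-in curve y^2 = x^3 + 7 (assumption); no output truncation (simplification).
p = 2**256 - 2**32 - 977

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    y2 = (pow(x, 3, p) + 7) % p
    y = pow(y2, (p + 1) // 4, p)       # square root, valid because p % 4 == 3
    return (x, y) if y * y % p == y2 else None

Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)   # public constant
D_SECRET = 0x5EC2E7C0FFEE              # constructed trapdoor, known to the designer
P = mul(D_SECRET, Q)                   # public constant; secretly P = d*Q

def stream(s, n):
    """n outputs from internal state s: emit x(s*Q), then s <- x(s*P)."""
    out = []
    for _ in range(n):
        out.append(mul(s, Q)[0])
        s = mul(s, P)[0]
    return out

def dual_ec(seed, n):
    """The generator as a user sees it: the seed is stepped once, then streamed."""
    return stream(mul(seed, P)[0], n)

def predict_after(observed, d, n):
    """Holder of d: d*(s*Q) = s*P, so one output yields the next state."""
    return stream(mul(d, lift_x(observed))[0], n)
```

Without the scalar, going from an output to the next state means solving a discrete logarithm, which is why the unexplained origin of the constants was the core of the criticism.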

Security researchers like Bruce Schneier had long criticized the weaknesses of Dual EC before the agency finally officially withdrew the standard in 2014. After the cryptographic community had already considered standardizing new crypto algorithms itself in future, NIST vowed to improve and, above all, promised comprehensive transparency of its own processes.

Bernstein believes that the agency is now breaking this promise again. Only openness about whom it communicates with, and about which criteria ultimately decide a selection, could prevent manipulation of crypto standards that are so important. Overall, the researcher warns, the “private” statements that NIST repeatedly requests are a delicate matter, since they remove part of the decision-making process from scrutiny by the research community and the public.

For Bernstein, there have long been signs of delicate interventions by the NSA. He warns against following the NSA’s assessment that today’s common crypto methods can be abandoned when migrating to post-quantum encryption and signatures. Currently, typical cryptographic applications like OpenSSH use a combination of traditional and PQC encryption (specifically NTRU with X25519 ECDH).

In a tweet, the NSA spoke out against this so-called hybrid encryption. But Bernstein warns that the new methods have not yet been tested enough to be able to do without such double protection. The recent successful attack against the fourth-round candidate SIKE demonstrated this quite impressively.

In the crypto community, on the other hand, prominent researchers have expressed doubts about Bernstein’s approach. While Matthew Green and Filippo Valsorda, for instance, generally support calls for transparency, they warn that Bernstein is mixing well-intentioned concerns with conspiracy theories and baseless allegations against colleagues. This makes it difficult for the community to work together.

 

Brian Adam