by chasil
1442 days ago
I agree with your sentiment. I wish NIST had conducted the proceedings more professionally, and this collapse in confidence is their own fault. The OpenSSH decision to promote NTRU-prime from an experimental feature to the preferred key exchange was breathtakingly rapid, and final. It is a tacit assertion that NIST is no longer relevant. DJB was on several teams, and I think that OpenSSH would lend greater credence to him than any other council, deservedly so. We might end up with SPHINCS+, but I will be surprised if KYBER is adopted. This moved very fast.

One reason KYBER got standardized quickly is that PQC KEMs are time-sensitive if you believe the quantum attack threat is plausibly material within the next 10-15 years. Your adversary in these attacks will almost certainly be state signals intelligence groups, and the expense involved in building attack hardware dwarfs the expense of collecting traffic today to decrypt in 2034. If you're a PQC believer, you want something out the door soon.
I don't understand the special sway you think Bernstein has, versus all the other cryptographers that participate in NISTPQC, with the OpenSSH team. I worry that people believe stuff like this because they know who Bernstein is and what OpenSSH is, and don't off the top of their head know who Tancrède Lepoint is. Note also that the KYBER team includes Peter Schwabe, whose name you should definitely know if you're a Bernstan.