[fitblipper]

> My interpretation leans more towards NIST making an internal mistake in evaluating the algorithms, rather than NSA pushing its agenda.

Why do you say this? The NSA has done this exact thing in the past[1], so why give them the benefit of the doubt this time?

[1] https://en.m.wikipedia.org/wiki/Dual_EC_DRBG

[BoppreH]

Because Dual_EC_DRBG was very heavy handed. It was driven by NSA itself (and based on a paper named "Kleptography"!); the backdoor was obvious; and they had to ~bribe~ monetarily incentivize companies to actually implement and use it.

Meanwhile, both NTRU and Kyber are lattice-based, and their designs came from honest attempts. To be an NSA effort, there would need to exist an exploitable flaw in Kyber, but not NTRU, known only to the NSA. And it's not like NTRU as a whole got disqualified; only the fastest variant did.

That's the problem with spy agencies, you never know what they are capable of. But if it was an NSA effort, it would be, by far, the most subtle one uncovered so far.

[akdor1154]

There is definitely a selection bias if judging 'subtlety of NSA activities' by only examining 'NSA activities that were unsubtle enough to be discovered'.

[vlovich123]

There’s no reason to believe that the NSA doesn’t learn and evolve from past efforts.

Changing rules on the fly and improperly applying said rules could be a way to select a weak option you can break while having stronger plausible deniability than what happened with Dual_EC_DRBG (which btw wasn’t actually confirmed until the Snowden leak). So here’s someone claiming NIST is being suspicious in how the algorithm selection happened. The rules really need to be set in stone at the beginning of the competition or before the phases at least. And you can’t pick diametrically opposed rule sets between phases (as happened if you read Bernstein’s letter), only tweaks.

[TMWNN]

On the other hand, DES is an example of where people were sure that NSA persuaded IBM to weaken it but, to quote Bruce Schneier, "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES". <https://www.cnet.com/news/privacy/saluting-the-data-encrypti...>

[staunton]

NSA did persuade them to weaken DES by shortening the key size. The "magic S-boxes" were chosen to be resistant to differential cryptanalysis (which was successfully kept secret for decades to come) but that doesn't change the fact NSA had the means to break DES by brute force.

[red_admiral]

Half true. The S-box thing strengthened the cipher. Cutting the key length from 64 bits to 56 arguably weakened the cipher.