by BoppreH 980 days ago
Because Dual_EC_DRBG was very heavy handed. It was driven by NSA itself (and based on a paper named "Kleptography"!); the backdoor was obvious; and they had to ~bribe~ monetarily incentivize companies to actually implement and use it.

Meanwhile, both NTRU and Kyber are lattice-based, and their designs came from honest attempts. To be an NSA effort, there would need to exist an exploitable flaw in Kyber, but not NTRU, known only to the NSA. And it's not like NTRU as a whole got disqualified; only the fastest variant did.

That's the problem with spy agencies: you never know what they are capable of. But if it was an NSA effort, it would be, by far, the most subtle one uncovered so far.

2 comments

There is definitely a selection bias if judging 'subtlety of NSA activities' by only examining 'NSA activities that were unsubtle enough to be discovered'.
There’s no reason to believe that the NSA doesn’t learn and evolve from past efforts.

Changing rules on the fly and improperly applying said rules could be a way to select a weak option you can break while having stronger plausible deniability than what happened with Dual_EC_DRBG (which btw wasn’t actually confirmed until the Snowden leak). So here’s someone claiming NIST is being suspicious in how the algorithm selection happened. The rules really need to be set in stone at the beginning of the competition or before the phases at least. And you can’t pick diametrically opposed rule sets between phases (as happened if you read Bernstein’s letter), only tweaks.