[cedws]

There was a post recently about suspicion of NIST, specifically from Daniel Bernstein. We also have reason to believe there was funny business around Dual_EC_DRBG.

If NIST really is up to no good on behalf of US intelligence agencies, it's reasonable to believe they'd be doing everything they can to prevent strong post-quantum crypto.

Also, here's an idea I had: let's say you wrapped a plaintext in three different encryption algorithms authored in adversarial countries. Even if you assume all three are backdoored by their creators, you'd have something that could only be unwrapped if the three adversarial countries worked together. Is there anything out there that does this?

[NavinF]

Cascade encryption is pretty common. I remember using 3 ciphers with TrueCrypt in the 2000s. There are some theoretical issues that prevent you from using cipher1(cipher2(x)) though. See https://en.wikipedia.org/wiki/Multiple_encryption#Importance...

In practice post-quantum encryption is always combined with normal encryption so this sorta thing should become even more common in the future.

[nabla9]

GSMK CryptoPhone protocol uses TwoFish-256 and AES-256 in parallel counter mode XOR'ed together.

[twiss]

This post is also by Daniel J. Bernstein, so DJB seems to be the only person with suspicions of NIST. Dual_EC_DRBG was created by the NSA, not NIST (who merely standardized it). NIST also merely standardises Kyber, they didn't create it. So there's no real reason to suspect "funny business" unless you believe the NSA is influencing the Kyber team.

[imjonse]

That would be very inefficient though even if more reassuring.