by tptacek 654 days ago
NIST didn't design any of the PQC submissions. It did design Dual EC.

NIST didn’t design Dual-EC, NSA did. But NIST did the really hard work, which involved slapping their organization’s name on it, and not asking any inconvenient questions.

Thankfully we found a better way that ensures cryptographic security, which is to get former NSA interns to write the PQC standards, instead of proper NSA employees.

As a shorthand for this site, I'm not distinguishing between the two organizations. Which former NSA interns are you talking about? You can get their names from the pq-crystals.org site. Which one should we not be trusting?
Is it maybe Tancrede Lepoint? He always seemed shady to me. Or Peter Schwabe?
A wonderful question that exposes me to legal action if I answer.

A better question: why do you think so many of your cryptographic feline friendz were so excited about isogenies for the past decade? Where do you think they all obtained that identical enthusiasm from? Why do you think SIKE made it so far in the contest and only got eliminated through luck?

Your theory here is that NSA coordinated an action whereby the PQC standard selected could be broken by anybody in the world with a Python script, based on research disclosed to the public in the 1990s.

I'm guessing this isn't a conversation that's going to take us into Richelot isogenies.

You obviously know that the Python script wasn’t submitted to NIST along with the draft standard.

Is Dual-EC-DRBG fine because we never saw the FVEY Python exploit that breaks it?

I think my theory here is that NSA coordinated an action whereby they figured no one was reading obscure algebraic geometry papers from 1997. In our low-attention-span world, it’s not the worst plan.

(Hell, folks didn’t realize TAOSSA contained 0day for a long time. Simply putting something in front of the public doesn’t mean they’ll read or comprehend it.)

It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to everybody in the world. It's a theory that depends on NSA just wanting to watch the world burn.

Dual EC isn't broken by an exploit script. It's broken with a secret key.

I don't know if I count as a "feline friend", but: SIDH kept the DH shape. Being able to upgrade the protocols we had relatively closely is appealing. "Structure is useful but seems precarious" wasn't exactly secret knowledge.
Of the SCW hosts, I'm actually the NSA plant. You got me.
What people on these threads aren't prepared to grok is that cryptography engineers (even the older ones) are gothy af, and the isogeny graph diagrams all looked like black magic stuff out of the Lesser Key of Solomon. Sorry, there isn't more to it than that.