Hacker News new | ask | show | jobs
by philodeon 654 days ago
You obviously know that the Python script wasn’t submitted to NIST along with the draft standard.

Is Dual-EC-DRBG fine because we never saw the FVEY Python exploit that breaks it?

I think my theory here is that NSA coordinated an action whereby they figured no one was reading obscure algebraic geometry papers from 1997. In our low-attention-span world, it’s not the worst plan.

(Hell, folks didn’t realize TAOSSA contained 0day for a long time. Simply putting something in front of the public doesn’t mean they’ll read or comprehend it.)
1 comments
tptacek 654 days ago
It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to everybody in the world. It's a theory that depends on NSA just wanting to watch the world burn.

Dual EC isn't broken by an exploit script. It's broken with a secret key.

link
philodeon 654 days ago
> It is literally the worst plan, because it leaves every PQC-protected system in the world exposed to _everybody in the world_.

No, it leaves every SIKE-protected system in the world exposed to _everybody who reads obscure algebraic geometry papers from 1997._ We got really lucky that the two dorks who do read those papers decided to share their insights.

For all you know, there’s a paper sitting at the Institute For Advanced Study that would let you write a marvelous pq-crystals-shattering Python script, but they’ll never tell you the combination to the safe.

(Again: TAOSSA contained 0day exploits, and few noticed for a decade.)

link
tptacek 654 days ago
You seem to believe the only thing preventing people from exploiting Dual EC is not having read the right cryptography papers. No; the reason why that's not the case is plainly evident from Dual EC's structure (if that were true, the NSA would presumably have no need of Dual EC!). Our premises are too far apart to usefully discuss this.
link
vlovich123 653 days ago
I thought PQC systems were wrapping classical encryption within the PQC protection so even if you broke PQC you'd still be left having to crack classical. Of course some hypothetical future QC could then accomplish this task so the future proofing goal of PQC would be violated.
link
zahllos 652 days ago
The proposal is to do exactly this (hybrid schemes using a pre and a post quantum scheme).

However in this context the debate is just over the PQ scheme (not the overall system). Also, NSA are not planning to mandate a hybrid system for government use. Others may do the same.

link