[tptacek]

Dual EC was not the product of a contest. The NIST PQC algorithms are all designed by academic cryptographers, many of them not US nationals.

[natch]

And chosen by NIST…

[tptacek]

And? Finish that thought.

[natch]

You are tptacek; I believe you know exactly what I meant. But to indulge you, do you think we can know that the selection process is not comprised?

[tptacek]

Explain what the compromised selection process does here. NIST doesn't control the submissions.

[immibis]

Seems pretty obvious no?

1. Pretend to be someone else and enter a backdoored algorithm. Or pressure someone to enter a backdoored algorithm for you. Or just give them the algorithm for the reward of being the winner.

2. Be NIST, and choose that algorithm.

[tptacek]

You think someone is going to pretend to be Chris Peikert and submit a backdoored construction as him, and that's going to work?

This is the problem with all these modern NIST contest theories. They're not even movie plots. Your last bit, about them paying someone like Peikert off, isn't even coherent; they could do that with or without the contest.

[natch]

Your question presupposes a claim that the selection process is compromised. I'm not saying it is. I just wonder how we know it's not.

In NIST's position one could analyze the submissions for vulnerabilities to closely held (non-public) attacks, then select submissions having those vulnerabilities.