Is it absolutely necessary to help NIST here? Can't the IETF come up with its own standards and leave it at that? The U.S. government is free to adopt the same standards later on (just like all the other governments) or create its own broken ones, I don't really care about that. The NSA isn't going to use whatever NIST ends up adopting anyway. It's going to use its own crypto for classified stuff.
I'd rather not risk another Dual_EC fiasco with everyone trusting NIST to do the right thing, and then it doesn't. They almost messed up SHA3, too, if it wasn't for vocal opposition from the community. They've proven to be untrustworthy a few too many times.
Dual_EC_DRBG was first standardized through ANSI and ISO, and only later adopted as a FIPS standard through a process completely different than the AES and SHA-3 competitions.
I don't think there was any serious criticism of early SHA-3 proposals. The properties of Keccak's sponge construction gave them legitimate reasons to reassess some of the original criteria. And the proposals were actually drafted with the cooperation and approval of the Keccak authors'. See the authors' reply to the original criticisms here:
http://keccak.noekeon.org/yes_this_is_keccak.html
NIST brings money to the table, both for conferences and for employing reviewers in addition to the friendly and competitive peer review. And more importantly a NIST competition has the potential to be more inclusive than typical standards committees. IETF, not to mention ANSI and ISO, working groups tend to either become captured by industry special interests, or devolve into little cliques of not particularly diverse (in experience) experts[1]. And that's when they're working well. When they don't work well they degenerate into a stalemate, and either fail completely or acquiesce to horrid compromises in attempts to reach consensus.
An open and transparent NIST competition has the potential to offer the best possible outcome by attracting more, and more diverse, participants. And if a rough consensus isn't easily reached, NIST at least can produce a decent standard that doesn't include the kitchen sink. And if it sucks? It can just be ignored. Doubtless there will be plenty of alternatives coming out of the IETF to choose from, NIST or no NIST.
[1] Note that those characterizations are not necessarily negative. Special interests and little cliques have a much easier time reaching consensus, partly because those are often the same people writing the implementations and naturally have fewer degrees of freedom if they want to maintain their investment in their existing software. And there's never any scarcity of standards being published by working groups in those organizations, so failure is less costly and the cream will tend to rise to the top over time. For something like post-quantum crypto, IETF, ANSI, ISO, and similar organizations are really not a particularly good fit.
2 comments
[ 3.6 ms ] story [ 15.1 ms ] threadI'd rather not risk another Dual_EC fiasco with everyone trusting NIST to do the right thing, and then it doesn't. They almost messed up SHA3, too, if it wasn't for vocal opposition from the community. They've proven to be untrustworthy a few too many times.
I don't think there was any serious criticism of early SHA-3 proposals. The properties of Keccak's sponge construction gave them legitimate reasons to reassess some of the original criteria. And the proposals were actually drafted with the cooperation and approval of the Keccak authors'. See the authors' reply to the original criticisms here:
NIST brings money to the table, both for conferences and for employing reviewers in addition to the friendly and competitive peer review. And more importantly a NIST competition has the potential to be more inclusive than typical standards committees. IETF, not to mention ANSI and ISO, working groups tend to either become captured by industry special interests, or devolve into little cliques of not particularly diverse (in experience) experts[1]. And that's when they're working well. When they don't work well they degenerate into a stalemate, and either fail completely or acquiesce to horrid compromises in attempts to reach consensus.An open and transparent NIST competition has the potential to offer the best possible outcome by attracting more, and more diverse, participants. And if a rough consensus isn't easily reached, NIST at least can produce a decent standard that doesn't include the kitchen sink. And if it sucks? It can just be ignored. Doubtless there will be plenty of alternatives coming out of the IETF to choose from, NIST or no NIST.
[1] Note that those characterizations are not necessarily negative. Special interests and little cliques have a much easier time reaching consensus, partly because those are often the same people writing the implementations and naturally have fewer degrees of freedom if they want to maintain their investment in their existing software. And there's never any scarcity of standards being published by working groups in those organizations, so failure is less costly and the cream will tend to rise to the top over time. For something like post-quantum crypto, IETF, ANSI, ISO, and similar organizations are really not a particularly good fit.