undefined | Better HN

0 pointsoconnore3y ago0 comments

If NIST feels the need to hedge their bets, why are they publishing at all? The whole point of these recommendations is so that I, a non-expert, don't have to reason about cryptographic bets.

0 comments

kickling3y ago

Well, most modern cryptography is based on assumptions that can not be proven, so having different standards based on different assumptions is probably the only way to safeguard against if one of the assumptions would be proven false in the future.

bawolff3y ago

To nitpick, afaik, its not that they cannot be proven, its that they have not been, and look very hard to prove, which is slightly different (not my area of expertise, but i assume this would be tied to p vs np)

adastra223y ago

I it not tied to P vs NP as far as I’m aware. But it is the same sort of situation: number theory assumptions that are completely unproven despite many attempts.

2 more replies

oconnoreOP3y ago

Maybe it safeguards them from looking like they've screwed this up, but in terms of providing a concrete recommendation to system implementers, how does this safeguard anything? How does offering multiple algorithms in the PQC category help me make systems safer? What am I actually supposed to do here (how do I reflect this hedge in a system design)?

They didn't feel the need to provide multiple recommendations during the AES, or the SHA-3 process, even though Rijndael and Keccak used different constructions relative to RC6/TwoFish and SHA-2/Blake2. Why now?

gdavisson3y ago

The recommendations look clear to me: you should use CRYSTALS-Dilithium (unless you need smaller signatures, in which case use FALCON), but you should also be prepared to switch to SPHINCS+ on short notice if someone breaks CRYSTALS-Dilithium (or structured lattices in general).

So best practice would seem to be to implement both CRYSTALS-Dilithium and SPHINCS+, set CRYSTALS-Dilithium as the default, and provide a switch (config setting, whatever) to switch to SPHINCS+. If you have long-term keys, you should have both forms set up & ready to use.

bawolff3y ago

> They didn't feel the need to provide multiple recommendations during the AES, or the SHA-3 process, even though Rijndael and Keccak used different constructions relative to RC6/TwoFish and SHA-2/Blake2. Why now?

SHA-3 was explicitly alternative reccomendation. The entire point was to come up with something that was not based on sha-2, because they were worried that the attacks on md5/sha1 could be extended to sha2 (which didn't really happen the way people were worried about). Even to this day, general advice is not to use sha3.

Less clear cut for aes, but at time of standardization (and even now afaik), triple des was considered secure, so its not like there wasn't a secure alternative.

These standards arent meant as implementation guides. You still need cryptography knowledge to securely use them.

bawolff3y ago

Life's hard and the world is uncertain. If NIST could make an algorithm that they could prove was 100% safe with no possibility of future cryptoanalytical breakthroughs, i am sure they would, but that is beyond current state of the art.

Beldin3y ago

You mean like a one-time pad? I'm sure the folks at NIST know about it; it is completely unbreakable and had been around for a while. Use is not really practical though, so typically reserved for very specific use cases.

upofadown3y ago

One time pads fall into the symmetrical encryption category. There is no huge issue with symmetrical encryption with respect to the possibility someone might invent a quantum computer. The things people are working on for a post quantum world and NIST is attempting to standardize are in the asymmetrical encryption category.

bawolff3y ago

This is a silly nitpick. I think its pretty well understood from context i meant a practical quantum safe key agreement algorithm. One time pad cannot be used for that purpose at all, let alone practically.

adastra223y ago

Non-cryptographers should not be implementing NIST standards. You should be using higher level APIs written by cryptographers which do employ NIST standards in the details.

astrange3y ago

Implementing them for fun might turn you into a cryptographer, though, especially (or only?) if you manage to find everything you get wrong.

oconnoreOP3y ago

If you're including cryptography in a system design, you are almost certainly relying on NIST standards to select algorithms.

runjake3y ago

They aren't publishing until 2024 at the earliest. This is just a head's up that they will be publishing in the future.

Presumably, they'll have a better idea by then.

Spooky233y ago

Perhaps they want industry to start working on software or hardware to leverage these algorithms?

Cryptography is driven by defense applications. For all us civilian types know, these algorithms have been around for 30 years.

j / k navigate · click thread line to collapse

0 comments

kickling3y ago

bawolff3y ago

adastra223y ago

I it not tied to P vs NP as far as I’m aware. But it is the same sort of situation: number theory assumptions that are completely unproven despite many attempts.

2 more replies

oconnoreOP3y ago

gdavisson3y ago

bawolff3y ago

Less clear cut for aes, but at time of standardization (and even now afaik), triple des was considered secure, so its not like there wasn't a secure alternative.

These standards arent meant as implementation guides. You still need cryptography knowledge to securely use them.

bawolff3y ago

Beldin3y ago

upofadown3y ago

bawolff3y ago

adastra223y ago

Non-cryptographers should not be implementing NIST standards. You should be using higher level APIs written by cryptographers which do employ NIST standards in the details.

astrange3y ago

Implementing them for fun might turn you into a cryptographer, though, especially (or only?) if you manage to find everything you get wrong.

oconnoreOP3y ago

If you're including cryptography in a system design, you are almost certainly relying on NIST standards to select algorithms.

runjake3y ago

They aren't publishing until 2024 at the earliest. This is just a head's up that they will be publishing in the future.

Presumably, they'll have a better idea by then.

Spooky233y ago

Perhaps they want industry to start working on software or hardware to leverage these algorithms?

Cryptography is driven by defense applications. For all us civilian types know, these algorithms have been around for 30 years.

j / k navigate · click thread line to collapse