So I wrote a long-ass rundown of this but it won’t post for some reason (too long)? So TLDR: this is a 17,600-word nothingburger.
DJB is a brilliant, thorough and accomplished cryptographer. He has also spent the past 5 years burning his reputation to the ground, largely by exhaustively arguing for positions that correlate more with his ego than with the truth. Not just this position. It’s been a whole thing.
DJB’s accusation, that NSA is manipulating this process to promote a weaker outcome, is plausible. They might have! It’s a worrisome possibility! The community must be on guard against it! But his argument that it actually happened is rambling, nitpicky and dishonest, and as far as I can tell the other experts in the community do not agree with it.
So yes, take NIST’s recommendation for Kyber with a grain of salt. Use Kyber768 + X448 or whatever instead of just Kyber512. But also take DJB’s accusations with a grain of salt.