No, and that wasn't the case under prior administrations either. Remember Dual_EC_DRBG[0]?
NIST is an untrustworthy government agency that occasionally produces useful encryption standards. The answer to "should we use a NIST standard" is to look at what the wider academic cryptography community is talking about. Dual_EC_DRBG was complained about immediately (for various strange statistical properties that made it impractical) and people found the ability to hide a backdoor in Dual_EC_DRBG in 2004.
If anything, the biggest issue is that the security experts pointing out the obvious and glaring flaws with NIST standards don't get listened to enough.
[0] A random number generator standard designed specifically with a back door that only the creator of its curve constants could make use of or even prove had been inserted. It was pushed by NIST during the Bush Jr. administration.
I recommend this video by Computerphile - He talks about how NIST may have been pressured into enforcing compromised (backdoored?) cryptography methods as a standard - Dual_EC_DRBG to be exact. He also gives a super cool/intuitive breakdown on how this came to be. It will definitely grow some food for thought.
Small summary, courtesy of Wikipedia which makes a stronger claim than "may have been pressured":
> In September 2013, both The Guardian and The New York Times reported that NIST allowed the National Security Agency (NSA) to insert a cryptographically secure pseudorandom number generator called Dual EC DRBG into NIST standard SP 800-90 that had a kleptographic backdoor that the NSA can use to covertly predict the future outputs of this pseudorandom number generator. [...] the NSA worked covertly to get its own version of SP 800-90 approved for worldwide use in 2006. The whistle-blowing document states that "eventually, NSA became the sole editor".
if it's any consolation, decisions like these (normally) have a very long lead time measured in years. now, these are not normal times, but even so I'd be more concerned about NIST decisions coming out nearer to the end of this administration rather than just now at the beginning.
Not to defend the practice, but the layoffs have been for employees with 0-3 years in role, which probably does not include the people selecting post-quantum encryption algorithms.
Perhaps, but what surprised the DOGE folks is that “in role” included some people who were recently promoted or had changed teams.. so many of the laid off employees were actually long-time employees with a ton of institutional knowledge. Perhaps they would have learned as much if they had done literally any due diligence to understand the departments they were tasked with organizing, but I guess we’ll never know.
Claiming loyalty is a litmus test for layoffs is a bit incendiary and a needless introduction of a strongly biased view of politics into the conversation. No doubt for leadership levels an active disinterest in helping enable open inquiry into the state of things would be fireable, but calling this a loyalty test is a strong spin. One that’s been normalized lately to be sure, but there’s no need to further it.
I’d be more concerned with whether NIST colludes with the NSA to approve algorithms they could crack.
That's the thing about politics... they touch everything. There's a popular youtuber that I like, he's got a funny saying "You might not fuck with politics, but politics will fuck with you!" Fits well here.
You might wanna ignore politics when talking about something that should be pure math, but now that we're talking about why crypto is going to be the standards that all commercial software must support. Suddenly we now need to consider how confident we are in something. And really, that's all crypto boils down to is confidence in the difficulty of some maths. Was this recommended (soon mandated) with more or less care then the other options? How would we be able to tell. Is NIST likely to remake their previous unethical mistakes?
> i doubt the Trump admin has strongly vested interest in which post-quantum scheme is selected
That's not the argument being made, you're using that as a strawman to distract from the actual position, which is that indiscriminate layoffs (which is what DOGE is doing) reduce institutional competence and increase the likelihood that whatever scheme is selected is not fit for purpose. Address that argument, not the one you've invented in your head.
kmeisthax|11 months ago
NIST is an untrustworthy government agency that occasionally produces useful encryption standards. The answer to "should we use a NIST standard" is to look at what the wider academic cryptography community is talking about. Dual_EC_DRBG was complained about immediately (for various strange statistical properties that made it impractical) and people found the ability to hide a backdoor in Dual_EC_DRBG in 2004.
If anything, the biggest issue is that the security experts pointing out the obvious and glaring flaws with NIST standards don't get listened to enough.
[0] A random number generator standard designed specifically with a back door that only the creator of its curve constants could make use of or even prove had been inserted. It was pushed by NIST during the Bush Jr. administration.
qzx_pierri|11 months ago
https://www.youtube.com/watch?v=nybVFJVXbww
diggan|11 months ago
> In September 2013, both The Guardian and The New York Times reported that NIST allowed the National Security Agency (NSA) to insert a cryptographically secure pseudorandom number generator called Dual EC DRBG into NIST standard SP 800-90 that had a kleptographic backdoor that the NSA can use to covertly predict the future outputs of this pseudorandom number generator. [...] the NSA worked covertly to get its own version of SP 800-90 approved for worldwide use in 2006. The whistle-blowing document states that "eventually, NSA became the sole editor".
https://en.wikipedia.org/wiki/National_Institute_of_Standard...
tptacek|11 months ago
affinepplan|11 months ago
dylan604|11 months ago
dialup_sounds|11 months ago
mikeyouse|11 months ago
nartho|11 months ago
doikor|11 months ago
natch|11 months ago
I’d be more concerned with whether NIST colludes with the NSA to approve algorithms they could crack.
krunck|11 months ago
It's more than a concern that the US government will select algorithms that their top spook agency can crack. One must assume it is the case.
ZiiS|11 months ago
unknown|11 months ago
[deleted]
grayhatter|11 months ago
rdtsc|11 months ago
garbageman|11 months ago
jedisct1|11 months ago
whimsicalism|11 months ago
e: and yes, i am aware of the history around nist and crypto
grayhatter|11 months ago
That's the thing about politics... they touch everything. There's a popular youtuber that I like, he's got a funny saying "You might not fuck with politics, but politics will fuck with you!" Fits well here.
You might wanna ignore politics when talking about something that should be pure math, but now that we're talking about why crypto is going to be the standards that all commercial software must support. Suddenly we now need to consider how confident we are in something. And really, that's all crypto boils down to is confidence in the difficulty of some maths. Was this recommended (soon mandated) with more or less care then the other options? How would we be able to tell. Is NIST likely to remake their previous unethical mistakes?
Analemma_|11 months ago
That's not the argument being made, you're using that as a strawman to distract from the actual position, which is that indiscriminate layoffs (which is what DOGE is doing) reduce institutional competence and increase the likelihood that whatever scheme is selected is not fit for purpose. Address that argument, not the one you've invented in your head.
kewho|11 months ago
[deleted]
123yawaworht456|11 months ago
[deleted]