2021.06.10 21:41:49 (1403074946637570049) from Daniel J. Bernstein, replying to "Paul Crowley (@ciphergoth)" (1402994824635056143):
Random example: NIST IR 7977 clearly states that, for a NIST "competition", winners relinquish intellectual property rights so that the winner can be used royalty-free. NISTPQC is _not_ called a "competition" and did _not_ require this. _Some_ NISTPQC submitters did it anyway.
2021.06.10 21:49:40 (1403076919625539584) from Daniel J. Bernstein:
Many cryptanalysts were already putting a lot of time into analyzing candidates, including patented candidates, during the half year before NIST posted patent statements. That's valuable public time burned because NIST didn't want to be subjected to the rules for a "competition".
2021.06.10 21:53:59 (1403078006801793026) from Daniel J. Bernstein:
Even after NIST posted the statements, think about the choice facing cryptanalysts: if everyone stops studying security of the patented algorithm, maybe NIST says "Wow, looks solid, let's standardize it" even if it's horrifyingly easy to break. Clear danger to the public.
2021.06.10 22:08:55 (1403081764906496000) from Daniel J. Bernstein:
A rule of having only one winner doesn't matter, since two winners can comply with the rule by simply merging; we've seen some mergers already in NISTPQC. Rules about patents and transparency _do_ matter, and NIST doesn't want to follow them; so NISTPQC isn't a "competition".
2021.06.10 14:25:46 (1402965208969015297) from Daniel J. Bernstein:
NIST's Dual EC post-mortem https://www.nist.gov/system/files/documents/2017/05/09/VCAT-Report-on-NIST-Cryptographic-Standards-and-Guidelines-Process.pdf stated various transparency principles. It has been clear for a year that NIST isn't following those principles. Somehow I didn't realize until now that this is also why NIST refuses to formally label #NISTPQC as a "competition".
2021.06.10 14:30:43 (1402966453909819396) from Daniel J. Bernstein:
Running a "competition", as strongly recommended in the post-mortem, would _force_ NIST to follow various procedural rules, including general due-process rules and NIST's own declarations of how a "competition" works. So NIST repeatedly insists that NISTPQC isn't a "competition".
2021.06.10 14:36:31 (1402967915918336004) from Daniel J. Bernstein:
Of course it _is_ a competition, and NIST people keep slipping up and calling it a competition and saying whoops-we're-not-allowed-to-call-it-that, and everybody laughs. There's also a cover story claiming, falsely, that a "competition" isn't allowed to select multiple outputs.
2021.06.10 16:23:27 (1402994824635056143) from "Paul Crowley (@ciphergoth)":
What's an example of a "competition" rule they are not following?