2021.06.11 00:56:56 (1403124049459355650) from Daniel J. Bernstein, replying to "Paul Crowley (@ciphergoth)" (1403112957689667585):
The same Dual EC post-mortem is a good source re transparency of crypto standardization. Several of the transparency principles are quoted in Section 5.1 of https://cr.yp.to/papers.html#categories, and the rest of the section covers several examples of NIST's lack of transparency in #NISTPQC.
2021.06.10 21:49:40 (1403076919625539584) from Daniel J. Bernstein:
Many cryptanalysts were already putting a lot of time into analyzing candidates, including patented candidates, during the half year before NIST posted patent statements. That's valuable public time burned because NIST didn't want to be subjected to the rules for a "competition".
2021.06.10 21:53:59 (1403078006801793026) from Daniel J. Bernstein:
Even after NIST posted the statements, think about the choice facing cryptanalysts: if everyone stops studying security of the patented algorithm, maybe NIST says "Wow, looks solid, let's standardize it" even if it's horrifyingly easy to break. Clear danger to the public.
2021.06.10 22:08:55 (1403081764906496000) from Daniel J. Bernstein:
A rule of having only one winner doesn't matter, since two winners can comply with the rule by simply merging; we've seen some mergers already in NISTPQC. Rules about patents and transparency _do_ matter, and NIST doesn't want to follow them; so NISTPQC isn't a "competition".
2021.06.11 00:12:52 (1403112957689667585) from "Paul Crowley (@ciphergoth)":
I 100% agree that this is very bad. Say something about the transparency rules?