2022.06.30 03:47:31 (1542323916458192896) from Daniel J. Bernstein:
We're now up to a solid half year of delay in post-quantum standardization, apparently because NIST picked a new design in the middle of a patent minefield and was somehow confident it could instantly buy its way out of the minefield. Half a year of data given away to attackers.
2022.06.30 03:55:31 (1542325929095049216) from Daniel J. Bernstein:
No, this isn't extra time taken for security review of submissions. NIST has repeatedly said it made its decisions long ago. Public cryptanalysts, not wanting to waste time, have a strong incentive to work on other topics until NIST reveals which submissions have been selected.
2022.06.30 04:08:59 (1542329321028628480) from Daniel J. Bernstein:
At this point it's totally unclear what methodology, if any, NIST used to assess security risks in making its decisions. Could the differences in risks outweigh the now-guaranteed security failure of giving away half a year of user data? Did NIST's analysis include patent risks?
2022.06.30 04:17:35 (1542331482483462144) from Daniel J. Bernstein:
NIST discouraged public patent analysis; was forced by rules to post IP statements but promptly undermined this by saying round 1 should analyze only "technical merits". And post-round 1: "we hope everyone will focus on the technical issues, rather than on the patents right now".
2022.06.30 04:26:03 (1542333613055717377) from Daniel J. Bernstein:
Outright lie from NIST in October 2021: "For example, as Chris noted, we have not been discouraging public discussion on patent issues that may be relevant to the PQC standardization process." This was after pressure built enough that NIST had to pretend it was on top of patents.
2022.06.30 04:37:47 (1542336568496513026) from Daniel J. Bernstein:
I sounded the alarm about post-quantum patents in 2018. NIST should have _encouraged_ public analysis of patents from the outset as an important component of decisions, instead of trying to quietly deal with patents as an afterthought to a holier-than-thou "technical" process.
2022.06.30 04:57:03 (1542341417590149120) from Daniel J. Bernstein:
I hope we'll hear soon what the selections are, and that the buyouts have succeeded, and that the buyouts cover all the patents that matter. But this won't retroactively fix the past half year of delay, and the corresponding half year of user data that we've failed to protect.