The microblog: 2022.08.06 11:45:39

2022.08.06 11:45:39 (1555852593825386496) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1554578344611569664):

I already mentioned the possibility of having the secret generated by (say) ANSSI. The spec could easily have required new secrets; probably this would have evolved to MPC. Would a "you're hiding an attack!" accusation deter you from adding a potentially useful extra defense?


2022.08.02 12:03:14 (1554407468456783872) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1554398632505483265):

No, it's not theoretical. As I said in the first message, you had the option of following a different path (ahem), generating the standard A at random by applying and then throwing away a secret isogeny. What's interesting about this is that then SIKE wouldn't (yet?) be broken.

2022.08.02 12:13:44 (1554410112252387328) from Daniel J. Bernstein:

In other words, if current attacks are the end of the story, then pushing for elimination of back doors created a SIKE weakness that could have been avoided otherwise. Now think about this situation from the perspective of attackers who secretly knew the weakness from the outset.

2022.08.02 23:18:54 (1554577502911201281) from "Luca De Feo (@luca_defeo)":

So, "avoided otherwise" actually means "by trusting the SIKE developers to generate toxic waste and actually throw it away"? I don't know in which world this would be preferable to an NSA backdoor. We thought about it exactly 5 minutes, and said: Naahhh!

2022.08.02 23:22:14 (1554578344611569664) from "Luca De Feo (@luca_defeo)", replying to "Luca De Feo (@luca_defeo)" (1554577502911201281):

Imagine the current situation had we done it: no one would trust us to have really thrown away the toxic waste, everyone would be accusing us of having been aware of the attack from the outset, and any single agency in the world would be raiding our homes right now.