The microblog: 2022.09.03 13:22:00

2022.09.03 13:22:00 (1566023701727875072) from Daniel J. Bernstein:

Last year I had a paper rejected on a non-isogeny-based proposal (not announced yet; have been prioritizing other things) for non-interactive post-quantum key exchange. Here are some review quotes illustrating how incompetent the cryptographic community is at risk management.

2022.09.03 13:22:02 (1566023709999054848) from Daniel J. Bernstein:

"Jao and Urbanik in Mathcrypt 2019 proposed a post-quantum NIKE based on SIDH" allegedly much faster than this new proposal X. "And when it comes to NIKE, it seems vanishingly unlikely that ... attacks against isogenies will improve to the point where they become slower" than X.

2022.09.03 13:22:04 (1566023718345748480) from Daniel J. Bernstein:

"Vanishingly unlikely"? A year later, almost the entire mountain, or maybe I should say volcano, of SIDH/SIKE proposals has exploded into ashes. CRS/CSIDH is qualitatively different and still doing fine, but would it really be _that_ surprising if there's a devastating attack?

2022.09.03 13:22:06 (1566023726667206656) from Daniel J. Bernstein:

"Cryptographers and practitioners care about performance, and not just a little, we care a whole lot": Indeed, to the extent of advocating focusing _all_ efforts on the most efficient proposals, which experience shows is _not_ the same as minimizing risk within the user's budget.

2022.09.03 13:22:07 (1566023733315129344) from Daniel J. Bernstein:

Here's the really disturbing part to contemplate. Is this actually incompetence? Or has the cryptographic community spent decades optimizing its practices to create frequent failures, which it then points to in its requests for funding? See Section 3.8 of