Cryptology ePrint Archive: Report 2020/1370

A discretization attack

Daniel J. Bernstein

Abstract: This paper presents an attack against common procedures for comparing the size-security tradeoffs of proposed cryptosystems. The attack begins with size-security tradeoff data, and then manipulates the presentation of the data in a way that favors a proposal selected by the attacker, while maintaining plausible deniability for the attacker.

As concrete examples, this paper shows two manipulated comparisons of size-security tradeoffs of lattice-based encryption proposals submitted to the NIST Post-Quantum Cryptography Standardization Project. One of these manipulated comparisons appears to match public claims made by NIST, while the other does not, and the underlying facts do not. This raises the question of whether NIST has been subjected to this attack.

This paper also considers a weak defense and a strong defense that can be applied by standards-development organizations and by other people comparing cryptographic algorithms. The weak defense does not protect the integrity of comparisons, although it does force this type of attack to begin early. The strong defense stops this attack.

Category / Keywords: applications / back doors, NSA, NIST, NISTPQC, category theory

Date: received 30 Oct 2020

Contact author: authorcontact-categories at box cr yp to

Available format(s): PDF | BibTeX Citation

Version: 20201102:104246 (All versions of this report)

Short URL: ia.cr/2020/1370


[ Cryptology ePrint archive ]