Re: [Cfrg] On "non-NIST"

Peter Gutmann, Sat, 28 February 2015 08:59 UTC

From: Peter Gutmann
To: Crypto Forum Research Group (Cfrg)
Date: Sat, 28 Feb 2015 08:59:42 +0000

Paul Hoffman writes:

>The term "non-NIST" is predictive, and the crypto community kinda sucks at
>predictions. We have no idea what NIST will do in the future if a bunch of
>IETF WGs adopt specific elliptic curves that are not P256/P384.

Why is NIST seen as the ultimate arbiter of what's appropriate, though?  Look
at what's happened with SHA-3: if you look at what independent standards
efforts are going with, it's pretty much anything but Keccak (Blake2 seems to
be the most popular at the moment).

So while NIST's idea of the next hash standard may be Keccak, the industry's
one looks like being Blake2, or at least not Keccak.  It's a variation of the
old "what if they had a war and no-one came": if NIST declares the standard to
be X and no-one wants it, then that's perfectly OK; the usual suspects who are
in it for the USG handouts will do X (Suite B, anyone?) and everyone else can
ignore it and use the better alternative.