ASecuritySite: When Bob Met Alice

This publication brings together interesting articles related to cyber security.


DES, AES, SHA-3, LWC and PQC: Are Cryptography Competitions a Good Idea?


We are so lucky to have Daniel J Bernstein coming along for a chat [here], and he has a great new paper on cryptographic competitions for the new Journal of Cryptography [here]:

Overall, Daniel argues that NIST competitions have generally reduced security for the sake of improved performance.

He argues that competitions have generally been good at defining cryptographic algorithms, but outlines how, in some cases, security has actually been reduced. Daniel also points out that, in response to the backdoor found in Dual EC DRBG, NIST was advised to use open competitions:

The CoV individual reports point out several shortcomings and procedural weaknesses that led to the inclusion of the Dual EC DRBG algorithm in SP 800-90 and propose several steps to remedy them. …

The VCAT strongly encourages standard development through open competitions, where appropriate. — “NIST Cryptographic Standards and Guidelines Development Process: Report and Recommendations of the Visiting Committee on Advanced Technology of the National Institute of Standards and Technology” [133], 2014

The main NIST competitions go back to 1974 with DES:

But DES actually had an exploitable key size and an exploitable block size. With AES, many implementations use lookup tables indexed by secret values (“S-table” or “T-table” lookups), and these tables were vulnerable to timing attacks. With SHA-3, the competition was found to have aimed for a level of preimage security that was of no practical use.
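As an added illustration of the AES table-lookup point (example code written for this page, not from Daniel's paper or the post), here the AES S-box is computed at first use and then read two ways: a direct lookup indexed by a secret-derived byte, whose memory access pattern is what a timing attack observes, and a constant-time scan that reads every entry and selects the result with a mask.

```c
#include <stdint.h>

/* Added example: the AES S-box, built at first use. Leaky access indexes the
   table by a secret-derived byte, so the address (and cache line) touched depends
   on the secret. Constant-time access loads every entry and selects with a mask. */
static uint8_t sbox[256];
static int sbox_ready = 0;

static uint8_t gf_mul(uint8_t a, uint8_t b) {   /* multiply in GF(2^8), AES polynomial */
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

static void sbox_init(void) {                   /* inverse in GF(2^8), then affine map */
    for (int i = 0; i < 256; i++) {
        uint8_t inv = 1;
        for (int k = 0; k < 254; k++) inv = gf_mul(inv, (uint8_t)i); /* a^254 = a^-1, 0 -> 0 */
        uint8_t s = 0x63;
        for (int k = 0; k < 5; k++) s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
        sbox[i] = s;
    }
    sbox_ready = 1;
}

/* Leaky: a single load at a secret-dependent address (the pattern the text warns about). */
uint8_t sbox_lookup_leaky(uint8_t x) {
    if (!sbox_ready) sbox_init();               /* branch on a public flag, not on x */
    return sbox[x];
}

/* Constant-time: every entry is loaded regardless of x; the mask keeps only the match. */
uint8_t sbox_lookup_ct(uint8_t x) {
    if (!sbox_ready) sbox_init();
    uint8_t out = 0;
    for (int i = 0; i < 256; i++) {
        uint32_t diff = (uint32_t)((uint8_t)i ^ x);
        uint8_t mask = (uint8_t)((diff - 1) >> 24);  /* 0xff iff diff == 0, no branch */
        out |= (uint8_t)(sbox[i] & mask);
    }
    return out;
}
```

The masked scan costs 256 loads per byte instead of one, which is exactly the performance-versus-security trade-off the post is about.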

DES

DES was defined as a standard in 1976, but at an NBS workshop held before it was standardised, Diffie and Hellman outlined a modification that would improve the DES key schedule and thus create a longer encryption key. This was rejected by representatives of Collins Radio and Motorola, who said that DES was “close to the maximum that could be implemented on a chip with present technology”.

Published in ASecuritySite: When Bob Met Alice
Written by Prof Bill Buchanan OBE FRSE