NSA-NIST-PQC FOIA highlights

These are a few examples of information revealed so far by the results of the ongoing NSA-NIST-PQC FOIA lawsuits. Each example also provides previously public context for the information.

NIST's goal is not security. Public context first: In 2013, the Snowden documents revealed that NSA had a quarter-billion-dollar-a-year budget to "influence" information technology to make it "exploitable through SIGINT collection ... To the consumer and other adversaries, however, the systems' security remains intact." NSA's targets of "influence" included "policies, standards and specification for commercial public key technologies". News stories pointed to an existing NIST standard as an example of successful NSA sabotage. NIST then withdrew that standard, held a big public post-mortem regarding that standard, and promised to improve its processes.

The FOIA results show NIST secretly describing the goal of this post-mortem as reputation management: "Managed the PR and Reputational issues raised with “Snowden” allegations of NIST corrupting standards and its work. Rebuilt international trust in NIST encryption processes and faith in NISTs ability to adhere to our core values. This required working with a special VCAT subcommittee, open publishing of all related work items, responding to multiple FOIAs, re-setting MOUs and interactions with the NSA and active discussions with standards bodies and international partners."

NIST deliberately violated its promises of transparency. NIST announced a Post-Quantum Cryptography Standardization Project in 2016. NIST repeatedly promised and claimed transparency for this project (for example: "We operate transparently. We've shown all our work"). The FOIA results show that NIST actually kept a wide range of project documents secret, often marking the documents "Not for public distribution".

NIST's Post Quantum Cryptography Team was mostly NSA. The FOIA results show that what NIST publicly labeled as the "Post Quantum Cryptography Team, National Institute of Standards and Technology (NIST), pqc@nist.gov" actually had more NSA members than NIST members. The secret NSA members of the pqc@nist.gov team were Bradley C. Lackey, Daniel Kirkwood, David Hubbard, David Tuller, Jerry Solinas, John McVey, Laurie Law, Mark Motley, Nick Gajcowski, Scott Simon, and later Rich Davis.

NSA had frequent secret meetings with NIST about post-quantum cryptography. NIST admitted in 2020 that NSA was involved in the project, but portrayed NSA's involvement as merely "review of our report" producing "minor editorial feedback". NIST claimed that its decisions were based purely on public information, with no NSA influence.

The FOIA results show that there was a torrent of secret input from NSA to NIST regarding post-quantum cryptography, including frequent secret meetings between NSA and NIST on the topic. Some examples from 2016: NSA's Scott Simon was scheduled to secretly visit NIST on 12 January 2016. NIST's next secret meeting with "the NSA PQC folks" was scheduled for 26 January 2016. NIST's Dustin Moody secretly wrote that he "appreciated the feedback" from NIST's "NSA friends", as "they gave us a perspective I think we were lacking".

NSA's secret input to NIST specifically promoted lattice submissions. The NIST project collected public submissions in 2017. Advances in public attacks then reduced the security level of most submissions, including every lattice submission, despite a few public sources having hyped the supposed security of lattices. NIST downplayed the advances and the future risks, for example publicly describing lattice problems in 2020 as "among the most studied and analyzed cryptographic problems in existence today". The FOIA results show a secret document from NSA to NIST in February 2018 praising lattices as supposedly "well-studied cryptographic primitives" with "a long history of analysis for a significant number of schemes" where "the security profile of the underlying cryptographic primitive for many of these designs is well understood".

NSA's secret input to NIST specifically promoted Kyber. When NIST disqualified NewHope in favor of Kyber, half of its official text regarding NewHope was an erroneous mathematical argument that "In a technical sense, the security of NewHope is never better than that of KYBER". The FOIA results show that the text "In a technical sense, the security is never better than Kyber" was secretly provided by NSA's Morgan Stern to NIST. The text received only superficial review from NIST before it ended up in NIST's report.

NIST bit off more than it could chew. The FOIA results show that the errors in NIST's public reports were only the tip of the iceberg. NIST thought that the Google-Cloudflare CECPQ2 experiment used Kyber rather than NTRU, thought that post-quantum IKE can't work without fast key generation, thought that keeping encryption secure for 2^64 queries is incompatible with AES (so NIST didn't know about "beyond-birthday-bound" encryption modes), thought that the literature had no proposals for post-quantum static-static key exchange (so NIST didn't know about, e.g., CRS), etc. The FOIA results also suggest that each submitted document, instead of being perused by the full NIST team for thorough evaluation, was delegated to just one person, who then tried to summarize the document in PowerPoint.