Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
NSA and IETF: Fairness (cr.yp.to)
145 points by WatchDog 1 day ago | hide | past | favorite | 186 comments
 help



The two most important things to understand about this kerfuffle:

(1) MLKEM wasn't designed by NSA, but rather by a team of highly-regarded European academic cryptographers, including Bernstein's former collaborator Peter Schwabe; their submission, Kyber, was selected in an open competition in which Bernstein himself submitted a closely-related algorithm (and then contested the result, suing NIST for documents to clarify the selection.)

(2) The RFC at issue documents the possibility of running TLS with pure MLKEM rather than in a hybrid configuration with ECDH. Hybrid TLS is already the mainstream, documented, standardized method for using PQC in a TLS connection. Bernstein is canvassing opposition to any documentation of the possibility of pure MLKEM in TLS.

Every time Bernstein talks about NSA's sordid history, remember: nothing that's happening here has really anything to do with NSA. It would make more sense for Bernstein to be canvassing against SHA2, which NSA actually did design. But he can't do that, because normal people know enough about cryptography to understand how crazy a claim that is. Unfortunately, we can't yet say that about lattice cryptography, despite it being approximately as well-studied as ECC.


> (2) The RFC at issue documents the possibility of running TLS with pure MLKEM rather than in a hybrid configuration with ECDH. Hybrid TLS is already the mainstream, documented, standardized method for using PQC in a TLS connection. Bernstein is canvassing opposition to any documentation of the possibility of pure MLKEM in TLS.

Two more pieces of context here: 1. The IETF allows code point registrations based purely on the existence of a specification, and the pure ML-KEM code points have already been assigned (https://www.iana.org/assignments/tls-parameters/tls-paramete...). The question at hand is whether the IETF will publish an RFC documenting the ML-KEM cipher suites [edited to make clear that ML-KEM is documented already].

2. It is also possible to publish an RFC via what's called "Independent Submission" (https://www.rfc-editor.org/authors/rfc-independent-submissio...), which is not subject to the IETF Consensus process. This is, for instance, how the GOST RFC (https://datatracker.ietf.org/doc/rfc9367/) was published. If the IETF opts not to publish this draft, the authors can still submit it to the Independent Submissions Editor.


> https://www.iana.org/assignments/tls-parameters/tls-paramete...

Further the draft that this is all about does not make a recommendation for its use. The currently IETF-recommended TLS algorithms are: X25519MLKEM768, x448, x25519, secp384r1, secp256r1.

As noted by someone on the IETF list [1] there are already ML-KEM-only implementations in various libraries, so if we want interoperability then it's best to have a standard document. No one is forcing anyone to use this algorithm, and it's not even 'officially' recommended (per above).

[1] https://mailarchive.ietf.org/arch/msg/tls/SXo4iVmp0ng_vi57ce...


> there are already ML-KEM-only implementations in various libraries, so if we want interoperability then it's best to have a standard document

“People are already doing it, so we might as well rubber-stamp it even if it’s not great” introduces problems of its own: people will perceive that rubber-stamping as validating it, and now they’ll use it even more, where perhaps if you held back, they wouldn’t.

(There are counter-arguments as well, of course. A couple of relevant cases that spring to mind where a body has not aligned with usage or expectations: W3C lost control of HTML, and it was probably for the best, but they remain a relevant body in closely-related areas; and OSI licence approval is a horribly broken political process which is almost universally misunderstood and close to frozen in time, yet they haven’t suffered like they should have for their misdeeds, they pretty much got away with it. There was also that thing somewhat recently about FedRAMP rubber-stamping Microsoft Cloud despite it failing dismally, because US government agencies had already started using it too much; and I wonder what that does to their credibility.)

This is also a concern with informational/independent submissions through IETF. They are frequently perceived as having IETF/standards weight.


These are arguments, but I don't really understand what they're arguments for. At issue here is whether or not the IETF should document usage of pure-MLKEM TLS. There are environments where people are going to use pure-MLKEM TLS, whether Bernstein likes it or not. His argument is that the IETF should pretend that isn't happening, and throw up weird procedural obstacles to it.

I know approximately nothing about the specific case here, and don’t believe I have any skin in the game. I intended my comment purely abstractly: I’m not commenting on anything technical, merely mentioning a procedural concern: that the line I quoted can sound reasonable, but that I don’t think it’s actually a reasonable argument by itself, because of the likely consequences of such actions. (That is: if that happened to be the only argument—though I doubt it is—there’s a compelling case for rejecting it.)

If it's documented it will be implemented by many more libraries and applications, that's the argument

It already exists. In fact, there are environments where it has to exist. So the argument he's making is that the IETF should pretend it doesn't exist.

Can you (or someone else) please give some example of those environments?

Telecoms.

I wrote at length about this debate in my blog post about threat modeling: https://soatok.blog/2026/06/30/soatoks-informal-guide-to-thr...


> “People are already doing it, so we might as well rubber-stamp it even if it’s not great” introduces problems of its own: people will perceive that rubber-stamping as validating it, and now they’ll use it even more, where perhaps if you held back, they wouldn’t.

The GOST cipher, which is Russia's AES equivalent, is also in an RFC:

* https://datatracker.ietf.org/doc/html/rfc9189

* https://en.wikipedia.org/wiki/GOST_(block_cipher)

Is the IETF validating its use?

The GOST document is categorized in the same way as the one currently being debated/discussed: Informational. It also has "N" under the "Recommended" column (like ML-KEM-only will have):

* https://www.iana.org/assignments/tls-parameters/tls-paramete...


In fairness, I do think that this situation is somewhat different. As I noted above (https://news.ycombinator.com/item?id=48812792), there are two main routes to an Informational RFC of this kind.

* Through the IETF

* Through the Independent Stream

The GOST documents went through the Independent Stream and therefore do not have IETF imprimateur. These documents are proposed for the IETF Stream and therefore require IETF Consensus to publish.

I know this is all super confusing. The basic problem is that the vast majority of RFCs come out of the IETF and so people often act as if all RFCs do. This is of course in part why people pursue Independent Stream publication rather than just publishing things on their own..


I have gotten flack for giving ULA+NPTv6 as a possible solution to an IPv6 multi-homing issue because the RFC that describes it was 'only' "Experimental":

* https://datatracker.ietf.org/doc/html/rfc6296

When I pointed out that the NAT(44) RFC (1631/3022) was 'only' "Informational" I got radio silence:

* https://datatracker.ietf.org/doc/html/rfc1631


I have no opinion on ULA+NPTv6, other than Experimental doesn't mean you shouldn't use it. How else would people experiment. It does mean that the level of vetting by the IETF is potentially lower.

WRT IPv4 NAT, I'm not sure how much we can infer from the status. Many people at IETF were (and some still are) very anti-NAT, in part because they felt that IPv6 was the right solution. As a result, the IETF really avoided doing anything that looked like it was endorsing NAT, even though it's obviously just a fact of the Internet.


My general point is that the category or track of an RFC may mean different things to different people (assuming they're even aware of them at all).

No disagreement there.

If it's supported it will be used, e.g. by vendors which decide for some reason to use it

Null encryption used to be supported as well, and no one was forced to use it.

But when something insecure is supported by a protocol it will lead to security hiccups.

If it's dangerous it shouldn't be supported.


But that’s not what the IETF is. They don’t police, they encourage collaboration and standardization between implementers.

Heh heh heh.

I recall the early-to-mid-90s when the IETF was a powerhouse, churning out foundational standards and documents monthly, and every time I read a foundational RFC for some protocol I wanted to learn, the "Security Considerations" section was intentionally left completely blank and un-considered.

I don't know if it was recklessness or expediency or a very calculated tactic (the Internet was invented by DARPA, after all) but Internet protocols were so ridiculously insecure, and based on absurd trust models that were repeatedly broken, and everything always transmitted in plaintext (because, of course, all networks were physically wired, secured, and only the good guys could tap into them).

It was an absolute Wild West clown college as the Internet transitioned to commercial and privatized use cases, and I suppose it guaranteed job security for generations of cybersecurity experts and cryptographers.


In the 90s, you as a private person were not supposed to have access to encyption which could not be broken by NSA.

"The longest key size allowed for export without individual license proceedings was 40 bits, so Netscape developed two versions of its web browser. The "U.S. edition" had the full 128-bit strength. The "International Edition" had its effective key length reduced to 40 bits by revealing 88 bits of the key in the SSL protocol."

https://en.wikipedia.org/wiki/Crypto_Wars


No. In the 1990s, you weren't allowed to export cryptography the NSA couldn't break. Strong cryptography was widely available in the 1990s.

(I had the pleasure of shipping a commercial product, back in the days when those things shipped in shrink-wrapped boxes, that carried strong cryptography, and had to deal with the export regime. It was not fun.)


note that this says something more limited than what you're saying. Specifically, an american company was not allowed to give access to the cryptography you describe to non-Americans.

This was still a very bad policy, but private americans were allowed to have strong cryptography.


They publish what become standards, you can't just support any existing option in an encryption protocol (if you want to have a secure one).

The standardization process should weed out 'footguns' that are prone to accidentally (or maliciously) lowering the security bar.

To point out some positive examples of what RFCs should include:

RFC 5288 s3 (AES-GCM): "Each value of the nonce_explicit MUST be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security."[1]

RFC 7748 s5 (X25519): "The cswap function SHOULD be implemented in constant time (i.e., independent of the swap argument)."[2]

By contrast, this proposed RFC for MLKEM provides a single encouragement:

"[NIST-SP-800-227] includes guidelines and requirements for implementations on using KEMs securely. Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers."[3]

It's not even a SHOULD, it's just an encouragement in a non-normative section of the RFC.

When you go to the referred NIST SP 800-227 it then tells you it's all too hard anyway and good luck and have fun figuring it out yourself:

"Cryptographic modules for KEMs should be designed with appropriate countermeasures against side-channel attacks. This includes protecting against timing attacks with constant-time implementations and protecting memory from leakage. Universal guidelines are unlikely to be helpful as exposure to side-channel attacks varies significantly with the desired application, and countermeasures are often costly."[4]

The normative standard FIPS 203[5] which the draft MLKEM RFC relies upon NEVER mentions "side channel", "constant", "timing" or provides any other assistance to implementers on how to securely multiply and/or divide numbers on computers or how to deal with conditional branching. Fair enough it includes a lower case "should" for considering side-channel resistance, but this throwaway comment is inadequate for standardisation.

The main reason it is inadequate is, imagine you're on your Hardened Gentoo or some other uber-geek laptop with the most advanced and thoroughly tested side channel resistant MLKEM client imaginable. You want to access your bank's website that offers MLKEM-only TLS. You don't have any assurance the bank's implementation of MLKEM has implemented any side channel resistance because the RFC they claim to have implemented never required it. If you then extrapolate from historical woes of implementing side channel resistant crypto (ECDSA scalar multiplication for example), it's probably correct to assume someone has, or reasonably could at some point in the future, extract private keys from the bank's side, and thus your expectations of having a secure connection are unmet. This is a standardisation problem because two implementations cannot agree on whether the protocol offers any resistance to side channel leakage to remote adversaries, therefore, what is the security guarantee the two implementations can actually agree upon?

The key missing section of this RFC is perhaps a restriction on its application similar to:

"This standard does not require implementations to consider side-channel attacks. This standard SHOULD NOT be used for protecting data and communications where an adversary may have one or more of: a) physical access to equipment performing cryptographic operations and time and resources necessary to observe physical properties of the equipment (power and signal characteristics, electromagnetic radiation, thermal dissipation), b) ability to execute code on equipment performing cryptographic operations, c) remote access to high-resolution monitoring data of physical properties of equipment performing cryptographic operations, d) ability to observe and/or establish a session to a party using this cryptographic protocol."

Thus it'd only be applicable to low risk environments such as two servers in a government building in separate rooms where an adversary is prevented from conducting a side channel attack by a plethora of other security controls.

[1] https://datatracker.ietf.org/doc/html/rfc5288#section-3

[2] https://datatracker.ietf.org/doc/html/rfc7748#section-5

[3] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/

[4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

[5] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf


You are confused about what this RFC is. It's not the enabling RFC for PQC in TLS, or for MLKEM. It's documentation about a specific set of parameters for doing pure, as opposed to hybrid, MLKEM. It defers the guidance you're looking for to other RFCs.

From RFC8446 (TLSv1.3) sE.4: "In general, TLS does not have specific defenses against side-channel attacks (i.e., those which attack the communications via secondary channels such as timing), leaving those to the implementation of the relevant cryptographic primitives."[1]

But draft-ietf-tls-mlkem just handballs to FIPS 203 for description of cryptographic primitives, and FIPS 203 doesn't care about side channel resistance. The token reference to NIST SP 800-227 for how to securely implement MLKEM also offers no suggestions on side channel resistance.

The draft MLKEM IKEv2 RFC[2] has the same problem.

Which standard, if not draft-ietf-tls-mlkem, changes the draft-ietf-tls-mlkem specification of the following cryptographic primitive:

Original: "Decaps(sk, ct) -> shared_secret: A decapsulation algorithm, which takes as input a secret decapsulation key sk and ciphertext ct and outputs a shared secret shared_secret."

To include side channel resistance, for example:

Improved: "Decaps(sk, ct) -> shared_secret: A decapsulation algorithm, which takes as input a secret decapsulation key sk and ciphertext ct and outputs a shared secret shared_secret. Decaps() MUST be implemented as a constant time function to ensure the time needed to execute Decaps() does not differ for different sk and ct values."

Some further examples of RFCs which do care about specifying side channel resistance:

RFC 9980 (OpenPGP PQC) s9.3: "This specification makes use of the default "hedged" variants of ML-DSA and SLH-DSA, which mix fresh randomness into the respective signature-generation algorithm's internal hashing step. This has the advantage of an enhanced side-channel resistance of the signature operations according to [FIPS-204] and [FIPS-205]."[3]

RFC 9941 (SSH sntrup761x25519-sha512) s4: "As discussed in the security considerations of [RFC8731], the X25519 shared secret K is bignum-encoded in that document, and this raises the potential for a side-channel attack that could leak one bit of the secret due to the different length of the bignum sign pad. This document resolves that problem by using string encoding instead of bignum encoding."[4]

(this RFC 9941 example has the benefit of showing how draft-ietf-tls-mlkem could take problematic cryptographic primitives from FIPS 203 and tighten the specification within an RFC to enforce side channel resistance)

[1] https://www.rfc-editor.org/info/rfc8446/#appendix-E.4

[2] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-ml...

[3] https://www.rfc-editor.org/info/rfc9980/#section-9.3

[4] https://www.rfc-editor.org/info/rfc9941/#section-4


Sir, this is a Wendy's. You're giving me a phone book's worth of RFC cites here but not a lot of indication that you spend a lot of time reading RFCs generally. The RFC we're discussing on this thread is an ancillary publication documenting code points for a specific configuration of MLKEM, which is already extensively documented in other RFCs. Ancillary RFCs like these are for obvious reasons brief.

My key point you are avoiding with personal attacks is:

If I see another computer offer TLS named group 0x0200 (MLKEM512) as introduced by draft-ietf-tls-mlkem, do I have any assurance that the other end I'm communicating with uses constant-time Decaps(sk, ct)?

--

The answer as far as I have presented is NO. TLS named group 0x0200 (MLKEM512) is free to be used for leaky MLKEM implementations that have made no effort to be side channel resistant. The end state for MLKEM-only will be the IANA registry stating TLS named group 0x200 (MLKEM512) is specified in RFCxxxx (draft-ietf-tls-mlkem), and this RFC will refer to FIPS 203 for cryptographic primitives. At no time is side channel resistance in any way guaranteed by either draft-ietf-tls-mlkem or FIPS 203.

The situation for TLS named group 0x0029 (x25519) is different. The IANA registry nominates RFC 8446 as the relevant specification.[1] And RFC 8446 nominates a specification (RFC 7748) which does require implementation of cswap as a measure of side channel resistance.[2][3] So when you trace through the specifications starting from the IANA registry, it is unambiguous that TLS named group 0x0029 should provide at least some degree of side channel resistance. Even for this case, I'd argue the SHOULD would be better as a MUST (with possibility to add another TLS named group specifically for x25519-unsafe without constant-time cswap if anyone cares for it). And I'd also argue that RFC 8446/TLSv1.3 should require (not just suggest or hope) that implementations MUST only use constant time functions when processing ECDHE parameters per s4.2.8.2.[2] TSLv1.3 already requires AEAD use elsewhere to force constant-time processing. It's worth noting TLSv1.3 currently doesn't provide any guarantee about side channel resistance of secp256r1, secp384r1, and secp521r1. TLSv1.3 currently just provides this guarantee for X25519 and X448.

[1] https://www.iana.org/assignments/tls-parameters/tls-paramete...

[2] https://www.rfc-editor.org/info/rfc8446/#section-4.2.8.2

[3] https://www.rfc-editor.org/info/rfc7748/#section-5


This isn't responsive to anything I just wrote. Are you generating these comments?

using pure ML-KEM is not a footgun. Some people may have doubts about lattice-based cryptography, despite being securely deployed in Chrome nearly a decade ago. Some people have doubts about many things. The fact that people have doubts does not make the scheme a "footgun".

It is if literally the only thing you've ever read about the technical details of LWE cryptography is Daniel Bernstein.

you'd probably call it "Product NTRU" then, and be a minimum a decade out of date. So you'd probably have to do all that weird shit with co-different ideals Peikert was trying to get us all to do (I know it was "right" but sometimes you need to put a muzzle on the math guys for all of our sakes).

> The question at hand is whether the IETF will publish an RFC documenting the ML-KEM.

The IETF document only documents how and where to put the MLKEM values into TLS. MLKEM itself is specified in FIPS203 and it just references that for the actual cryptographic details. The IETF document is in fact quite short:

https://www.ietf.org/archive/id/draft-ietf-tls-mlkem-08.html

(This doesn't mean the document is a stub or pointless or something like that, you do need a "what goes where".)


You're right. Bad writing on my part. Edited to make it clear.

The ISE has said they aren't progressing crypto drafts anymore.

You are simplifying ad absurdum. The NSA is as likely to compromise hash and signing algorithms as the police are likely to recommend pissing in petri dishes to cast doubt on that troublesome forensic science. The NSA likely has orders more experience with the area of cryptography Kyber comes from than everyone who worked on Kyber. Estimates at one point were that they had more than half of appropriate PhD level Mathematicians in the US, that may have gone down with more cryptocurrency firms, etc, but those firms are not researching algorithm families that may or may not replace the standards with all that much interest.

The NSA had nothing to do with designing Kyber.

He didnt say it did, he said "The NSA likely has orders more experience with the area of cryptography Kyber comes from than everyone who worked on Kyber"

He himself (co-)submitted a lattice KEM to the NIST competition.

Yes, and strongly argued against lattice schemes generally. DJB submitted a lattice scheme under the theory that if the advocates of lattice schemes were able to win the argument about the performance properties then there should be a choice of an extremely conservatively designed one.

DJB himself has consistently advocated for Classic McEliece in any application which can accept its performance characteristics (which are excellent except for the ginormous public keys), and spent many bytes trying to convince people that the set of applications that can is wider than they suspect.


NTRU based schemes are not the most conservative. NTRU is an old design from the 90s, that had some shocking structural attacks against it appear ~2016. These attacks so far are only relevant for moduli q ~ (1/100) n^{2.3...}. This makes them worse than conventional attacks against NTRU-based PKE. But they completely killed roughly half of all NTRU-based fully homomorphic encryption schemes, and are a (major) structural issue with NTRU that RLWE/MLWE does not have.

In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative. The only major attacks on lattice-based schemes since his proposal have been on the hardness assumption his scheme uses. I would personally suggest this means that Bernstein is not an accurate predictor of the security of lattice-based schemes. So far his track record (with this notable example, but also many others) is remarkably bad.


The general C.W. I've heard is that if something happened that made MLKEM look theoretically shaky (pretty unlikely, but whatever), you fall back to something like FrodoKEM, which is plain LWE with no affordance for NTT or anything like it; no structure, no performance.

It really depends on what the precise details of the attack look like.

1. algebraic structure: sure use frodoKEM

2. error rates smaller than those required for worst-case to average-case reductions: idk bump error rates

3. some coding theorist ruins everyone's fun and has linear time decoding for p-ary construction A codes: probably drink a lot idk

fortunately there haven't been any "incremental" attacks in any of these directions, so it is really more an academic discussion.

Also note the primary issue with FrodoKEM isn't performance (though that is definitely worse), but size. My impression from the following

https://blog.cloudflare.com/sizing-up-post-quantum-signature...

https://blog.cloudflare.com/making-protocols-post-quantum/

was that TLS w/ FrodoKEM might have some undesirable performance characteristics, though that isn't directly stated in the articles. Iirc TLS w/ FrodoKEM


> In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative.

This is in fact that what I meant, and should have said: thanks.


His isn't the most conservative lattice construction! This is a hell of a just-so story.

[flagged]


What does this even mean? By the exact same logic you could impeach literally any algorithm.

It means that your argument is “the NSA couldn’t have subverted ML-KEM, it was written by Europeans”.

You assiduously pretend that this scenario isn’t possible: * The NSA reviewed the PQ submissions and realized that there’s one they already know how to break at scale: ML-KEM, because their army of math PhDs spent a couple decades understanding it better than the rest of the world * The NSA decides they want ML-KEM deployed everywhere so that the world is full of transparent-to-NOBUS cryptography * The NSA spends the entire PQ contest placing their thumbs on the scale of the process, violating their 2014 post-Snowden promises of increased transparency, to make their NOBUS dreams happen

The actions of NSA and NIST personnel make the most sense with the assumption that they desperately want to standardize ML-KEM and ML-KEM alone because _they already know how to break it_. What doesn’t make any sense is why the private sector is cheerfully going along with it —- even Charlie stopped letting Lucy hold the football at some point.


You're just restating the same claim with more words. It obviously proves too much. You can stick any algorithm, from MLKEM to SNTRUP to CRC32, in the same comments and get the same result.

No, because if the NSA didn’t already know how to break one of the cryptosystems, their engagement with the contest would have looked much different. They’d genuinely engage with the contestants and provide accurate security margin estimates. They wouldn’t barge in and make illegal procedural demands.

This is called praxeology. One would think that someone who has already been a useful idiot on behalf of the NSA regarding Dual-EC-DRBG might learn to keep their naivete to themselves.


I don't think you understand the argument you're making here. NSA had no hand in MLKEM itself or even in the line of research that led to MLKEM. Whatever advantage you're claiming they have with respect to MLKEM, I could just as straightforwardly claim they had for McEliece, isogenies, HQC, or UOV.

But the NSA didn’t throw their weight around in the NIST or IETF processes trying to standardize McEliece, isogenies, HQC, or UOV. They threw their weight around trying to standardize ML-KEM.

And anticipating your “but SIKE turned out to be easily breakable, why didn’t they try to standardize it?” The answer is “it made it shockingly far, but more importantly, SIKE was broken in the unclassified literature, but ML-KEM is broken in the classified literature.” Secrets in unclassified literature are not NOBUS secrets.


Unfalsifiable just-so argument. The point is that no matter what NIST selected, you could make this argument. Heads, you win, tails, they lose. There's no actual cryptography involved here.

You do realize that the NSA spends many millions on employing mathematicians, right? And that they wouldn’t keep doing that if all the mathematicians did was get really shit-hot at Kerbal Space Program?

An analysis of the comparative risks of these crypto systems should include “The NSA knows a lot of math they’re not sharing, and if they really really like ML-KEM, that’s concerning even if Ptacek keeps pointing out NSA didn’t write it”


When you make an argument that is actually somehow rooted in cryptographic research, I'll have something to reply to. This is all just Schneier-Facts(tm) logic.

To be clear, the Schneier Facts on Dual-EC turned out to be far more accurate than the Ptacek Gut Logic.

Schneier said the same thing I did. I literally got my take from Schneier. You don't even have the Schneier Facts right!

To quote you: “ (I'm among an elite cadre† of cryptography-adjacents who felt it probably wasn't, but only because I thought it was too stupid to actually be used anywhere --- as soon as it was disclosed that (a) it was a default-yes algorithm in BSAFE and (b) big companies actually used BSAFE in important products, it was immediately clear what was going on).”

The BSAFE disclosure happened in 2013 with Snowden. In 2015 you published an article still questioning whether Dual-EC was a backdoor, and providing an immense amount of plausible deniability for folks like Hoffman.

https://sockpuppet.org/blog/2015/08/04/is-extended-random-ma...

You don’t even remember the historical Ptacek Gut Logic!


You don't understand the article you just quoted. It is certainly not the case that I published an article in 2015 questioning Dual EC. You might be the only person in the world with an opinion about Paul Hoffman, by the way. I had to look him up.

I mean, it's obvious what you did here: you went to my blog hoping to find the "Dual EC is fine" story, misread this one, and then took a random name out of it and tried to cast them as an archvillain.


As your article points out, Hoffman wrote a specification for spewing as many NSA-controlled “random” bytes into TLS packets as he could get away with, after Rescorla’s attempt failed. Hoffman’s work became an experimental RFC.

Yet, your article says “In at least one case, Hoffman even attempted to provide a cryptographic rationale for extra randomness. Of course, naming-and-shaming either of them is pretty silly.” This makes no sense. We have names for criminal equivalents of his behavior: criminal mischief, disturbing the peace, conspiracy, etc. But if you do these things on a standards board, you get a pass? This was a concerted well-funded effort to compromise your security and my security. I think he should be put in a pillory and tarred-and-feathered.

You continue to cover for malicious actors with your “but the NSA didn’t write it!” insistence. The classic anti-Schneier Dual-EC take around 2007 was “but the NSA wouldn’t insert a backdoor, they would destroy their public image!” Your insistence is the equivalent of “but the NSA wouldn’t do that AGAIN!” Fool me once…


The article you're talking about literally opens "I think Dual EC is a backdoor". You don't understand it. You don't know who Paul Hoffman even is. Why would we keep discussing this?

Because both the article and your continued arguments about ML-KEM demonstrates that in confirmed cases of NSA sabotage and in hypothetical cases of NSA sabotage, your job is to deflect, minimize, and avoid any responsibility being doled out. I hope you’re well paid for this job.

When we find out that the ML-KEM math was thoroughly broken by NSA for years, your response will be “gosh, nobody could have known that. It’s best not to hold anyone responsible though, certainly not the NIST employees whose names are all over the evidence…”


Again: you pretty clearly don't understand the article you're citing. And that's easy mode compared to LWE vs RLWE. I don't think there's anything productive to be gained from us continuing to talk.

    > Unfortunately, we can't yet say that about lattice cryptography, despite it being approximately as well-studied as ECC.
this is an absurd claim, lattices may be as well studied as elliptic curves, but not the cryptography.

No, it's not an absurd claim. Lattice key establishment goes back into the mid-1990s, and was at one point a serious contender for the alternative-to-RSA/FFDH algorithm that ECC became. Modern LWE lattice KEM is approximately at the same point in its lifecycle (say, compared to original NTRU) as Curve25519 was to ECDH.

It does not matter much how long it goes back, because before its standardization very few people have bothered to study it.

Like for any other cryptographic algorithms, where one or more decades were necessary for a good understanding of their properties, we can expect much more relevant publications about lattice key establishment in the next years, than until now.


this is entirely wrong. Lattice-based cryptography has been extremely well-studied theoretically and practically, even before standardization. For example, a (hybrid) lattice-based KEM was (experimentally) deployed in Chrome in 2016.

https://security.googleblog.com/2016/07/experimenting-with-p...

one or more decades were required to get good understanding of the relevant lattice problems. But they were introduced in

* the ~1990s, for NTRU, and * ~2005, for LWE, and * ~2012, for RWLE

ironically, of all of them LWE is probably understood the best (though our understanding of LWE, RLWE, and MLWE are all roughly similar now). This is because it is a problem more amenable to understanding than NTRU, which is (by comparison) a little more "ad hoc".

For lattice-based KEMs, we also have very strong understanding of things. Roughly, we were able to design the lattice-based KEMs based on our prior understanding of general KEMs. Concretely, we had a much better understanding of the precise details of the FO transform, which fed into teh design of lattice-based KEMs. So most lattice-based KEMs solely had to construct a lattice-based PKE. Doing so from LWE is fairly straightforward. Iirc since ~2005 there was a certain technique known, and then a more optimized technique was developed in ~2011. All lattice-based KEMs (that construct IND-CPA PKE -> FO Transform -> IND-CCA2 PKE) proceed with this ~2011 technique, with various internal knobs tweaked.

Post-standardization there has been some additional research into lattice-based KEMs, but they have (generally) been proceeding by tweaking the core ~2005 hardness assumption to try to get more efficiency. It's an interesting idea, but generally hardness assumptions take the longest time to gain confidence out of any part of a cryptographic algorithm (as they're the only unprovable part), so it might be a bit before we feel "safe" regarding them.


the McEliece cryptosystem goes back to the 70s, doesn't mean it's as well studied as RSA. obviously people study popular cryptographic primitives more.

having said that, I would trust McEliece more than Kyber.


you would make poor decisions then. McEliece recently (in the last month) had a large new attack against it

https://eprint.iacr.org/2026/1232

This doesn't hit classic McEliece yet, but is part of a line of work that Randriambololona has been doing, which are at a minimum very concerning for the security of McEliece.


certainly a concern, and a good reason to use multiple cryptosystems together. unfortunately there are probably similar papers for Kyber which are NSA property and will never see the light of day. they do employ a lot of mathematicians.

for applications where key exchange need not be particularly fast or compact, I would even throw in 4096 MP-RSA in (tuned to whatever size the exchange can tolerate) as a hedge against that if a CRQC is even possible, it would be able to continue to grow in size quickly or at all.


there is no indication there are similar papers. Curiously, the best lattice cryptanalysts in the world are chinese and european (here I'm thinking of people like Ducas, Albrecht, and Ding). It's actually a weird blindspot of american cryptography (this isn't true for all cryptanalysis, but in general European cryptography is "more concrete" vs "theoretical" american cryptography).

This isn't to say that it is impossible for the NSA to have their own private cryptanalysis. It is to say they're not some magical fairy that produces non-trivial attacks. They, like any other organization, need to develop talent. In the past they have been able to do this (they, through the CCR, hired Don Coppersmith in 2005. A VERY notable cryptanalyst at the time). I am unaware of any lattice cryptanalysts who have "gone dark" in a way similar to how Coppersmith did in ~2005.

Note that we also have theoretical reasons to be more confident in the hardness of ML-KEM. The reasons are technical (and worse than the practical reasons we have, namely people have iterated on attacks and the attacks stopped getting appreciably better). But it is (curiously) the hardness assumption we perhaps have the best (theoretical) justification for why it is hard.

Using RSA as a hedge would be incredibly stupid. Index calculus attacks were significantly improved in the 2010s, at least for small characteristic finite field DH. These improvements have only tangentially hit RSA. I've heard a integer factorization record holder directly say there's no real barrier to similar improvements hitting factoring. It hasn't been done, so it isn't "easy". But also people wouldn't be surprised if it was done. The record for binary characteristic finite field DH is ~30k bits (by an academic team. governments could throw more money at it of course).


as a heads up, there is another attack paper against McEliece today

https://eprint.iacr.org/2026/1339

Note that this is by someone from the BSI. It's worth mentioning the BSI is very familiar with lattice-based schemes (they recommend using FrodoKEM rather than Kyber, but whatever). Despite this familiarity, the attacks they are able to publish aren't regarding lattice-based schemes, and instead a different scheme Bernstein was affiliated with.

NTRU-derivatives and McEliece derivatives are (objectively speaking) not a good track record to have, PQC-wise.


You would trust McEliece more than Kyber because...

Because NIST chose it, after non-public input from the NSA. But if I am honest, NIST recommending it at all is enough to suspect it of being compromised. I say that as an American, and my non-american friends equally don't trust NIST on crypto topics.

The real problem I have is best described as I haven't read a single coherent argument responding to and rejecting the real concerns raised by the individual who after nist betrayed the internet with by recommending a compromised standard at the encouragement of the NSA. Is the person who wrote the crypto library everyone uses.

DJB puts his money (time) where his mouth is. I would critique his attachment to his own ego. But I'm in the group of people who haven't contributed enough yet to foss to get to throw stones. So I'll defer to people who can match his contributions. Until that happens, DJB's reputation is cares passionately about crypto and it's community, vs an US government group with a reputation for trying to sabotage crypto systems after passing secrets with the NSA, who refuses to provide details about their most recent secret messages.

I do find some of the arguments and refutations from the mailing lists compelling. But not all the them, and nothing directly from NIST. Equally some of DJB's appear to weaken his points. But like I said, I plan to trust the reputation each party has earned.

NIST has a history of behaving inappropriately, and unethically around it's cryptography recommendations. But the people currently in charge would rather pretend they're above it and not literally directly responsible for the organization with a well earned reputation. If you're given a 2nd chance after your partner catches you cheating, it's a reasonable requirement that you account for every second of your time, until you restore the reputation you destroyed.


This argument is entirely non-falsifiable. You could use the same logic no matter what algorithm won the PQC competition. You can even use Vizzini logic to argue against against algorithms the NIST competition didn't pick.

I'm not making a falsifiable argument. I'm stating that given their history, and current behavior I don't trust NIST and I don't think anyone else should either. They are keeping secrets around a new crypto system, the last time they did that it was to hide a known-broken crypto system.

The controversy over the PQC is the topic at hand. If they'd selected a cipher that didn't carry the objections of someone who's reputation I trust more than NIST. Then I'd trust NIST's decision, by proxy.


Again: it's not their cryptosystem. They didn't design it. They had no hand in its design, or in any of the research that led up to it. They proctored a competition in which everyone involved was unsurprised by the outcome. A pretty big chunk of every academic cryptographer in the world participated, and if you had put the whole thing to a vote, 60% chance you'd have still gotten Kyber and like I don't know 35% chance you'd have gotten SABER.

That's what's so crazymaking about this. People who actually pay attention to cryptography know all this, so much so that Bernstein sounds deranged to many of them. But he's counting on you not knowing any of it. Which is to say: he's preying on your ignorance. It's a bad scene.


I know the backstory. I know there's no real evidence or proof against Kyber's real security, only questions. I've also read the full email threads that I was able to find. Nearly everyone looks like a shithead. I'm sure they're fine people in real life, but there are so many emails that are covered with contempt for the person they're replying to. Trustworthy people don't act like that. > But he's counting on you not knowing any of it. Which is to say: he's preying on your ignorance. It's a bad scene.

I know all of that, I also know I'm years away from the maths to understand the crypto and decide for myself. So, I'm forced to have an opinion because friends and employers will expect me to have one; like them, I'm also forced to operate on trust. Help me with this one? Because my problem is, the only person in the whole scene with ethos is djb. Not a single person in the stack has their name on *anything* that would allow me to trust them given their previous behavior.

So who's the non-deranged person that can put their ego aside, long enough to go point by point down the "deranged man"'s "psychotic rant". Where something everyone who's paying attention can point to and say, djb has stopped taking his crazy pills, here's what reality looks like. Because I went looking for it when I first heard about it, his blog has been linked to from HN many times. But no one has linked to a single other person. I agree with you, the arguments he's making are barely convincing. But one one side, I have a well respected cryptographer (who might want to consider or respond to the accusations he's becoming a bit eccentric) saying hey, y'all are fucking it up. Directly to the people who actively did something ethically inexcusable. Who not only appear to following the exact same pattern as last time, but no one is willing to put their name and time on the line?

What am I supposed to do? Get on board because NIST recommended it already, and there's the RFC for it, so why bother fighting? Just trust the current or next US administration won't do something I object to... like trying to back door crypto... again... I know you'd never actually make that recommendation... well I hope at least. But really; what would you expect me, someone who still trust djb even though his eccentric writing is desperate for an editor, and also, someone who actively believes the people in charge of NIST are ethically questionable. What should I do? where's the evidence that would convince me to switch from believing the guy working to improve foss crypto, to the org with a history of delivering backdoor'd crypto.


You're making my point for me. Nobody in the whole world is asking for you to take NIST's word for anything.

The problem here is that literally the only information you have to work with is Daniel Bernstein, a notorious standards crank. The names of the cryptographers vouching for Kyber don't mean anything to you. Peter Schwabe? Leo Ducas? Chris Peikert? You're not a cryptographer, who could reasonably expect you to know who those people are?

And Bernstein knows it, and plays it to the hilt.

But I already pointed this out. You keep bringing it back to NIST, but I keep telling you: if you simply let a panel of PQC contestants with credible affiliations vote on it, you'd have gotten the same outcome. So we're really just going around in circles here.


My problem is with NIST, your problem is with DJB. Neither of us really want to defend either, (I assume, maybe you do want to defend one of them?) We just disagree which one is more likely to make the world worse.

I'm not taken in by the crazyness on either side, and while if pressed, it's obvious which side I would pick. I'm not so much picking a side, so much as complaining again, how we're letting a group with an earned reputation for being untrustworthy keep secrets about crypto. I hate the whole thing, but that's how little trust I have left in other people. The crazy guy is the on the side I hate less... but what to do?

edit:

> You're making my point for me. Nobody in the whole world is asking for you to take NIST's word for anything.

Literally everyone standardizing on Kyber is asking me to trust NIST, et al, and pay the additional overhead for setting up a TLS connection. I guess you could frame it as they're not asking, because I'm not being physically forced to interact with them... but then I try really hard not to engage with bad faith bait, when I'm able to resist.


No, nobody is asking you to trust NIST.

Did you really need me to specify rhetorically speaking? You weren't able to work out that on your own?

Nobody is even rhetorically asking you to trust NIST.

if you blindly distrust the NSA, you should stop using x25519 immediately. It uses SHA2, which was solely developed by the NSA.

If DJB blindly distrusts the NSA, he would also recommend against SHA2. But he doesn't, and instead wants to mix a scheme developed by European academics with one built by the NSA. If you go by blind distrust, this should be extremely concerning.

Of course, I'm not suggesting you use blind distrust, and only pointing out that none of the blind distrust discourse makes any sense. We all trust SHA2, which was an explicit NSA product. Kyber had no NSA input. why is Kyber the NSA-suspect scheme?


> But if I am honest, NIST recommending it at all is enough to suspect it of being compromised.

NIST isn't the NSA and doesn't have the NSA's goals in mind. They are briefed by NSA on some matters, sure, but they're not the same organization.

NSA has a dual mission: Both SIGINT and COMINT. While the SIGINT folks might rub their hands and laugh evilly at the prospect of backdooring the PQ KEM that the Internet wants to move towards, this plot makes no sense at several levels.

The NSA has, through CNSA 2.0, committed to moving the entire federal government onto ML-KEM for top secret communications. The COMINT guys would shit themselves in rage if it turned out to be backdoored, even if there was enough hubris that the backdoor was NOBUS.

If you can't trust the people, you should always seek to understand their incentives if you want to predict their behavior.

My interpretation of the CNSA 2.0 move was that the NSA believes 1) that ML-KEM is actually the good stuff, and 2) the Suite B transition failed so spectacularly that they want to signal confidence in ML-KEM by recommending it without hybridization. Since pretty much everything they do is top secret, they probably can't comment further.


You're argument is that I shouldn't think of NIST as a patsy for the NSA, is because the NSA can't possibly be recommending a compromised cipher, because if they were, that would mean this US government org is horribly defective and dysfunctional, where one side didn't know what the other was doing?

Incentives are basically all I consider when trying to establish true motive. But you're not required to consider motive when there's a history or pattern. Even if "It's the way we've always done it", wasn't a much, much stronger motive than thought/reason is for any human. It's both logical and desired to treat something as the most dangerous until proven otherwise.

I used to be a nurse. I remember when working in the ED, I was taught that every single woman on childbearing age who comes into the ED with abdominal pain is an extopic pregnancy until proven otherwise. If you ask a woman if it's possible she could be pregnant, regardless of the truth, many will claim it's impossible. If you blindly trust them, and delay treatment, you could needlessly kill your patient, or leave them infertile. Why would someone lie and risk that? Or how dare your medical team make assumptions like that? Well the alternative is worse, the reality should be easy to prove.

NIST has a history of recommending broken ciphers. That's not a mistake a professional would ever make. So thinking about incentives, I'm going to treat it like it was intentional. Here the group with a history for fucking up, isn't being transparent. I would love it if NIST would say enough to make DJB happy or at least stop pretending like they deserve any trust anymore.

Until then, I don't find "they're probably behaving like rational actors" compelling enough to trust them with keeping secrets from somebody who I actually do trust.


> You're argument is that I shouldn't think of NIST as a patsy for the NSA,

Incorrect. My argument is that they aren't the same entity.

The thing you said is a whole different argument. "I like waffles" "So you hate pancakes" is happening.

> Incentives are basically all I consider when trying to establish true motive. But you're not required to consider motive when there's a history or pattern.

Yes you are. You need to consider both factors. Why render yourself willfully ignorant? That's not how you arrive at truth.


> Incorrect. My argument is that they aren't the same entity.

Your mind is going to be blown when you learn about proxy organizations and cut-outs.


NIST does a lot of things that have nothing to do with computer security!

Would you indict NIST MEP https://www.nist.gov/mep/about-nist-mep as being an NSA project without evidence?


The Godfather Part 2 demonstrated overwhelmingly that a good part of Vito Corleone’s ill-gotten gains went to strengthening his community. The Italians in his neighborhood adored him.

What does a work of fiction have to do with whether two distinct government entities are the same thing or not?

That's beyond moving goalposts. Just take the L, dude.


I was making the point that if you have subverted the NIST to do your bidding in what appears to be a neutral way, obviously you’re going to have some feel-good projects in your portfolio. Otherwise, the folks that the Soviets called “useful idiots” wouldn’t have anything to point to to exonerate them.

You're all over the place except where the discussion was actually taking place.

Ok, let me be clear: the NIST is a proxy organization for the NSA. The declassified internal history of the NSA makes it clear that they were subverting the NIST back when they were still called the National Bureau of Standards.

Just because NIST engages in some wholesome activities doesn’t mean that their core purpose isn’t to do the bidding of the NSA.


> Just because NIST engages in some wholesome activities doesn’t mean that their core purpose isn’t to do the bidding of the NSA.

Their core purpose is to recommend standards that everyone can use, and anyone who wants to work with the US government is expected to follow. They have to pick standards for everything, but can't have experts in everything on staff, so are required to defer to other experts willing to help. The NSA took advantage of them. I find the idea that NIST wants to be a lackey to the NSA, stupid. It's ignorance and incompetence that lead NIST to getting duped by the NSA. The problem is, not getting dupe is literally, their *only* job.

It's like hiring a firefighter to protect you and then they set your house on fire; it doesn't matter so much why you don't have a house anymore... you just sure a hell are never letting him near anything important every again.

You're allowed to treat gross incompetence as equivalent to intentional malice, without needing to make something up about how it was intentional.


> Incorrect. My argument is that they aren't the same entity.

Did I claim they were the same?

> The thing you said is a whole different argument. "I like waffles" "So you hate pancakes" is happening.

uh.... you started it? What are we even doing? I'm not above this kinda comment, but I kinda assumed you were? I'd be interested if you have a take I haven't considered; but not if we're just going to try to make straw man of the other.

> Yes you are. [required to consider motive]. Why render yourself willfully ignorant? That's not how you arrive at truth.

I'm not looking for a pure truth. I'm just looking for a heuristic that's just functional enough to keep me, and my data safe. I don't even want to make a perfect is the enemy of good argument. I'm just pointing out, where my line is. I lack the maths knowledge, practical experience, fucks left to give, and spoons remaining for the things I want to spend my time one. Evaluating every bit of information I could possibly gather, and witholding and judgement is a cute idea, but I've got better things to do. NIST has in tandem with the NSA, lied, and shipped a broken crypto system. Let's pretend I don't consider that to be permanently disqualifying, resign, stand up a completely new group from scratch, black tag/non-salvageable. They've burned the default good will everyone starts with, and then peed on it for good measure. Now they're hiding information AGAIN?!

Nah, I could waste my time trying to find the objective truth. Or I could give NIST the finger, and say, make the person with the remaining good will and trust and fucks left to spend on NIST happy. Only then come back to me. Until then, I refuse, and for the same reason I refuse to review LLM PRs; I'm trying to do things, and [they] are trying to DoS my brain.

Ideally, you'd stop helping [the them], or answer the remaining objections line by line, and publicly? Then I'd have someone else with enough good will that I can trust. Because NIST is doing the opposite if they want my confidence.


In the past NSA has weakened encryption standards, for example NSA madified DES standard. The NSA pushed backdoored design of Dual_EC_DRBG was standardized in NIST SP 800-90A.

"Weaknesses in the cryptographic security of the algorithm were known and publicly criticised well before the algorithm became part of a formal standard endorsed by the ANSI, ISO, and formerly by the National Institute of Standards and Technology (NIST). One of the weaknesses publicly identified was the potential of the algorithm to harbour a cryptographic backdoor advantageous to those who know about it—the United States government's National Security Agency (NSA)—and no one else. In 2013, The New York Times reported that documents in their possession but never released to the public "appear to confirm" that the backdoor was real, and had been deliberately inserted by the NSA as part of its Bullrun decryption program."

https://en.wikipedia.org/wiki/Dual_EC_DRBG

"NSA worked closely with IBM to strengthen the algorithm against all except brute-force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key"

https://en.wikipedia.org/wiki/Data_Encryption_Standard

The NSA published algorithms are not used for the important US secrets. For these system the classified algorithms of NSA Suite A are used.

https://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography

NSA Suite A was probably used for Space Shuttle comunication. NASA scrambled to recover classified communications gear after the Challenger shuttle disaster in 1986.

https://www.globalsecurity.org/org/news/2003/030206-comsec-s...


> In the past NSA has weakened encryption standards, for example NSA madified DES standard.

They made DES more secure against differential cryptanalysis (a method that was classified at the time DES was being designed). Sure, the whole "make the keys 56-bit instead of 64-bit" is a weakening, but differential cryptanalysis would have broken the entire fucking cipher if they didn't prevent it by selecting a secure S-box.

> The NSA pushed backdoored design of Dual_EC_DRBG was standardized in NIST SP 800-90A.

Correct, which another threat actor used in a backdoor by replacing the public key.

I'm not arguing that NIST isn't vulnerable to NSA influence. I'm arguing that they are not the same entity and do not have the same goals or incentives.

I'm not an NSA defender. https://furry.engineer/@soatok/116854899284071513


To extend on this good point--

DJB is not just a mathematician looking over theoretical equations. He's also an expert in the real world _implementation_ of cryptography where most security failures can be expected to occur.

For some mathematician's brilliant cryptography scheme, how easy would it be for implementers to develop constant time / constant power computer algorithms to avoid side channel leakage? Have these computer algorithms been developed, are they easy to implement securely or are implementers going to continually mess it up?

See [1] and [2] for answers. Summary: Technology is not ready.

[1] https://dl.acm.org/doi/10.1145/3569420

[2] https://dl.acm.org/doi/10.1145/3779208.3785290


He's a cryptographer. You're describing cryptographers. You get that other cryptographers designed Kyber/MLKEM, and still more implemented it, right? There are cryptographers besides Daniel J. Bernstein.

I do think it's fair to make an argument that DJB's expertise in practical cryptography (both in e.g. engineering against side channel attacks as well as in publishing his own libraries) gives him a reality-minded perspective/attitude.

That said, personally speaking, his behavior as a software publisher (packaging & whatnot) is something I'd call… let's go with "subpar" and leave it at that. So while I do believe it's a fair argument, I'm not accepting it, because from my perspective he isn't putting in the necessary work to really understand software publishing.


Bernstein as a "software publisher" cannot really be compared with anyone else, because what can be considered as great flaws in comparison with others are compensated by equally great advantages.

He has published a very large quantity of open-source software, but after publication he never bothered with any kind of maintenance, which is understandable, because he went on doing other work.

On the other hand, unlike almost any other software packages, those published by him almost did not need any maintenance. The only required changes, after decades since they were written, have been caused by external changes, e.g. the continuous evolution and instability of the Linux APIs and the replacement of various IETF RFCs.

I am still using several software packages written by DJB, which have been run continuously 24/7 for more than a quarter of century, on many servers, without ever causing any kind of problems or incidents, unlike a lot of much more notorious software packages, which had various bugs despite permanent maintenance.


The problem here is that for too many people, Bernstein is one of two living cryptographers with name recognition.

Ah I see what you were trying to say. It read to me (with "He's a cryptographer. You're describing cryptographers.") like you were dismissing that knowledge about implementing and shipping cryptographic libraries is a relevant expertise (or that every cryptographer would have that, which they absolutely don't.) But, yeah, he's one among a whole bunch of experts in some of these fields and certainly shouldn't be given special weight just due to his name recognition.

Even the side channel stuff in particular --- Bernstein was certainly a popularizer of it, but that's been mainstream in cryptography research since the mid-2000s (and, obviously, it's Paul Kocher's claim to immortality).

One very big problem I have with Bernstein's recent activism is the way he writes to an audience you can just very clearly tell he thinks little of. He's assuming everybody who pays attention to this stuff has paid basically no attention at all to any cryptography he himself didn't write about. It's a bad argument, but that's not my big issue; my big issue is that he's making fools of his supporters. Not OK.


"two timing leaks, KyberSlash1 and KyberSlash2, in every official reference Kyber implementation from 2017 through late 2023"

Cryptographers can be good, bad, be more or less knowledgeable about applied cryptography, and possibly have agendas.


Huh, seen through that light, it's much clearer why we should all have ECC in our cryptosystems, because nothing has ever gone wrong with an ECC implementation.

We do all have ECC in our cryptosystems right now, and given how long it's been there, we can rely on its security much more than something new.

So clearly when I go look back at the archives of Bernstein discussing 25519, I'm going to see him advocating for FFDH/25519 cascades, right?

(If my subtext wasn't clear, by the way: the implementation history of ECC is godawful.)


Was FFDH considered safe?

> the implementation history of ECC is godawful

You do know that new cryptographic code can be godawful, then?


This reads to me as an argument of "If you thought ECDSA was bad, wait until you see MLKEM?"

ECDSA history is repeating itself again when you consider how poorly the proposed MLKEM RFC deals with side channel resistance:

From draft-ietf-tls-mlkem-8:[1]

"Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers."

From NIST SP 800-227:[2]

"Cryptographic modules for KEMs should be designed with appropriate countermeasures against side-channel attacks. This includes protecting against timing attacks with constant-time implementations and protecting memory from leakage. Universal guidelines are unlikely to be helpful as exposure to side-channel attacks varies significantly with the desired application, and countermeasures are often costly."

MLKEM is more complex and has more chances of stuff-ups in implementation than ECDSA did. A single sentence of encouragement is all that is on offer from this MLKEM RFC. It doesn't even have the lightweight "Security Considerations" section which RFC8032 for EdDSA provided.[3]

As a point of reference for how hard it is to implement side channel resistant MLKEM see [4] (formal verification) and [5] (errors in formal verification). The MLKEM RFC doesn't offer a "Security Considerations" section to explain how difficult it is to implement side channel resistant MLKEM (perhaps it's easy :S), and if it were hard to implement, to recommend use of EdDSA+MLKEM for cryptography implemented on devices an attacker may be able to physically access, or when used on public networks as a workaround given that side channel resistant EdDSA would be easier to implement.

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

[3] https://www.rfc-editor.org/info/rfc8032/#section-8.1

[4] https://github.com/pq-code-package/mlkem-native/tree/main/pr...

[5] https://eprint.iacr.org/2026/192

edit: added reference 5


> A single sentence of encouragement is all that is on offer from this MLKEM RFC.

The draft only specifies the MLKEM binding into TLS; it'd be out of scope for it to go into detail on implementation considerations for MLKEM. Those would belong in or adjacent to FIPS 203 (the actual MLKEM specification).

> It doesn't even have the lightweight "Security Considerations" section which RFC8032 for EdDSA provided.[3]

It's actually RFC8032 that this criticism would apply to, since it is actually specifying EdDSA, not just referencing it externally.


The draft considers FIPS 203 to be normative. Therefore FIPS 203 forms part of this draft. You can't implement this draft without first implementing FIPS 203.

FIPS 203 doesn't care about side channel resistance, per my other comment at [1]. And this draft doesn't do anything to tighten the constraints on how FIPS 203 should be implemented to provide side channel resistance.

[1] https://news.ycombinator.com/item?id=48811887


Not all cryptographers (and cryptography standards) care about real world implementation, or have the same use cases in mind for their cryptography algorithms and protocols. Almost every cryptography standard in common use treats side channel resistance as an optional after-thought for implementers. This might be fine for some users, for example, the US government, because they generally don't implement cryptography on systems an attacker would have physical access to, and don't use cryptography protocols on public networks. For these users, having maximum performance at the expense of side channel resistance might be the best trade-off to make.

For most users however, side channel resistance is a very important property that shouldn't be considered an optional after-thought. If standards bodies made it mandatory to consider side channel resistance when standardising cryptography schemes, the choice of what scheme(s) to standardise could look quite different, and thus general use of cryptography would have improved security by default. If some types of users don't care about side channel resistance, then great, make use of non-side-channel-resistant cryptography optional for them to use. Don't standardise it the other way around.

For example:

FIPS 186-5 sB.1 states: "Other (constant time) algorithms that produce an equivalent result may be used."[1]

NIST SP 800-186 sE.4 states: "If one is concerned about side-channel leakage, one should compute the inverse using a constant-time algorithm."[2]

RFC 8032 s8.1 states: "Note that the example implementations in this document do not attempt to be side-channel silent."[3]

A better standard may, for example, _require_ [4] be implemented in order for an implementation to claim conformance with the standard. Not as an optional after-thought. If there are users wanting to trade off side channel resistance for performance gains, then write a new standard to that effect and remove the requirement to implement [4].

A better standardisation process may, for example, only accept candidate algorithms _if_ they are side channel resistant. This opens up the standard to as many use cases as possible. No cutting corners to pretend performance is better for one implementation because it trades off side channel resistance for performance, and no pretending side channel sensitive use cases don't exist.

[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

[3] https://www.rfc-editor.org/info/rfc8032/#section-8.1

[4] https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplic...


I, for one, wouldn't care if Kanye West or his aunt or her neigbours dog came up with a good encryption algo. If it's good, it's good no matter who wrote it. Appeals to authority or the lack thereof draws attention away from the technical debate.

Unfortunately, that's not how modern crypto works. Many mathematical problems on which algorithm rests their security are not proven to be unsolvable, but instead they're believed to be hard to solve. So here are the questions, who believes what is hard, and hard for whom.

Somehow I wouldn't trust my data on mathematical problems, for which the recommendation is that they would challenge Kayne West.


I certainly find it fascinating that the majority of those in favor come from signal intelligence agencies, while the majority of those against are PhD cryptographers.

I was happy to see the lead of Europe’s PQC team also voted with the cryptographers.


> nothing that's happening here has really anything to do with NSA

How can you say that???

It seems to be literally only for their claim to need it that pure MLKEM is being requested..!

A summary at https://blog.cr.yp.to/20251004-weakened.html, or just see e.g. https://keymaterial.net/2025/11/27/ml-kem-mythbusting for an opposite voice stating the same...


I might have expected you'd be once bitten twice shy after having once taking an aggressive position that DUAL-EC would never have backdoored anyone in practice...

The optionality of MLKEM by itself is of a similar shape to standardizing a lame DRBG that 'obviously' no one would use and anyone who would use would use the appendix parameter generation scheme that would have rendered it secure (although still slow). The reality of it was that once it was standardized NSA was able to secretly compel its use.

On one hand MLKEM by itself seems like a better choice than DUAL-EC, on the other hand that fact should make it much easier for a powerful attacker to cause a target to use it if you do have an attack that exploits this fact.

MLKEM was selected out of myriad other options through a NIST process which was directly influenced by NSA (including in manners that NIST failed to disclose and actively mislead the group about). I think this makes the commentary regarding NSA highly relevant. While it seems less like that NSA already knows of a total break in MLKEM (and indeed their influence could have been in a strengthening direction...) it's possible that their influence was motivated by things like that ease of undetectably compromising specific implementations through techniques like dopant adulteration or specialized side channel weaknesses.

If your plan it to tamper with chip mfgr or hit them with a very well aimed e-beam (e.g. to cause ion migration) after the fact then having a non-hybrid scheme is pretty obviously going to make your life much easier... Or perhaps they've taken a route similar to the one they took with Crypto AG-- this time positioning themselves as a fabless silicon vendor to sell MLKEM RTL to a market that doesn't have an implementation but already has many robust ECC implementations to choose from.

...and that's without getting into the unknown possibility of a cryptoanalytic breakthrough.

I don't think it's even safe to say that NSA would only consider NOBUS backdoors-- I don't think any of us can know how inadvisably arrogant the relevant decision makers may be and what they might consider NOBUS. Given how DUAL_EC went in Netscreen's products I think it's reasonable to argument that there is no such thing as a NOBUS backdoor when push comes to shove. Capping DES's key size is candidate example of a very much non-NOBUS weakness that NSA felt comfortable with, as one needed a particularly amount of strength to exploit it which they believed that only they had. Today, of course, a child's video game device can crack DES as a direct product of that part of their influence.

Not a great track record when fear of "store and decrypt later" attacks is much of what motivates the use of PQ key agreement today.

The consistent aggression five-eyes affiliated cryptographic-intelligence groups have had for hybrid schemes is truly difficult to comprehend-- given that practically everyone else considers them obviously prudent in all cases where the resource costs permit -- and I think this justifies the utmost concern and caution. And in terms of caution hybrid schemes are table stakes.

A major theme of DJB's cryptographic security advocacy is that cryptographic security is often as much about what you don't offer as it is what you do. A completently engineered security product is misuse resistant and it's not completely clear to me that a standard which offers the choice of a non-hybrid mlkem qualifies as misuse resistant.

That said, there are plenty of drafts that are in no way misuse resistant. :)


None of this makes any sense once you understand that NSA had no hand in designing MLKEM, or in shaping the LWE research that led to it. NSA designed Dual-EC. MLKEM won an open competition; its entrants are among the most reputable cryptographers in the world.

it's worth clarifying that its entrants were all qualified, and 2 other essentially identical schemes, namely New Hope and Saber, made it very deep into the NIST competition.

All 3 (roughly) took the approach of

1. take the obvious best design, and

2. tweak various internal design knobs you have access to, and

3. that's pretty much it.

So they differ in the internal design knobs they chose. But the fact that 3 independent teams all created something substantially similar to ML-KEM should be an indication of how much harder it would be for the NSA to be behind it.


Post selection is also design. Evolution by natural (or artificial, for that matter) selection works by post-selection.

I'm happy to agree that it affords much less degrees of freedom than original design, but the irrelevance argument depends on no influence rather than a lack of absolute influence.


I'd call this an instance of the genetic fallacy, but it's even less tethered to reason than that.

[flagged]


You’re being rude, which wouldn’t be good even if you weren’t wrong on all three counts. This is not contriving positively.

(Consider the difference between extensive peer-review and “appeal to authority”, not to mention the IETF’s dual role encouraging research along with mainstream deployments)


I have edited my post to remove the rude acronym. Thank you for your feedback.

I do not think the response addresses the claims made, and uses logical fallacies in place of a well reasoned response.

> a team of highly-regarded European academic cryptographers

This is absolutely an appeal to authority.


They didn’t get MLKEM deployed by saying “I’m a professor of computer science at $UNI, do it!” but by working within the community for many years and going through an elaborate review and standardization process with extensive peer review and public comment. That’s not infallible but it’s misleading to talk about it as if it’s the same as the U.S. federal government (a real capital-A authority) mandating it.

This matters because academic reputation is so important in the field: none of these people can force even their own universities to adopt something and if you say they pushed something through covertly you’re making a really serious claim about a core professional trait which reflects not only on them but also many of their colleagues who reviewed and supported that proposal, and that should have evidence that this was bulled through rather than simply asserting it.


Correct. The argument is not about the deployment or the technical quality of MLKEM. Pretending it is, is an appeal to authority, and is moving the goal posts from the actual argument.

DJB has orchestrated a vote rigging campaign against this WGLC, encouraging users to join the list and vote/express their opinion and providing the exact subject header to use. Have any other sides been saying, essentially, just join the group and say you’re for/against?

He’s been moderated during the last call because of his email disclaimer/footnote, and apparently refuses to respond on list during this time. Seems like he’s playing a few steps ahead where he can (yet again) cry foul on the system and cry foul on vote rigging. Despite him being a key instigator. I’ve already seen at least one poster reference a RFC explaining how IETF consensus works and how its not a pure numbers game (5 for and 100 against can still be consensus, depending on the circumstances; the inverse also applies).

What’s his next step if the authors publish as an information RFC? He can’t stop that, right?


> What’s his next step if the authors publish as an information RFC? He can’t stop that, right?

This is a slightly complicated question. There are several main routes to an Informational RFC.

* Through the IETF Stream, either through the Working Group (what is happening now) or via sponsorship by an Area Director. The former is what is happening now (this document is not up for Proposed Standard). I don't think the latter is likely to happen if TLS WG decides not to publish. If the TLS WG does decide to publish, then there are a number of steps afterward (AD review, IETF Last Call, IESG Review), plus potential avenues for appeal at some of these stages.

* Through the Independent Submissions Editor (ISE) (though in another comment wbl says that the ISE is not going to publish cryptography standards https://news.ycombinator.com/item?id=48812844). This is essentially at the sole discretion of the ISE and can't be appealed.

In either case, if the document makes it through all these gates and is eventually published as an RFC, then that's pretty much it, as RFCs aren't changed once published.


Thanks for the clarification. It’s a bit of a shame as going via ISE would have let the group move onto other endeavours. Maybe people will just refer to the draft name and that’s that.

> …information RFC? He can’t stop that, right?

Informational RFCs still need to pass through the IETF consensus process, changing the intended status isn't a procedural bypass. However, the authors can just publish it elsewhere, it makes no difference at all for the codepoint allocations. Only distinction is that it doesn't get the somewhat intangible (but existent) "RFC sheen".


This document actually is being advanced as Informational, though there are also non-IETF Informational RFCs (see upthread).

France and Germany propose hybrid schemes as well: The german position:

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...

"The quantum-safe mechanisms recommended in this Technical Guideline are generally not yet trusted to the same extent as the established classical mechanisms, since they have not been as well studied with regard to side-channel resistance and implementation security. To ensure the long-term security of a key agreement, this Technical Guideline therefore recommends the use of a hybrid key agreement mechanism that combines a quantum-safe and a classical mechanism."

The french position, also quoting the German position:

https://cyber.gouv.fr/sites/default/files/document/follow_up...

"As outlined in the previous position paper [1], ANSSI still strongly emphasizes the necessity of hybrid wherever post-quantum mitigation is needed both in the short and medium term. Indeed, even if the post-quantum algorithms have gained a lot of attention, they are still not mature enough to solely ensure the security"


The IETF already has a standard hybrid scheme and it's what everybody already uses. That's not what this is about.

This post was pretty technical. Let's explain a couple of terms:

ML-KEM -- Module-Lattice-Based Key-Encapsulation Mechanism

ML-DSA -- Module-Lattice-Based Digital Signature Algorithm

solo PQ -- Using post-quantum crypto on its own

ECC+PQ -- Using post-quantum crypto as a layer on top of traditional elliptical curve cryptography (ECC)

So what's at stake here, is that the PQ crypto is not proven yet, and had recent implementation vulnerabilities (Kyberslash 1 & 2).

In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc. Perhaps they know something we don't. They have sometimes acted to strengthen public cryptography, as with the DES S-boxes and differential cryptanalysis. Of course, they also weakened the key-space...


1. Kyberslash is mostly marketing. Some implementations (including the Kyber reference implementation, but *not* including the Kyber AVX implementation) had a non-constant time component. This is a meaningful CVE. It is not some fundamental weakness that should cause a panic. Note that the non-constant time implementations were caught ~2 years ago, prior to any deployment. So it was a sign of everything going "as expected", not of some new fundamental issue.

2. combining the cryptosystems, in most settings, is rather low cost. I would personally recommend it as a sensible default. It is not low cost in every setting though, for example in hardware it necessitates both a SHA2 and SHA3 impl, which is fairly expensive. So while hybrids are a sensible default, I would not go as far as to attempt to "ban" use of pure ML-KEM.

3. pure ML-KEM is much more "proven" than people are discussing. The core hardness assumption dates back to 2005, and has been intensely studied (the paper introducing it got a cryptography version of a Nobel prize (Godel prize), as did several follow-up works only achievable using that hardness assumption. The essential components of ML-KEM were proposed in ~2011. An extremely similar scheme (New Hope) was deployed experimentally in a hybrid in Chrome in 2016. Very concretely, the best theoretical attacks on ML-KEM take time ~2^cn for a c that has not changed in the last ~decade. Everything is as boring as you might hope.

On essentially any reasonable measure you could ask for, things have been "stable" with ML-KEM for ~1 decade. In the intervening years, a number of academics/companies have devoted a great deal of money on things built from even more sketchy hardness assumptions (I'm discussing the things underlying Fully Homomorphic Encryption). Even these have been essentially fine (I have some personal quibbles with some assumptions used, though they are technically dense, and are not relevant to ML-KEM in the slightest). So this is to say that there are natural "easier instances" of the thing underlying ML-KEM, and there still haven't been successful attacks of those instances.

Anyway though, the question isn't "should you use pure ML-KEM rather than hybrid". I would personally suggest hybrid unless it is extremely limiting for some particular scenario (and there are scenarios, such as hardware, where it is). The question is "should we standardize how pure ML-KEM TLS works, so implementors can create interoperable implementations?".

The answer to this should (clearly) be yes. ML-KEM is boring, high-quality cryptography. If a quantum computer appeared tomorrow, and only ML-KEM protected me, I would not lose any sleep personally. Efforts to delay standardization rely on "arguments" that do not match reality in the slightest.


> pure ML-KEM is much more "proven" than people are discussing. The core hardness assumption dates back to 2005, and has been intensely studied (the paper introducing it got a cryptography version of a Nobel prize (Godel prize), as did several follow-up works only achievable using that hardness assumption.

The inventor of the lobotomy won a Nobel Prize in Medicine for it.


huh. I really wouldn't want the Nobel Prize committee in medicine doing cryptographic work then. good thing your comment has nothing to do with cryptography then :)

It's brilliant! There's no such thing as time!

> Perhaps they know something we don't

Perhaps

https://blog.cr.yp.to/20260704-bugs.html#damage


> In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc

Actually, Dr. Nadim Kobeissi formally proved that hybrid is secure, even if ML-KEM fails. [1]

[1] https://eprint.iacr.org/2026/1147


> Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES

Is this true? The NSA pushed for weaker cryptography it could break versus stronger cryptography our adversaries couldn't?


It's complicated. The federal government pushed for a smaller DES key size, but also fixed the DES s-boxes to resist differential cryptanalysis.

as mentioned it's complicated, but the general trend of the NSA pushing cryptography they can break and others can't is well-known.

https://en.wikipedia.org/wiki/NOBUS

note that there is no even candidate way the NSA would have a NOBUS-type vulnerability for ML-KEM. DUAL_EC_DRBG was known to plausibly have a NOBUS-style backdoor prior to standardization, provided you used a certain "default" generator (vs freshly generating your own). It was later discovered that the NSA payed RSA (the company) to do this.

While this payment was private, the possibility of a back door was publicly known. There are no publicly known candidate backdoors for ML-KEM. The broad design of an ML-KEM-like scheme permits one ("static" matrix A), but ML-KEM was specifically designed to make this impossible ("ephemeral" matrix A).


DJB wrote a short history of NSA’s malicious meddling in the cryptography we all use, based on a declassified internal history of the NSA.

https://blog.cr.yp.to/20220805-nsa.html


Sure. Everbody knows that

Is there anything different about this DJB mailing list brigading than the other brigading he's done?

Four days ago: https://news.ycombinator.com/item?id=48760490


By dint of not including a list of non-cryptographer cosigners, this one is prima facie somewhat less cringe.

DJB keeps calling the IETF consensus process "voting". That's detrimental to his own case; when there is a vote, the vote can be manipulated. It makes much more sense to argue there is no consensus, which should be quite obvious at this point, and which can be argued even in a "60:40" situation regardless of direction. It also avoids alienating "true IETF believers" (ed.: I am one).

Apart from that, the crux of this is the codepoint allocation in the named group registry. [https://www.iana.org/assignments/tls-parameters/tls-paramete...] The requirement for that allocation (with "recommended=N" - which is what this draft has) is "Specification Required", not "IETF consensus". "Specification" for IANA registries doesn't mean IETF documents, it means:

  […] must be documented in a permanent and readily
  available public specification, in sufficient detail so that
  interoperability between independent implementations is possible.
[https://datatracker.ietf.org/doc/html/rfc8126#section-4.6]

As such I don't understand why the authors are so intent at ramming this through the IETF process when they could just put the same document whereever. The process has been sufficiently and publicly fraught enough to destroy any "reputation" that might (or might not) come associated with it being published as IETF RFC.

[ed.: referenced wrong registry, it's named groups, not cipher suites. Makes no difference, same registration procedure.]

FTR, the only [preliminary] entry with recommended=Y for PQ crypto is:

  4588  X25519MLKEM768  Combining X25519 ECDH with ML-KEM-768  https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-mlkem-05
[ed.2: this is getting a funky spread of up & down votes, any of the downvoters mind commenting why they're downvoting?]

Adding a little color here... There are already code points registered for pure ML-KEM on the basis of the draft.

The hybrid code point you reference is "preliminary" in the sense that when the RFC for hybrid ECC/ML-KEM is published (it's already been approved, https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/), it will replace the reference in the registry. However, it will have the same code point and the same semantics. If, for some reason, the IETF were to change the semantics, a new code point would have to be assigned for interop reasons.


Actually… what would even be the result of the pure MLKEM document getting dropped by the IETF? I guess the entries would temporarily be marked deprecated or something, until another reference is made available somewhere, describing the same behavior? I'm not sure what procedural blockers this might run into but my general sense is that the IETF & IANA wouldn't "block off" the already allocated codepoints from being specified elsewhere (or allocate new duplicate codepoints) so long as the behavior is identical.

Good question.

If the document is dropped by the IETF, nothing at all would happen. It's already a valid code point registration, and indeed the authors could have just published the document, registered the code points, and stopped (see: https://datatracker.ietf.org/doc/draft-barnes-tls-this-could...).

If the authors decided to later pick up the document somewhere else, then they could probably get the reference changed to whatever that was, as long as the semantics were identical.


Thanks for the link to that amazing document!

> […] "preliminary" in the sense that when the RFC for hybrid ECC/ML-KEM is published […]

Yes, sorry, I was just covering against people nitpicking on the document status :)


The issue with saying that "there's a 60/40 split, therefore there's no consensus" is that the IETF explicitly documents that that isn't the case: RFC 7282, Section 7, "Five people for and one hundred people against might still be rough consensus" (https://datatracker.ietf.org/doc/html/rfc7282#section-7).

The working group chairs have to decide if all of the objections have been "addressed". However, "addressed" doesn't mean "fixed via changes in the document", it can also mean "debunked on the mailing list" or "dismissed out of hand as irrelevant". So your argument that there obviously isn't consensus doesn't actually hold up.


What I said was "It makes much more sense to argue there is no consensus […] can be argued even in a "60:40" situation regardless of direction".

Not "there's a 60/40 split, therefore there's no consensus".

Can be argued even in. That's a statement of allowance, not sufficiency. And I was speaking in the context of contrasting against a vote. You can't argue with a vote's tally.


Sadly, a similar myth/fallacy persists about the Wikipedia consensus process (at least the English project and others deriving policy from it.)

Participants in disputes and RFCs literally call their comments “!vote” in true hacker notation, to repeatedly and clearly emphasize that “vote count” is never a factor in the process of establishing consensus.

(Elections are, however, regularly held, and votes counted, for positions such as Administrator, and the ArbCom seats, but that’s for people, not article content.)


From the way DJB talks about IETF processes, it's quite clear to me though that he has little trust/belief in the IETF consensus process. I thought he said as much somewhere but can't find that right now. (It's particularly obvious in https://blog.cr.yp.to/20260405-votes.html)

Which is why I'm noting the alienation of "IETF believers", which I should maybe clarify I count myself as. The IETF is a lot of people doing a lot of good work. It does include a bunch of questionable actors, anything from ignorant, incompetent, ulterior motives, to outright malicious. But all in all it has brought us the internet as it exists today and I can't help feeling a little, well, alienated by DJB's writs.

[ed.:] https://blog.cr.yp.to/20251004-weakened.html#agreement says:

Anyway, IETF hasn't attempted to issue such a rule. On the contrary, IETF claims that WG decisions are not taken by voting: "Decisions within WGs, as with the broader IETF, are taken by 'rough consensus' and not by voting." This begs the question of what IETF thinks "rough consensus" means. Letting chairs make arbitrary decisions is a violation of due process.

More to the point, IETF can't override the definition of "consensus" in the law. That definition requires general agreement. Adoption of this draft was controversial, and didn't reach general agreement.

DJB making legal-ish arguments (or the idea that the IETF could be sued over a definition of "rough consensus") is absolutely inane to me. The choice of words of the IETF in defining its own processes for itself is not a legal one. And apart from that, which country's laws would that be? (I'm also quite skeptical about such a definition existing in a relevant manner to begin with.)


He famously doesn't support the IETF. In the long-long-long ago, back when I had a "home page" with my username and a tilde in it, I used to have a quote from him on it about the IETF and "ego standards". He's been picking fights like this with different IETF working groups for basically his entire career. This isn't even the first time he's picked a huge fight with IETF cryptography groups; he managed to get Kenny Paterson to publicly take him to task on the CFRG a few years back.

I, too, don't support the IETF (hence the quote on the web page, which I can't find now). But I happen to know enough about the people involved in this particular drama that I can see through his arguments here, and whether he realizes it or not, he's operating in supremely bad faith this time.


> whether he realizes it or not, he's operating in supremely bad faith this time.

I've met him in person, once, at a CCC event about a decade ago, and as someone clueless about cryptography all I can say to that is that he certainly had (has?) a my-way-or-the-highway personality.

> I, too, don't support the IETF

Out of curiosity, how would you maintain e.g. TLS? Something more academic? Raw "throw it all out there, best-wins"? Another SDO (e.g. ITU)? Other more formal international processes?


For the record, he's always been extremely nice to me, online and in person, and generous with his time.

I would maintain TLS the same way WireGuard and OpenSSH are maintained. Both have superior track records. I'm generally an opponent of all security and (especially) cryptographic standards bodies.


> I would maintain TLS the same way WireGuard and OpenSSH are maintained. Both have superior track records. I'm generally an opponent of all security and (especially) cryptographic standards bodies.

Hmm. This doesn't entirely connect for me… WireGuard and OpenSSH are first and foremost implementations. Are you implying people should follow a "primary" implementation? Does WireGuard even have a protocol specification? (searches - ah, yes, it does. I do know there have been a very number of "further" implementations [e.g. on FreeBSD], though I'm not sure if they're derivative or clean-room.)

But then isn't this just replacing IETF processes with whatever community or corporate processes those projects have? Wouldn't that just be "get shit into {the Linux kernel,OpenBSD}"? They've gotten better but both of those communities have their shortcomings. (For Linux, it's not the social interactions anymore, at this point it's the significant corporate interests.)


WireGuard in particular is both an implementation and a design, and the design effectively belongs to Jason Donenfeld.

The problem with cryptographic standards bodies is that committee-based design has a long track record of weakening protocols. Originally, part of the ethos of the IETF was that it was merely providing interop for things that were already happening; rough consensus around real implementations. But that attitude expired decades ago; things are now designed de novo in working groups.

Through a herculean effort, TLS-WG managed through that fucked process to drastically improve TLS in 1.3. It did that in part because a team of cryptographers and cryptography engineers camped on the working group and made sure the outcome was sane. And they nearly failed! Banks fought hard to try to keep static handshakes in the new version, so they could do compliance intercepts.

Unfortunately, fully documenting PQC cryptography isn't as glamorous a task as defining the next generation's version of TLS. And yet, we've got a somewhat diverse team of cryptographers on the working group lined up against Bernstein on this.


He makes the legal argument in more detail in https://blog.cr.yp.to/20251004-weakened.html#standards

The gist of it is that standards organizations like the IETF depend on a specific carve-out in US antitrust law (in order for it to be legal for American companies like Cisco and Google to participate in them), and that carve-out includes a specific definition of what "standards organizations" and "consensus" are. So even if the IETF uses different words to describe its processes, those processes still have to comply with the legal definition that separates a "standards organization" from, like, an illegal cartel.


I can't help but note two things:

* the IETF's approach predates 15 U.S.C. §4302 by more than a decade

* every single case example cited is US-American scoped¹ SDOs: American Society of Mechanical Engineers, National Fire Protection Association, American National Standards Institute²

¹ NB scope ≠ legal domicile. The IETF's legal status is… complicated… but does have US dependencies. Its scope is world-wide though. Not so for any of the mentioned entities, even if…

² …ANSI is a borderline case since it is the constituent ISO member. But still, it's the US entity.

I'm not trying to make a legal argument here, but… I'll say he shouldn't be trying to do that either. Most mathematicians and CS majors make very poor lawyers in any case, and often enough without any awareness of it.


There is a small and noisy contingent here that never fails to get bent about community driven projects accusing them of bias and insinuating that there is some kind of shadowy cabal running things and it would be hilarious if the reasons for it weren’t so transparent. Also those people are 100 percent MAGA

If a US three letter agency recommends it, I don't want it.

the NSA also recommends elliptic curve cryptography, and designed SHA2 themselves. if you want we can talk through how to disable all of these ciphersuites, so you can be stuck with a bunch of shitty stuff from the 90s and feel warm and fuzzy about it.

Didn't the FDA used to recommend pasteurizing milk?

To those who say that approving or not this RFC won't make any difference:

«- Liaisons: We received liaison statements from multiple SDOs including O-RAN[2], IEEE 802.11[4] and from 3GPP[3] expressing support for the publication of draft-ietf-tls-mlkem as an RFC as they rely on the IETF to provide a stable normative reference»

(https://mailarchive.ietf.org/arch/msg/tls/ol2otAvtdDrdz_xY0_...)


Highly recommended reading for effectively understanding the behavior patterns of bad-faith participants in such exchanges: https://www.scribd.com/document/345154863/Guide-to-Forum-Spi...

If the link goes down, the content is available in many other places across the web under the title "The Gentleman's Guide To Forum Spies (spooks, feds, etc.)"


From the other direction, the ITU-T has a highly regarded presentation on how to actually work with consensus procedures & establish said consensus:

https://www.itu.int/en/ITU-T/tutorials/202203/Documents/Rein...


  MLKEM wasn't designed by NSA, but rather by a team of highly-regarded European academic cryptographers, including Bernstein's former collaborator Peter Schwabe
As you know, teams are vulnerable to infiltration and individuals to compromise. Corruption often stems from various motives, including ideology

that's really not possible for ML-KEM. They took a well-known "boring" design, and tweaked certain internal sub-components of it. Their tweaks were good, and their analysis/exposition of it were good. So they deserve to win. But there were many essentially identical schemes (e.g. Saber and New Hope are essentially the same as ML-KEM).

To infiltrate/compromise ML-KEM, then NSA would need to do something like

1. corrupt some europeans for the literal submission, and

2. corrupt the competing submissions, which are substantially similar, and

3. corrupt the entirety of the cryptographic community so they miss a flaw in the (extremely simple tbh) 2011 paper htat kicked off hte design.

If a conspiracy requires corrupting a single person it's plausible. ML-KEM being intentionally weakend by the NSA would quite literally require corrupting like 100+ different people in different countries. it makes no sense.


if i were the nsa, I'd have spent all my research money on attacking ecc+pq, because 1. no self respecting security engineer would deploy bare pq (see cloudflare), 2. no phd research team would attack the combination (well, not before until it's too late) because that's harder than a phd requires (they will target solo pq or solo ecc). 3. it's much easier to "sell". q.e.d. this article.

Probably not. It's been ~13 years when Snowden said what the NSA is doing is going around the encryption by hacking endpoints. Post quantum cryptography doesn't change any of that. You can still lift TLS keys with exploits for transparent MITM. I'd imagine it's much better ROI to look for vulnerabilities with Mythos, than to attack the algorithms.

> is going around the encryption by hacking endpoints

Because they weren't (supposedly) able to break the encryption

> than to attack the algorithms

You have an opportunity to introduce new, broken, algorithms; they exploited it with DES, tried to exploit it with ECC, why wouldn't they try it with post-quantum (which they've kind of been pushing)?


This is completely backwards. The more cryptography-literate you are, the more likely it is you think hybrids are silly. Plenty of cryptographers think this is all bullshit, and that ECC+MLKEM makes about as much sense as an AES+Serpent cascade. It is simultaneously the case that MLKEM is far less mysterious than programmers on message boards think it is, and that conventional ECC and finite field cryptography is much more mysterious and spooky than they think it is.

(I'm only somewhat cryptography-literate and so I would myself default to a hybrid, though that opinion might change the first time I bother banging together an MLKEM implementation.)


> The more cryptography-literate you are, the more likely it is you think hybrids are silly

You are if you're considering a cypher that's extremely likely to be secure.

In this case we're ok to introduce something with a chance to be quantum-resistant before it's been studied enough, because we want a chance of being quantum-resistant soon.

But that's only ok if you add it to the existing, reliable, systems.

Were there not the issue of quantum computers we wouldn't even be considering to use different cyphers at this time.


It's "cipher". But we're not talking about ciphers; we're talking about key establishment algorithms.

It's cypher in British English.

Exercise for the reader (out of genuine interest): find the most important cryptographic paper published in the last 15 years that uses the British spelling.

Isn't it true that OED say that "cipher" is the primary, preferred spelling in modern British English?

Ok, yes, replace "cypher" with cryptographic primitive.

Maybe I said cypher for the AES+Serpent mention (and because I like cyberpunk xD)


Disappointed that there is not more discussion about this as this looks to be a slow march to the government getting its way with a technology that will affect so many.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: