In October cryptologist/CS professor Daniel J. Bernstein alleged that America's National Security
Agency (and its UK counterpart GCHQ) were attempting to influence NIST to adopt weaker post-quantum cryptography
standards without a "hybrid" approach that would've also included pre-quantum ECC.
Bernstein is of the opinion that "Given how
many post-quantum proposals have been broken and the continuing flood of side-channel attacks, any competent engineering evaluation will conclude that
the best way to deploy post-quantum [PQ] encryption for TLS, and for the Internet more broadly, is as double encryption: post-quantum cryptography on top of ECC." But
he says he's seen it playing out differently:
By 2013, NSA had a quarter-billion-dollar-a-year
budget to "covertly influence and/or overtly leverage"
systems to "make the systems in question exploitable"; in
particular, to "influence policies, standards and specification
for commercial public key technologies". NSA is quietly
using stronger cryptography for the data it cares about, but
meanwhile is spending money to promote a market for weakened
cryptography, the same way that it successfully created decades of
security failures by building up the market for, e.g., 40-bit
RC4 and 512-bit
RSA and Dual EC.
I looked concretely at what was happening in IETF's
TLS working group, compared to the consensus
requirements for standards-development organizations. I reviewed
how a call for "adoption" of an NSA-driven specification produced a variety of objections that weren't
handled properly. ("Adoption" is a preliminary step before IETF standardization....) On 5 November 2025, the chairs issued "last call" for objections to publication of the document. The deadline for input is "2025-11-26", this coming Wednesday.
Bernstein also shares concerns about how the Internet Engineering Task Force is handling the discussion, and argues that the document is even "out of scope" for the
IETF TLS working group
This document doesn't serve any of the official goals in the TLS working group charter. Most importantly, this document is directly contrary to the "improve security" goal, so it would violate the charter even if it contributed to another goal... Half of the PQ proposals submitted to NIST in 2017 have been broken already... often with attacks having sufficiently low cost to demonstrate on
readily available computer equipment. Further PQ software has been broken by implementation issues such as side-channel attacks.
He's also concerned about how that discussion is being handled:
On 17 October 2025, they posted a "Notice of Moderation for Postings by D. J. Bernstein" saying that they would "moderate the postings of D. J. Bernstein for 30 days due to disruptive behavior effective immediately" and specifically that my postings "will be held for moderation and after confirmation by the TLS Chairs of being on topic and not disruptive, will be released to the list"...
I didn't send anything to the IETF TLS mailing list for 30 days after that. Yesterday [November 22nd] I finished writing up my new objection and sent that in. And, gee, after more than 24 hours it still hasn't appeared... Presumably the chairs "forgot" to flip the censorship button off after 30 days.
Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
Agency (and its UK counterpart GCHQ) were attempting to influence NIST to adopt weaker post-quantum cryptography
standards without a "hybrid" approach that would've also included pre-quantum ECC.
Bernstein is of the opinion that "Given how
many post-quantum proposals have been broken and the continuing flood of side-channel attacks, any competent engineering evaluation will conclude that
the best way to deploy post-quantum [PQ] encryption for TLS, and for the Internet more broadly, is as double encryption: post-quantum cryptography on top of ECC." But
he says he's seen it playing out differently:
By 2013, NSA had a quarter-billion-dollar-a-year
budget to "covertly influence and/or overtly leverage"
systems to "make the systems in question exploitable"; in
particular, to "influence policies, standards and specification
for commercial public key technologies". NSA is quietly
using stronger cryptography for the data it cares about, but
meanwhile is spending money to promote a market for weakened
cryptography, the same way that it successfully created decades of
security failures by building up the market for, e.g., 40-bit
RC4 and 512-bit
RSA and Dual EC.
I looked concretely at what was happening in IETF's
TLS working group, compared to the consensus
requirements for standards-development organizations. I reviewed
how a call for "adoption" of an NSA-driven specification produced a variety of objections that weren't
handled properly. ("Adoption" is a preliminary step before IETF standardization....) On 5 November 2025, the chairs issued "last call" for objections to publication of the document. The deadline for input is "2025-11-26", this coming Wednesday.
Bernstein also shares concerns about how the Internet Engineering Task Force is handling the discussion, and argues that the document is even "out of scope" for the
IETF TLS working group
This document doesn't serve any of the official goals in the TLS working group charter. Most importantly, this document is directly contrary to the "improve security" goal, so it would violate the charter even if it contributed to another goal... Half of the PQ proposals submitted to NIST in 2017 have been broken already... often with attacks having sufficiently low cost to demonstrate on
readily available computer equipment. Further PQ software has been broken by implementation issues such as side-channel attacks.
He's also concerned about how that discussion is being handled:
On 17 October 2025, they posted a "Notice of Moderation for Postings by D. J. Bernstein" saying that they would "moderate the postings of D. J. Bernstein for 30 days due to disruptive behavior effective immediately" and specifically that my postings "will be held for moderation and after confirmation by the TLS Chairs of being on topic and not disruptive, will be released to the list"...
I didn't send anything to the IETF TLS mailing list for 30 days after that. Yesterday [November 22nd] I finished writing up my new objection and sent that in. And, gee, after more than 24 hours it still hasn't appeared... Presumably the chairs "forgot" to flip the censorship button off after 30 days.
Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
Read more of this story at Slashdot.
/s3/static.nrc.nl/wp-content/uploads/2025/11/23223414/231125SPO_2024482592_Calgary02.jpg)