

Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography (cr.yp.to) 38
Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards.
Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...")
"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...
[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]
What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.
This seems to be a speculative scenario. But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt."
He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place."
Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
Yes, NSA is pushing against hybrids (Score:5, Informative)
Re:Yes, NSA is pushing against hybrids (Score:5, Informative)
PQ Hybrids, while inefficient, are designed to both defend against QC and traditional attacks by layering traditional and PQ algorithms. Thinking behind it is that PQ algorithms may have yet to be discovered traditional compute weaknesses.
Or, worse, may have weaknesses that have been discovered, but have not been disclosed.
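The layering the comment above describes can be shown concretely with a key-derivation combiner. The following is an added example, not code from the Slashdot post, from Bernstein's blog, or from any TLS implementation: it concatenates a classical (ECDH) shared secret and a PQ KEM shared secret and runs them through HKDF, the same concatenate-then-derive idea the IETF hybrid design draft uses for TLS 1.3. It then models an attacker who has broken zero, one or both components and checks whether they can reproduce the traffic key. The ECDH and ML-KEM shared secrets, the transcript hash and the HKDF labels are constructed placeholders, not outputs of real key exchanges.

```python
"""Added example: why an ECC+PQ hybrid survives a break of either component
while a PQ-only derivation does not.

Assumptions (all constructed for the demo): the ECDH and ML-KEM shared
secrets are fixed 32-byte strings rather than real key-exchange outputs,
the transcript hash is a placeholder, and HKDF-SHA256 stands in for the
TLS 1.3 key schedule."""
import hashlib
import hmac

# Constructed sample values standing in for real key-exchange outputs.
ECDH_SS = hashlib.sha256(b"constructed X25519 shared secret").digest()
PQ_SS = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()
# Stand-in for "the attacker does not know this secret": a fixed wrong value.
UNKNOWN = b"\x00" * 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(shared_secrets: list, transcript: bytes) -> bytes:
    """Combine one or more fixed-length shared secrets into a 32-byte key.

    Concatenation is unambiguous here because every secret is 32 bytes.
    HKDF makes the output depend on every input byte, so an attacker must
    know all of the secrets to reproduce the key."""
    prk = hkdf_extract(b"\x00" * 32, b"".join(shared_secrets))
    return hkdf_expand(prk, b"demo traffic key" + transcript, 32)


def hybrid_key(ecdh_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """ECDH+PQ hybrid: both secrets feed the derivation."""
    return derive_key([ecdh_ss, pq_ss], transcript)


def pq_only_key(pq_ss: bytes, transcript: bytes) -> bytes:
    """Non-hybrid: only the PQ KEM secret feeds the derivation."""
    return derive_key([pq_ss], transcript)


def attacker_recovers_key(mode: str, knows_ecdh: bool, knows_pq: bool) -> bool:
    """Model an attacker who has broken zero, one or both components.

    They derive the key from the secrets they hold (a wrong value for the
    rest) and succeed only if the result equals the honest parties' key."""
    ecdh_guess = ECDH_SS if knows_ecdh else UNKNOWN
    pq_guess = PQ_SS if knows_pq else UNKNOWN
    if mode == "hybrid":
        real = hybrid_key(ECDH_SS, PQ_SS, TRANSCRIPT)
        attempt = hybrid_key(ecdh_guess, pq_guess, TRANSCRIPT)
    elif mode == "pq-only":
        real = pq_only_key(PQ_SS, TRANSCRIPT)
        attempt = pq_only_key(pq_guess, TRANSCRIPT)
    else:
        raise ValueError("mode must be 'hybrid' or 'pq-only'")
    return hmac.compare_digest(real, attempt)


def component_break_outcomes() -> dict:
    """Summarize which component breaks leak the traffic key in each mode."""
    return {
        "pq-only, PQ broken": attacker_recovers_key("pq-only", False, True),
        "hybrid, PQ broken": attacker_recovers_key("hybrid", False, True),
        "hybrid, ECDH broken": attacker_recovers_key("hybrid", True, False),
        "hybrid, both broken": attacker_recovers_key("hybrid", True, True),
    }


if __name__ == "__main__":
    for case, leaked in component_break_outcomes().items():
        print(f"{case}: {'key recovered' if leaked else 'key safe'}")
```

Running it shows the point of the comment: a PQ-only derivation leaks the key as soon as the PQ component is broken, whereas the hybrid key is only recovered when both the ECDH and the PQ component fall. The cost of the hybrid is one extra key-exchange message and a slightly longer HKDF input, which is the "inefficiency" referred to above.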
Re: (Score:2)
The other thing is that they are not really that inefficient. It likely does not matter at all in the greater scheme of things and is just another fake "argument" being pushed.
Re: (Score:2)
Last time I checked Wireguard was much faster than OpenVPN, but it's a moot point.
TBH, I don't think I ever noticed a difference while sitting in front of a screen.... it makes little difference with the horsepower available.
apologies for mixed metaphor
Microsoft is chewing up tons of cpu cycles to surveil you. I don't hear anyone bellyaching about that.. for some reason
Re: (Score:2)
Thanks.
Re: (Score:2)
ECC if you don't use NSA's backdoored shitty curves can be very efficient.
Re: (Score:2)
A question for people familiar with cryptology (Score:4, Informative)
Re: (Score:3, Informative)
Is my assumption incorrect that a QC could be made to crack the older encryption methods?
If a more powerful quantum computer can be built, then it could do that. But there's no evidence thus far that an actually useful one can be built.
Re:A question for people familiar with cryptology (Score:4)
Re: (Score:2)
Very likely not. The sheer volume would prevent that. Also, if they have all transactions from TOR, they can do other pretty bad attacks. There is no indication they are even remotely on that level. They may occasionally, with high effort, have something when they know both endpoints, but even that may not work out. It seems all the takedowns of TOR servers that were done come back to rather conventional vulnerabilities in the applications being run there.
Re: (Score:3)
Unlock all interactions? No. Unlocking a specific interaction? Maybe.
For common uses (like the public web), the most likely approach to decrypting a specific interaction is to break the RSA (cert-based) on the outside and then the Diffie-Hellman (ephemeral per-transaction) on the inside, then recover the symmetric encryption key to decrypt the rest of the conversation. But this is not trivial, and it requires more work than to just toss the transaction into the quantum computer.
The ephemeral layer is where
Re: A question for people familiar with cryptology (Score:3)
A QC running Shor's (or similar) might be able to crack public key crypto. But, ephemeral connections use symmetric encryption (i.e. AES). This is not believed to be QC crackable.
If the key is generated ephemerally for each conversation (DH or ML-KEM), each conversation would need to be cracked individually. It's called forward secrecy.
counterpoint (Score:4, Informative)
Re: (Score:2)
In that paper Gutmann argues that the experimental support for the notion that quantum can reverse 2 factors is zero, alongside time travel, FTL movement, and the Star Trek transporter, while also pointing out that nearly half of all NIST PQC candidates have been broken and that every other new PKC came with decades of vulnerabilities and attacks.
That doesn't seem like a counterpoint. It seems like a more detailed explanation for the NSA's motive to keep more systems PQ only.
Re: (Score:3)
This is pretty silly. There's also zero experimental evidence that RSA with a key longer than 829 bits can be broken, but we all use 2048 anyway. There's theoretical evidence for both that and quantum factoring, which there is not (quite the contrary) for time travel, FTL and transporters.
Personally I don't think anybody will build a
Yes, but where is RSA today? (Score:2)
The problem isn't building a QC that can crack 2048-bit RSA. That is actually hard. The problem is that building a QC that can crack 128-bit ECC is comparatively a cakewalk.
If current crypto was still using RSA, I wouldn't worry about PQ. But it's not. Besides a few TLS certificates, you have a hard time finding RSA anywhere now. You can't even force SSH to use RSA for anything except a host key.
The funny thing is that of all classic PKC currently in use, the one which was presented as being the most vu
Re: (Score:2)
"The problem isn't building a QC that can crack 2048-bit RSA. That is actually hard. The problem is that building a QC that can crack 128-bit ECC is comparatively a cakewalk."
And currently we are about as close to either as I am to sending myself into lunar orbit with farts.
Re: (Score:2)
"There's also zero experimental evidence that RSA with a key longer than 829 bits can be broken, but we all use 2048 anyway."
Not exactly apples-to-apples. That's like saying there is no experimental evidence that an addition problem with n+1 digits where n is the most anyone has bothered to actually add can be performed. It's the same operation performed for more steps with no known impediment to performing those steps other than taking the time. The burden of proof would be on the person claiming it was so
Re: (Score:2)
Besides my statement being just as true as the one I quoted, it is indeed "apples-to-apples."
You can break factoring-based public key encryption with quantum computers, just like you can do with classical computers. Both problems are scaling up. Both problems have possible fundamental limits in the way of scaling
Re: (Score:3)
Not actually. Gutmann says PQ does not matter. That is very likely correct. It would mean however that the NSA very likely knows this and uses PQ as an attack vector against crypto it cannot work. DJB says to make sure any encryption also includes what is known to be secure when QCs are not a factor.
These points are really not at odds with each other.
Post-quantum? (Score:3, Funny)
So quantum cryptography has already run its course and we've moved on past it? There must be a gap in my timeline. Perhaps my mind was entangled.
Re: (Score:3)
So quantum cryptography has already run its course and we've moved on past it? There must be a gap in my timeline. Perhaps my mind was entangled.
The discussion is about quantum computers for cracking cryptography, not about using quantum methods to encrypt. Post-quantum cryptography means cryptography that is not easily susceptible to cracking using a (as yet unrealized) quantum computer.
Re: (Score:2)
Yes, I know what it means. I'm poking fun at the English, which doesn't really match the meaning.
this has happened before (Score:2)
anyone remember the Dual_EC_DRBG controversy?
Re: (Score:2)
Yes, and IIRC in the '90s/early 2000s they recommended a lower grade of AES for civilian vs. military use. And more recently, there was the TrustCor debacle. [slashdot.org]
If the NSA can get the non-hybrid PQ algorithm to be the standard for future versions of TLS that would be the NSA's biggest ever win in cryptography standards sabotage. The level of danger they're willing to heap on all non-military communications again raises the question of whether they think their foreign adversaries are massively inept compared to
DJB's code (Score:2)
A long time ago I had a chat with someone who had looked at the source code for qmail and djbdns and the takeaway was that all DJB's code is post-quantum
Just the usual enemies of freedom at work (Score:2)
Same old, same old, nothing to see here.
DJB's Not Wrong (Score:2)
In the US, the push for non hybrid is all coming from the NSA.
The NIST people know this but can't say it publicly.
There was a pretty much unanimous consensus for hybrid schemes at the most recent ICMC.
I've been saying this since it became a thing which was pretty much at the last ICMC where NIST announced the deprecation of hybrid schemes.
What are the odds that they have a classical break of ML-KEM, or ML-DSA? SIKE was a finalist and fell to a classical attack.
This is the Dual-EC-DRBG all over again. It's good
Who would have thought it? (Score:2)
The no-shit-sherlock department has been getting a real workout lately...
Sigh (Score:2)
Nothing ever changes (Score:2)
I said they would push for PQ only years ago when the hybrid schemes first came out. The IETF's concept of "rough consensus" is supposed to be tied to technical merit rather than mere votes:
https://www.rfc-editor.org/rfc... [rfc-editor.org]
IETF seems to be following a path resembling the UN, where it merely exists as a forum for those with power to communicate.
What will be the excuse this time? (Score:2)
They went from "nothing to see here" for DUAL_EC_DRBG, to "dog ate my homework" for ECC curves ... what outlandish excuse will they have for their really not a backdoor, pinky promise, constants this time?
Even the NSA wouldn't gamble on being the only ones able to crack it, so it will be some constant encoding a de facto public key yet again, like usual.
As the Talking Heads said... (Score:2)
Same as it ever was.
If true, then the NSA isn't that influential (Score:1)