Cryptologist DJB Criticizes Push to Finalize Non-Hybrid Security for Post-Quantum Cryptography (cr.yp.to)
In October cryptologist/CS professor Daniel J. Bernstein alleged that America's National Security
Agency (and its UK counterpart GCHQ) were attempting to influence NIST to adopt weaker post-quantum cryptography
standards without a "hybrid" approach that would've also included pre-quantum ECC.
Bernstein is of the opinion that "Given how many post-quantum proposals have been broken and the continuing flood of side-channel attacks, any competent engineering evaluation will conclude that the best way to deploy post-quantum [PQ] encryption for TLS, and for the Internet more broadly, is as double encryption: post-quantum cryptography on top of ECC." But he says he's seen it playing out differently:

"By 2013, NSA had a quarter-billion-dollar-a-year budget to 'covertly influence and/or overtly leverage' systems to 'make the systems in question exploitable'; in particular, to 'influence policies, standards and specification for commercial public key technologies'. NSA is quietly using stronger cryptography for the data it cares about, but meanwhile is spending money to promote a market for weakened cryptography, the same way that it successfully created decades of security failures by building up the market for, e.g., 40-bit RC4 and 512-bit RSA and Dual EC.

I looked concretely at what was happening in IETF's TLS working group, compared to the consensus requirements for standards-development organizations. I reviewed how a call for 'adoption' of an NSA-driven specification produced a variety of objections that weren't handled properly. ('Adoption' is a preliminary step before IETF standardization....) On 5 November 2025, the chairs issued 'last call' for objections to publication of the document. The deadline for input is '2025-11-26', this coming Wednesday."
Bernstein also shares concerns about how the Internet Engineering Task Force is handling the discussion, and argues that the document is even "out of scope" for the IETF TLS working group: "This document doesn't serve any of the official goals in the TLS working group charter. Most importantly, this document is directly contrary to the 'improve security' goal, so it would violate the charter even if it contributed to another goal... Half of the PQ proposals submitted to NIST in 2017 have been broken already... often with attacks having sufficiently low cost to demonstrate on readily available computer equipment. Further PQ software has been broken by implementation issues such as side-channel attacks."
He's also concerned about how that discussion is being handled: "On 17 October 2025, they posted a 'Notice of Moderation for Postings by D. J. Bernstein' saying that they would 'moderate the postings of D. J. Bernstein for 30 days due to disruptive behavior effective immediately' and specifically that my postings 'will be held for moderation and after confirmation by the TLS Chairs of being on topic and not disruptive, will be released to the list'...

I didn't send anything to the IETF TLS mailing list for 30 days after that. Yesterday [November 22nd] I finished writing up my new objection and sent that in. And, gee, after more than 24 hours it still hasn't appeared... Presumably the chairs 'forgot' to flip the censorship button off after 30 days."
Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
This looks like Season 2 of Dual_EC_DRBG (Score:2)
This Is What Happens (Score:3)
This is what happens when bureaucratic control is more important than knowledge and expertise.
It must be maddening for DJB.
Worse than you think (Score:2, Informative)
Re: Worse than you think (Score:1)
National Insecurity Agency
Re: (Score:2)
Never attribute to malice what is adequately explained by entrenched bureaucracy. The IETF got taken over by standards bureaucrats years ago, you don't need any deliberate action by the NSA to turn things into endless bickering, red tape, petty power struggles and turf wars, and insistence on following arbitrary "procedure" to the letter, including making up the procedures as you go to make sure any alternate view is shut down. Unfortunately when someone like djb comes along with an engineering approach a
Re: (Score:2)
Never attribute to malice what is adequately explained by entrenched bureaucracy.
Not if the party in question has been repeatedly caught concealing malice. You'd be a fool to trust, or even assume good will, when dealing with anything by Microsoft, NSA, Facebook, etc.
Here, we have something that looks bad and has been done by a prior offender. Thus, it needs to be viewed with suspicion by default.
Sucks but I'll work around it (Score:4, Informative)
Wouldn't be the first time I needed to change a default config to work around NSA / Five Eyes fuckery, won't be the last:
https://blog.stribik.technolog... [blog.stribik.technology]
Re:Sucks but I'll work around it (Score:4, Informative)
While it was good info back in the day, I've used it myself. That blog is almost a decade out of date at this point. It has some updates, but it kind of needs a complete rewrite. Fully a 1/3 of the ciphers, MACs, etc... have been deprecated & replaced.
The bad guys (Score:1)
is USA, then?
Re: (Score:2)
Re: (Score:2)
So a yes then.
DJB is right (Score:2)
But, as usual, the enemies of privacy cannot stop pushing.
NSA pushes weaker post-quantum cryptography (Score:3)
Nuts (Score:1)
Sometimes you feel like a nut, sometimes you are one.
Re: (Score:3)
DJB is hardly a nut; he's a competent researcher in the field of cryptography and a prolific open-source contributor.
Here, let me introduce you to his work.
https://cr.yp.to/papers.html [cr.yp.to]
Re: (Score:2)
Very competent people can still be totally nuts. Intelligence and insanity have a nice slice of commonality.
Re:Nuts (Score:4, Insightful)
Email, how does it work? (Score:2)
I didn't send anything to the IETF TLS mailing list for 30 days after that. Yesterday [November 22nd] I finished writing up my new objection and sent that in. And, gee, after more than 24 hours it still hasn't appeared... Presumably the chairs "forgot" to flip the censorship button off after 30 days.
Turns out he sent the objection from an email address which wasn't subscribed to the IETF TLS mailing list, and then didn't receive the automatic reply about his email being ignored because his qsecretary autoresponder [jdebp.uk] dumped the IETF autoresponder reply.
Looks like an old-fashioned case of aiming at your foot, pulling the trigger, and then wondering why everything hurts.
https://mailarchive.ietf.org/a... [ietf.org]
too many (Score:2)
Too many buzzwords in one headline. Overloadddddd. Zzzzzzzzzzzzz.
Just another forum for those with power (Score:2)
Now the WG is again being told, again without a rationale, that some unspecified cryptographic experts with money are demanding non-hybrids. Even if it's true that NSA is banning hybrids (is it?), I'm opposed to non-hybrids on security grounds and on BCP 188 grounds.
Contrary to what readers would expect from a "last call" for objections, several people (including me) had already filed earlier objections that haven't been resolved.
It shouldn't be necessary to repeat the objections, but Thomas Bellebaum promptly replied to the "last call" by highlighting various objections. That was on the 6th, more than two weeks ago. I've seen no response.
This mirrors my experience w/ IETF effectively embracing voting and kings. So long as you pay lip service to process hoops and spew effectively unfalsifiable rhetoric to justify whatever position your heart desires, you can check all the boxes to move whatever you want. If the IETF is intended to simply serve as a forum for those with power to communicate, they should drop the bullshit and own up to it.
The IETF meaning of consensus is supposed to be grounded in technical merit. Even if you have a consensus