NSA and IETF: Can an attacker purchase standardization of weakened cryptography?

https://blog.cr.yp.to/20251004-weakened.html

cr.yp.to: 2025.10.04: NSA and IETF

DJB has been complaining about this NSA position since 2022 (I guess long before it was an issue at the TLS WG):

https://blog.cr.yp.to/20220805-nsa.html

I'm actually quite surprised that anyone is advocating the non-hybrid PQ key exchange for real applications. If it isn't some sort of gimmick to allow NSA to break these, it's sure showing a huge amount of confidence in relatively recently developed mechanisms.

It feels kind of like saying "oh, now that we can detect viruses in sewage, hospitals should stop bothering to report possible epidemic outbreaks, because that's redundant with the sewage monitoring capability". (Except worse, because it involves some people who may secretly be pursuing goals that are the opposite of everyone else's.)

Edit: DJB said in that 2022 post:

> Publicly, NSA justifies this by
>
> - pointing to a fringe case where a careless effort to add an extra security layer damaged security, and
> - expressing "confidence in the NIST PQC process".

cr.yp.to: 2022.08.05: NSA, NIST, and post-quantum cryptography

Expand on "recently-developed mechanisms".