On the TLS mailing list and related forums, he relentlessly argued that dropping the #X25519 "seatbelt" was foolish and dangerous. And not just dangerous — suspicious. He pointed out that no real-world client or server was unable to handle the small extra cost of hybrid handshakes; there was no practical downside to using two algorithms except maybe 64 bytes more network traffic. So why the push for pure #post-quantum? Bernstein's answer: because certain large governmental actors want to weaken our crypto under the guise of moving to the future. He didn't mince words. According to him, "surveillance agency NSA and its partner #GCHQ are trying to have standards-development organizations endorse weakening ECC+PQ down to just PQ" [9]. He drew parallels to the Dual EC scandal, noted that #NSA's public "CNSA 2.0" guidelines were ambivalent at best about hybrids, and essentially accused these agencies of leveraging compliance-minded companies to do their bidding.
@CuratedHackerNews https://mastodon.social/@CuratedHackerNews/116109445960984470