Mastodawn

Daniel J. Bernstein 20h ago

The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

Daniel J. Bernstein 19h ago

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

ARGVMI~1.PIF 19h ago

Welp, I think it's safe to assume that ML-KEM is already broken and so is the IETF TLS committee. Lovely.

@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.

Scott Francis 18h ago

@rsalz DJB sees a conspiracy where one may not exist ... but has a history of seeing one where it did very much in fact exist.

I think cryptographers erring on the side of extreme caution is a net benefit (and his points about unjustified and unexplained foot-dragging and resistance on Classic McEliece adoption have been well documented)

Scott Francis 18h ago

@rsalz I feel like the whole Dual_EC_DRBG saga kind of permanently poisoned the well here

@darkuncle At the time of Dual_EC, NIST was required by law to take NSA's advice. They no longer are. But what history of seeing conspiracy where it did exist are you thinking of?

Scott Francis 18h ago

@rsalz Dual_EC specifically is an example of NSA hijacking the standards process for nefarious purposes. Maybe that was the only one ever, and an anomaly! (But see also DES back in the 90s ...)

But it would be wise to proceed with skepticism on all future contributions from a source that proved to be a bad actor. When an actor has a documented history of bad behavior, it's both natural and wise that all their future behavior face extra scrutiny and skepticism.

More recently, the arguments against hybrids seem ... weak. See e.g., https://blog.cr.yp.to/20240102-hybrid.html and https://blog.cr.yp.to/20251004-weakened.html (which has six sequels)

@darkuncle I don't recall Dan suspecting dual EC but I may just be forgetting that. NIST, however did learn their lesson and sponsored global contests for AES post quantum etc. Not NSA.

Scott Francis 18h ago

@rsalz NSA and other intel agencies still influencing standards process (see prior links), which is what I think is cause for skepticism if not suspicion

@darkuncle as an active participant in many of the working groups, and colleagues with NSA and others, I do not believe there is any covert influence happening. His arguments have devolved to little more than ad hominem attacks. Kind of sad. I've known him for 30 years.

Scott Francis 17h ago

@rsalz this is good news in terms of engagement from the agency! However, given their mission to subvert foreign comms (that primarily rely on the same standards to which NSA contributes) that at least we should consider where incentives lie.

Koos Pol 🇺🇦11h ago

@rsalz @darkuncle This is an very naive stance. Ofcourse they are. It's their god given purpose on earth. As long as the NSA is tasked to know more about me than for me to know more about them, my decision is made. Also "I've know him for 30 years" is an ad hominem in itself.

@darkuncle Yes, erring on the side of extreme caution is right. But you completely discount Bas Westerban, Sophie Schmeig, etc?

Scott Francis 18h ago

@rsalz not at all! Bas and Sophie in particular are awesome cryptographers and good people; I'm just saying that proceeding with the assumption that cryptographic proposals from NSA require greater-than-average skepticism seems wise based on the history.

Paul_IPv6 17h ago

@darkuncle @rsalz

DJB has always been touchy and can really get into the weeds on some conspiracy theory. really smart guy but i tend to take his rants with a heavy grain of salt.

it's been this way since early usenet days.

Scott Francis 17h ago

@paul_ipv6 @rsalz as they say, just because you're paranoid doesn't mean they aren't after you. :)

Daniel J. Bernstein 17h ago

@rsalz @darkuncle You think https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf is a conspiracy theory?

PedroMJ 17h ago

@djb @rsalz @darkuncle We can try to amend such kind of dangerous situations with a new draft.

@djb @darkuncle no I do not, but that does not mean that the NSA is corrupting the IETF.

Daniel J. Bernstein 16h ago

@rsalz @darkuncle Let me see if I understand. You're agreeing that NSA has a large budget to sabotage "standards and specification for commercial public key technologies" etc., but you presume that this doesn't include IETF, since the document doesn't _specifically_ name IETF? Also, just checking: by the same logic, you presume that this doesn't include ISO? NIST? IEEE? When we recommend proactive steps to protect SDOs against sabotage, you accuse us of being crazy conspiracy theorists?

@djb @darkuncle I presumed nothing. Read what I wrote. Twisting words to win an argument. Your better than this Dan.

Paul Hoffman 15h ago

@rsalz @djb Do you have any evidence of that last statement, Rich?

@paulehoffman Very funny. :). And sad :(

Daniel J. Bernstein 14h ago

@rsalz @darkuncle You wrote "this whole thread is crazy conspiracy thinking" but I'm unable to figure out what you're disputing, i.e., what specifically you're claiming is a conspiracy theory. You _don't_ seem to be questioning the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf, an internal NSA document on NSA's massive budget to weaken "standards and specification for commercial public key technologies" etc. so as to make those "exploitable". What, then, _are_ you disputing?

@djb @darkuncle

Everything I wrote is simple and consistent and, if you look at the context of when they were made, easy to follow. For those just jumping in.

1. As a long-time person involved with the IETF I have not seen any hidden/coercive NSA involvement.

2. I accept that the EFF budget piece is accurate.

3. The term "crazy conspiracy thinking" referred to your blog posts on this topic.

I do not argue with NSA/NIST and pointed out why they could do that in the past. I find it amusing that ISO refused to standardize NSA's Simon and Speck. Perhaps they're not as good at influence as they used to be.

Joe Brockmeier 20m ago

@rsalz @djb @darkuncle dumb questions from the sidelines:

1: doesn’t it make sense to treat NSA preferences with a bit of suspicion given their history and mission?

2: if there is strong opposition to non-hybrid, besides djb’s, doesn’t that bear listening to? What’s the benefit here in overriding the concerns?

Very much not a crypto expert, I’m assuming there’s a lot I don’t know or understand here. Appreciate any answers.

ARGVMI~1.PIF 12h ago

Do you have another explanation for the inexplicable push for the IETF to specify non-hybrid ML-KEM?

I looked at the list of arguments compiled by @djb at https://blog.cr.yp.to/20260221-structure.html and I don't see any particularly compelling argument in favor of such a move. Nor can I think of one myself. Certainly nothing to justify going full speed ahead like this.

@argv_minus_one If you really want to know, troll through the mail archives. It is not an easy task. But listening just to Dan is like getting all your news from Q-Anon.