Daniel J. Bernstein1d ago
The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.
Show threadARGVMI~1.PIF1d ago

@djb

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

Show threadDaniel J. Bernstein1d ago

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

Show threadrsalz1d ago
@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.
Show threadScott Francis

@rsalz DJB sees a conspiracy where one may not exist ... but has a history of seeing one where it did very much in fact exist.

I think cryptographers erring on the side of extreme caution is a net benefit (and his points about unjustified and unexplained foot-dragging and resistance on Classic McEliece adoption have been well documented)

Apr 10 at 9:47pmWeb
Show threadScott Francis1d ago
@rsalz I feel like the whole Dual_EC_DRBG saga kind of permanently poisoned the well here
Show threadrsalz1d ago
@darkuncle At the time of Dual_EC, NIST was required by law to take NSA's advice. They no longer are. But what history of seeing conspiracy where it did exist are you thinking of?
Show threadScott Francis1d ago

@rsalz Dual_EC specifically is an example of NSA hijacking the standards process for nefarious purposes. Maybe that was the only one ever, and an anomaly! (But see also DES back in the 90s ...)

But it would be wise to proceed with skepticism on all future contributions from a source that proved to be a bad actor. When an actor has a documented history of bad behavior, it's both natural and wise that all their future behavior face extra scrutiny and skepticism.

More recently, the arguments against hybrids seem ... weak. See e.g., https://blog.cr.yp.to/20240102-hybrid.html and https://blog.cr.yp.to/20251004-weakened.html (which has six sequels)

Show threadrsalz1d ago
@darkuncle I don't recall Dan suspecting dual EC but I may just be forgetting that. NIST, however did learn their lesson and sponsored global contests for AES post quantum etc. Not NSA.
Show threadScott Francis1d ago
@rsalz NSA and other intel agencies still influencing standards process (see prior links), which is what I think is cause for skepticism if not suspicion
Show threadrsalz1d ago
@darkuncle as an active participant in many of the working groups, and colleagues with NSA and others, I do not believe there is any covert influence happening. His arguments have devolved to little more than ad hominem attacks. Kind of sad. I've known him for 30 years.
Show threadScott Francis1d ago
@rsalz this is good news in terms of engagement from the agency! However, given their mission to subvert foreign comms (that primarily rely on the same standards to which NSA contributes) that at least we should consider where incentives lie.
Show threadKoos Pol πŸ‡ΊπŸ‡¦18h ago
@rsalz @darkuncle This is an very naive stance. Ofcourse they are. It's their god given purpose on earth. As long as the NSA is tasked to know more about me than for me to know more about them, my decision is made. Also "I've know him for 30 years" is an ad hominem in itself.
Show threadrsalz1d ago
@darkuncle Yes, erring on the side of extreme caution is right. But you completely discount Bas Westerban, Sophie Schmeig, etc?
Show threadScott Francis1d ago
@rsalz not at all! Bas and Sophie in particular are awesome cryptographers and good people; I'm just saying that proceeding with the assumption that cryptographic proposals from NSA require greater-than-average skepticism seems wise based on the history.
Show threadPaul_IPv61d ago

@darkuncle @rsalz

DJB has always been touchy and can really get into the weeds on some conspiracy theory. really smart guy but i tend to take his rants with a heavy grain of salt.

it's been this way since early usenet days.

Show threadScott Francis1d ago
@paul_ipv6 @rsalz as they say, just because you're paranoid doesn't mean they aren't after you. :)