The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.

@djb Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.

@rsalz DJB sees a conspiracy where one may not exist ... but has a history of seeing one where it did very much in fact exist.

I think cryptographers erring on the side of extreme caution is a net benefit (and his points about unjustified and unexplained foot-dragging and resistance on Classic McEliece adoption have been well documented).

@rsalz I feel like the whole Dual_EC_DRBG saga kind of permanently poisoned the well here

@darkuncle At the time of Dual_EC, NIST was required by law to take NSA's advice. They no longer are. But what history of seeing conspiracy where it did exist are you thinking of?

@rsalz Dual_EC specifically is an example of NSA hijacking the standards process for nefarious purposes. Maybe that was the only one ever, and an anomaly! (But see also DES back in the 90s ...)

But it would be wise to proceed with skepticism on all future contributions from a source that proved to be a bad actor. When an actor has a documented history of bad behavior, it's both natural and wise that all their future behavior face extra scrutiny and skepticism.

More recently, the arguments against hybrids seem ... weak. See e.g., https://blog.cr.yp.to/20240102-hybrid.html and https://blog.cr.yp.to/20251004-weakened.html (which has six sequels)

@darkuncle I don't recall Dan suspecting dual EC but I may just be forgetting that. NIST, however, did learn their lesson and sponsored global contests for AES, post-quantum, etc. Not NSA.

@rsalz NSA and other intel agencies still influencing standards process (see prior links), which is what I think is cause for skepticism if not suspicion

@darkuncle as an active participant in many of the working groups, and colleagues with NSA and others, I do not believe there is any covert influence happening. His arguments have devolved to little more than ad hominem attacks. Kind of sad. I've known him for 30 years.

@rsalz this is good news in terms of engagement from the agency! However, given their mission to subvert foreign comms (that primarily rely on the same standards to which NSA contributes), at least we should consider where incentives lie.

@rsalz @darkuncle This is a very naive stance. Of course they are. It's their god-given purpose on earth. As long as the NSA is tasked to know more about me than for me to know more about them, my decision is made. Also "I've known him for 30 years" is an ad hominem in itself.