Daniel J. Bernstein21h ago
The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.
Show threadARGVMI~1.PIF21h ago

@djb

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

Show threadDaniel J. Bernstein20h ago

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

Show threadrsalz20h ago
@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.
Show threadDaniel J. Bernstein19h ago
@rsalz @darkuncle You think https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf is a conspiracy theory?
Show threadrsalz18h ago
@djb @darkuncle no I do not, but that does not mean that the NSA is corrupting the IETF.
Show threadDaniel J. Bernstein17h ago
@rsalz @darkuncle Let me see if I understand. You're agreeing that NSA has a large budget to sabotage "standards and specification for commercial public key technologies" etc., but you presume that this doesn't include IETF, since the document doesn't _specifically_ name IETF? Also, just checking: by the same logic, you presume that this doesn't include ISO? NIST? IEEE? When we recommend proactive steps to protect SDOs against sabotage, you accuse us of being crazy conspiracy theorists?
Show threadrsalz17h ago
@djb @darkuncle I presumed nothing. Read what I wrote. Twisting words to win an argument. Your better than this Dan.
Show threadDaniel J. Bernstein
@rsalz @darkuncle You wrote "this whole thread is crazy conspiracy thinking" but I'm unable to figure out what you're disputing, i.e., what specifically you're claiming is a conspiracy theory. You _don't_ seem to be questioning the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf, an internal NSA document on NSA's massive budget to weaken "standards and specification for commercial public key technologies" etc. so as to make those "exploitable". What, then, _are_ you disputing?
1:54amWeb
Show threadrsalz2h ago

@djb @darkuncle

Everything I wrote is simple and consistent and, if you look at the context of when they were made, easy to follow. For those just jumping in.

1. As a long-time person involved with the IETF I have not seen any hidden/coercive NSA involvement.

2. I accept that the EFF budget piece is accurate.

3. The term "crazy conspiracy thinking" referred to your blog posts on this topic.

I do not argue with NSA/NIST and pointed out why they could do that in the past. I find it amusing that ISO refused to standardize NSA's Simon and Speck. Perhaps they're not as good at influence as they used to be.

Show threadJoe Brockmeier1h ago

@rsalz @djb @darkuncle dumb questions from the sidelines:

1: doesn’t it make sense to treat NSA preferences with a bit of suspicion given their history and mission?

2: if there is strong opposition to non-hybrid, besides djb’s, doesn’t that bear listening to? What’s the benefit here in overriding the concerns?

Very much not a crypto expert, I’m assuming there’s a lot I don’t know or understand here. Appreciate any answers.