Daniel J. Bernstein2d ago
The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.
Show threadARGVMI~1.PIF2d ago

@djb

Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.

Show threadDaniel J. Bernstein2d ago

@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.

Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.

Show threadrsalz2d ago
@darkuncle Sorry to see you promoting this. He's done great work, but this whole thread is crazy conspiracy thinking.
Show threadDaniel J. Bernstein2d ago
@rsalz @darkuncle You think https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf is a conspiracy theory?
Show threadrsalz2d ago
@djb @darkuncle no I do not, but that does not mean that the NSA is corrupting the IETF.
Show threadDaniel J. Bernstein2d ago
@rsalz @darkuncle Let me see if I understand. You're agreeing that NSA has a large budget to sabotage "standards and specification for commercial public key technologies" etc., but you presume that this doesn't include IETF, since the document doesn't _specifically_ name IETF? Also, just checking: by the same logic, you presume that this doesn't include ISO? NIST? IEEE? When we recommend proactive steps to protect SDOs against sabotage, you accuse us of being crazy conspiracy theorists?
Show threadrsalz2d ago
@djb @darkuncle I presumed nothing. Read what I wrote. Twisting words to win an argument. Your better than this Dan.
Show threadDaniel J. Bernstein2d ago
@rsalz @darkuncle You wrote "this whole thread is crazy conspiracy thinking" but I'm unable to figure out what you're disputing, i.e., what specifically you're claiming is a conspiracy theory. You _don't_ seem to be questioning the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf, an internal NSA document on NSA's massive budget to weaken "standards and specification for commercial public key technologies" etc. so as to make those "exploitable". What, then, _are_ you disputing?
Show threadrsalz1d ago

@djb @darkuncle

Everything I wrote is simple and consistent and, if you look at the context of when they were made, easy to follow. For those just jumping in.

1. As a long-time person involved with the IETF I have not seen any hidden/coercive NSA involvement.

2. I accept that the EFF budget piece is accurate.

3. The term "crazy conspiracy thinking" referred to your blog posts on this topic.

I do not argue with NSA/NIST and pointed out why they could do that in the past. I find it amusing that ISO refused to standardize NSA's Simon and Speck. Perhaps they're not as good at influence as they used to be.

Show threadDaniel J. Bernstein20h ago
@rsalz @darkuncle NSA has a huge budget to "covertly influence and/or overtly leverage" cryptographic designs: https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf NSA _paying_ the RSA company to put Dual EC into RSA's BSafe library (https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220/) is an example of overt leverage towards the RSA company, and of covert influence for the public not knowing about this. Same for NSA _paying_ companies to put non-hybrids into products. Do you dispute these examples of covert influence and/or overt leverage? If so, why?
Show threadrsalz
@djb @darkuncle I didn't dispute the RSA thing. I don't know about the other things you claimed.
Apr 12 at 9:50pmWeb
Show threadDaniel J. Bernstein13h ago

@rsalz @darkuncle Okay, so you're not disputing the authenticity of https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220/ regarding NSA paying the RSA company to roll out Dual EC.

Now let's look at an IETF part of the Dual EC story. Are you disputing the accuracy of, e.g., https://web.archive.org/web/20251229182801/https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/ and https://web.archive.org/web/20260331174508/https://sockpuppet.org/blog/2015/08/04/is-extended-random-malicious/ saying NSA paid your colleagues Paul Hoffman and Eric Rescorla to coauthor with NSA a series of IETF drafts on "Extended Random" etc.? The payment is again overt leverage towards the consultants.