Why do they want non-hybrid KEMs and signatures, anyway? Seems like a bad idea to protect all of everything with nothing but unproven crypto.
@argv_minus_one I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments.
Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.
Welp, I think it's safe to assume that ML-KEM is already broken and so is the IETF TLS committee. Lovely.
@rsalz DJB sees a conspiracy where one may not exist ... but has a history of seeing one where it did very much in fact exist.
I think cryptographers erring on the side of extreme caution is a net benefit (and his points about unjustified and unexplained foot-dragging and resistance on Classic McEliece adoption have been well documented).
@rsalz Dual_EC specifically is an example of NSA hijacking the standards process for nefarious purposes. Maybe that was the only one ever, and an anomaly! (But see also DES back in the 90s ...)
But it would be wise to proceed with skepticism on all future contributions from a source that proved to be a bad actor. When an actor has a documented history of bad behavior, it's both natural and wise that all their future behavior face extra scrutiny and skepticism.
More recently, the arguments against hybrids seem ... weak. See e.g., https://blog.cr.yp.to/20240102-hybrid.html and https://blog.cr.yp.to/20251004-weakened.html (which has six sequels)
DJB has always been touchy and can really get into the weeds on some conspiracy theory. Really smart guy, but I tend to take his rants with a heavy grain of salt.
It's been this way since early Usenet days.
@paulehoffman @rsalz Paul, great to see you showing up here!
We're currently discussing Rich's delusion that NSA doesn't attack IETF. On that topic, can you please state for the record how much NSA paid you for your promotion of TLS randomness extensions in IETF (https://web.archive.org/web/20260331174508/https://sockpuppet.org/blog/2015/08/04/is-extended-random-malicious/)? Or are you denying that this happened?
Also, do you dispute https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/checkoway saying that Dual EC becomes thousands of times cheaper to attack whenever those randomness extensions are deployed?
I would argue that what we had at the time was a frenzied mob, particularly in Vancouver.

This draft defines three hybrid key agreement mechanisms for TLS 1.3 - X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that combine the post-quantum ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie-Hellman) exchange.
@djb @huitema @paulehoffman @rsalz the analogy is of course ridiculously broken because everyone is building towards and expecting the future to be PQ only.
A better comparison is a scenario where we mandate hybrid cars because perhaps EV technology will fail in the future, even though we know eventually everyone will drive a pure EV.
Some people now prefer gas, some hybrid, some EV. We let people choose because none of the car variants are dangerous.
You are trying to force hybrid cars on everyone because you think EV might break despite years of research of the worlds best experts.
@letoams @huitema @paulehoffman @rsalz Requiring seatbelts in cars reduces the damage to humans from car crashes. Requiring ECC along with PQ reduces the damage to the users from PQ security failures.
Saying that people are trying to prevent PQ failures doesn't break this analogy. People are also trying to prevent car crashes.
I'm unable to decipher your attempt to draw another analogy: e.g., I can't figure out whether "perhaps EV technology will fail" is sticking to the topic of _safety_.
Everything I wrote is simple and consistent and, if you look at the context of when they were made, easy to follow. For those just jumping in:
1. As a long-time person involved with the IETF I have not seen any hidden/coercive NSA involvement.
2. I accept that the EFF budget piece is accurate.
3. The term "crazy conspiracy thinking" referred to your blog posts on this topic.
I do not argue with NSA/NIST and pointed out why they could do that in the past. I find it amusing that ISO refused to standardize NSA's Simon and Speck. Perhaps they're not as good at influence as they used to be.
@rsalz @djb @darkuncle dumb questions from the sidelines:
1: doesn’t it make sense to treat NSA preferences with a bit of suspicion given their history and mission?
2: if there is strong opposition to non-hybrid, besides djb’s, doesn’t that bear listening to? What’s the benefit here in overriding the concerns?
Very much not a crypto expert, I’m assuming there’s a lot I don’t know or understand here. Appreciate any answers.
@jzb To answer your questions:
1. If it were only the NSA, sure, be suspicious. But it's not (IEEE, Ericsson I believe, others) and I do not believe they were all corrupted.
2. Sure, the IETF is having that discussion. See what you think of https://github.com/tlswg/draft-ietf-tls-mlkem/pull/14/changes for example.