[Cryptography] NSA up to their old tricks - stuffing the IETF WGs with their supporters for weakened standards
Nico Williams
nico at cryptonector.com
Mon Dec 8 00:49:24 EST 2025
On Thu, Dec 04, 2025 at 11:11:32AM -0500, Paul Wouters via cryptography wrote:
> On Sun, 12 Oct 2025, iang via cryptography wrote:
>
> > DJB writes: https://blog.cr.yp.to/20251004-weakened.html (long read)
>
> I think Sophie Schmieg's response blog was great:
>
> https://keymaterial.net/2025/11/27/ml-kem-mythbusting/
DJB doesn't allege that ML-KEM is backdoored. DJB does not even allege
that ML-KEM is weak -- DJB supposes that it might be.
SS convincingly shows that ML-KEM is not backdoored. SS assumes that
NSA would not use weak cryptography.
We have two well-known "attacks" by NSA on the industry: a) the
weakening of DES from 64-bit keys to 56 (while also strengthening it
against differential cryptanalysis), and b) Dual_EC + TLS extended
nonces in TLS (which together function as a key escrow system).
I think it's safe from ML-KEM's pedigree that NSA did not weaken it.
But what if NSA's secret cryptanalysis of ML-KEM shows it to be no more
than 2^80, and maybe they think they can improve on that later. This is
a complete hypothetical. Would they push for ML-KEM in that case?
SS writes:
> [...], and any internal cryptanalysis you might have will be caught up
> eventually by academia.
We're in a much better place to replace turns-out-to-be-weak crypto
today than 25 years ago, so if ML-KEM turns out to be weak then the only
thing to worry about is store-now-decrypt-later attacks. For some
things that's a real worry, and for others not really. But a TLS stack
can't know when the application's data needs to be protected for
decades. So NSA stands to gain _something_ given their price-is-no-object
storage and their network taps. How much? Who knows. But
remember, many of you were applauding Snowden not so many years ago for
revealing that sort of thing.
On the other hand, if we use hybrid cryptography then the result should
be no weaker than the stronger of the two algorithms used. Seems like a
no-brainer. Except there's economic cost to consider (extra power,
cycles/time, and bytes on the wire spent on extra crypto, "combinatorial
explosion"). Combinatorial explosion is very much a solvable problem,
but the others are real and need to be considered.
Ultimately the issue is one of trust. In this case it's "trust that NSA
doesn't have successful cryptanalysis of ML-KEM that they are keeping
secret". Trust has been damaged, so it's not surprising to find
mistrust.
But because the relevant IANA registries are Specification Required,
this ship has sailed.
SS pokes fun at the mandatory-to-implement concerns, and that's mostly
right, but there is still something to be gained -maaaybe- by the public
from a denial of "RFC" status. It's just that, well, the ship has
sailed, so we're talking about a symbolic gesture.
If only you had pointed this out to DJB, that the ship has sailed and
that symbolic gesture wouldn't accomplish much... Instead you and the
rest of the IESG acted like you have an agenda, or maybe like you find
DJB intolerable, but either way instead of disarming him you provoked
him.
Bah,
Nico
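The hybrid-cryptography point in the message above (the combined result should be no weaker than the stronger of the two components) is what a KEM combiner is for. The following is an added example, not code from the post, from DJB, from Sophie Schmieg, or from any IETF draft. It assumes two toy Diffie-Hellman KEMs over deliberately tiny, insecure groups (constructed here purely to stand in for, say, X25519 and ML-KEM so the combiner runs offline), a made-up label string, and a SHA-256 combiner that hashes both shared secrets together with the ciphertexts and public keys that produced them, in the style of KDF-based combiners.

```python
import hashlib
import secrets


class ToyDHKEM:
    """Toy Diffie-Hellman KEM over a tiny group. Constructed for this example
    and utterly insecure; it only exists so the hybrid combiner below has two
    independent components to work with."""

    def __init__(self, name, p, g):
        self.name, self.p, self.g = name, p, g
        self.nbytes = (p.bit_length() + 7) // 8

    def _enc(self, x):
        return x.to_bytes(self.nbytes, "big")

    def keygen(self):
        sk = secrets.randbelow(self.p - 2) + 1          # 1 .. p-2
        return sk, self._enc(pow(self.g, sk, self.p))

    def encaps(self, pk):
        r = secrets.randbelow(self.p - 2) + 1
        ct = self._enc(pow(self.g, r, self.p))
        ss = self._enc(pow(int.from_bytes(pk, "big"), r, self.p))
        return ct, ss

    def decaps(self, sk, ct):
        return self._enc(pow(int.from_bytes(ct, "big"), sk, self.p))


# Two "components" of the hybrid (insecure toy parameters, constructed here).
KEM_A = ToyDHKEM("toy-dh-61", 2**61 - 1, 3)
KEM_B = ToyDHKEM("toy-dh-89", 2**89 - 1, 5)

LABEL = b"example-hybrid-kem-v1"   # hypothetical domain-separation label


def _lp(b):
    """Length-prefix a field so concatenated inputs cannot be re-split."""
    return len(b).to_bytes(2, "big") + b


def combine(label, ss_a, ss_b, ct_a, ct_b, pk_a, pk_b):
    """KDF-style combiner: both shared secrets plus the transcript (ciphertexts
    and public keys) go into one hash. An attacker who knows only one of the
    two secrets cannot compute the output without guessing the other."""
    h = hashlib.sha256()
    for part in (label, ss_a, ss_b, ct_a, ct_b, pk_a, pk_b):
        h.update(_lp(part))
    return h.digest()


def hybrid_keygen():
    sk_a, pk_a = KEM_A.keygen()
    sk_b, pk_b = KEM_B.keygen()
    return (sk_a, sk_b), (pk_a, pk_b)


def hybrid_encaps(pk):
    pk_a, pk_b = pk
    ct_a, ss_a = KEM_A.encaps(pk_a)
    ct_b, ss_b = KEM_B.encaps(pk_b)
    return (ct_a, ct_b), combine(LABEL, ss_a, ss_b, ct_a, ct_b, pk_a, pk_b)


def hybrid_decaps(sk, pk, ct):
    sk_a, sk_b = sk
    pk_a, pk_b = pk
    ct_a, ct_b = ct
    ss_a = KEM_A.decaps(sk_a, ct_a)
    ss_b = KEM_B.decaps(sk_b, ct_b)
    return combine(LABEL, ss_a, ss_b, ct_a, ct_b, pk_a, pk_b)


def roundtrip_ok():
    """Both sides derive the same combined key."""
    sk, pk = hybrid_keygen()
    ct, ss_enc = hybrid_encaps(pk)
    return hybrid_decaps(sk, pk, ct) == ss_enc


def key_needs_both_components():
    """Model an adversary who has completely broken KEM_A (recovers ss_a from
    the ciphertext) but not KEM_B. Without ss_b they can only guess, and a
    wrong guess yields an unrelated 256-bit key."""
    sk, pk = hybrid_keygen()
    (ct_a, ct_b), ss_true = hybrid_encaps(pk)
    ss_a = KEM_A.decaps(sk[0], ct_a)              # the "broken" component
    wrong_ss_b = secrets.token_bytes(KEM_B.nbytes)  # adversary's guess
    guess = combine(LABEL, ss_a, wrong_ss_b, ct_a, ct_b, pk[0], pk[1])
    return guess != ss_true


if __name__ == "__main__":
    print("round trip:", roundtrip_ok())
    print("breaking one component is not enough:", key_needs_both_components())
```

The "no weaker than the stronger component" property rests on the combiner being a sound KDF and on binding the ciphertexts (and public keys) into the hash, so a component whose shared secret an attacker can influence cannot be used to steer the output. The extra cost the message mentions is visible here too: two key pairs, two ciphertexts on the wire and two encapsulations per handshake.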