[Cryptography] NSA up to their old tricks - stuffing the IETF WGs with their supporters for weakened standards
iang
iang at iang.org
Sun Oct 12 13:46:57 EDT 2025
DJB writes: https://blog.cr.yp.to/20251004-weakened.html (long read)
2025.10.04: NSA and IETF: Can an attacker simply purchase standardization of weakened cryptography? #pqcrypto #hybrids #nsa #ietf #antitrust
It's normal for post-quantum cryptography to be rolled out as an extra
layer of security on top of traditional pre-quantum cryptography, rather
than as a replacement.
For example, Google's CECPQ1 experiment was double encryption with
traditional pre-quantum ECC (specifically X25519) and post-quantum
NewHope1024. CECPQ2, a joint experiment between Google and Cloudflare,
was ECC+NTRUHRSS701. CECPQ2b was ECC+SIKEp434. Ten SSH implementations
support ECC+sntrup761. Today's usage of post-quantum cryptography by
browsers is approaching half of the connections seen by Cloudflare,
where 95% of that is ECC+MLKEM768 and 5% is ECC+Kyber768.
If post-quantum cryptography is designed to be super-strong, so strong
that it even survives future quantum computers, then why are we keeping
the ECC layer? Same reason that you wear your seatbelt: in the real
world, cars sometimes crash, and seatbelts reduce the damage.
Google already explained this back in 2016: "The post-quantum algorithm
might turn out to be breakable even with today's computers, in which
case the elliptic-curve algorithm will still provide the best security
that today's technology can offer." We've seen many breaks of
post-quantum proposals since then, including the sudden public collapse
of SIKE three years after CECPQ2b applied SIKE to tens of millions of
user connections. The only reason that this user data wasn't immediately
exposed to attackers is that CECPQ2b encrypted data with SIKE and with
ECC, rather than switching from ECC to just SIKE. As another example,
the reference Kyber/ML-KEM software went through two rounds of security
patches for KyberSlash at the end of 2023, and then had another security
patch in mid-2024.
Deploying ECC+PQ rather than just PQ is an easy common-sense win. ECC
software is practically everywhere anyway, and nobody has identified an
application that can afford PQ without being able to afford ECC+PQ.
Typically people talk about deploying ECC+PQ as deploying "hybrids"
rather than "non-hybrids", although you have to be careful with this
terminology since the word "hybrid" also has other meanings in
cryptography. It's more descriptive to talk about "double encryption"
and "double signatures" rather than "single encryption" and "single
signatures".
The problem in a nutshell. Surveillance agency NSA and its partner GCHQ
are trying to have standards-development organizations endorse weakening
ECC+PQ down to just PQ.
...
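The "double encryption" the quoted post describes (ECC+PQ, today mostly X25519 plus ML-KEM-768) comes down to one design rule: run both key agreements and feed both shared secrets, together with the transcript, into a single KDF, so the traffic key is still unpredictable if either layer is later broken. The following Go program is an added illustration of that combiner, not code from this post, from DJB's blog, or from any of the deployments named above. It uses Go's standard crypto/ecdh and crypto/mlkem (the latter needs Go 1.24 or newer); the hello/reply message layout, the ECC||PQ concatenation order and the "hybrid-example-v1" label are this example's own choices, not a standard's.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hybridKey is the traffic key each side ends up with.
type hybridKey [32]byte

// must panics on failures only the local machine can cause (no entropy, etc.).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine feeds BOTH shared secrets and the whole transcript into one KDF, so
// the output stays unpredictable while either layer holds. It is HKDF-SHA256
// (extract, then one expand block) spelled out with crypto/hmac; the ECC||PQ
// order and the "hybrid-example-v1" label are this example's own choices.
func combine(ssECC, ssPQ, transcript []byte) hybridKey {
	salt := sha256.Sum256(transcript) // binds both public keys and the ciphertext
	prk := hmac.New(sha256.New, salt[:])
	prk.Write(ssECC)
	prk.Write(ssPQ)
	okm := hmac.New(sha256.New, prk.Sum(nil))
	okm.Write([]byte("hybrid-example-v1\x01")) // info || block counter
	var k hybridKey
	copy(k[:], okm.Sum(nil))
	return k
}

// respond is the responder side. hello is the peer's X25519 public key followed
// by its ML-KEM-768 encapsulation key (a layout constructed for this example).
// The reply is the responder's X25519 public key followed by the KEM ciphertext.
func respond(hello []byte) ([]byte, hybridKey, error) {
	if len(hello) != 32+mlkem.EncapsulationKeySize768 {
		return nil, hybridKey{}, fmt.Errorf("hello: unexpected length %d", len(hello))
	}
	peerECC, err := ecdh.X25519().NewPublicKey(hello[:32])
	if err != nil {
		return nil, hybridKey{}, err
	}
	peerPQ, err := mlkem.NewEncapsulationKey768(hello[32:])
	if err != nil {
		return nil, hybridKey{}, err
	}
	ecc := must(ecdh.X25519().GenerateKey(rand.Reader))
	ssECC, err := ecc.ECDH(peerECC) // errors on a low-order peer point
	if err != nil {
		return nil, hybridKey{}, err
	}
	ssPQ, ct := peerPQ.Encapsulate()
	reply := append(append([]byte{}, ecc.PublicKey().Bytes()...), ct...)
	transcript := append(append([]byte{}, hello...), reply...)
	return reply, combine(ssECC, ssPQ, transcript), nil
}

// runHandshake plays the initiator against respond and returns
// (initiator key, responder key); the two must agree.
func runHandshake() (hybridKey, hybridKey, error) {
	ecc := must(ecdh.X25519().GenerateKey(rand.Reader))
	pq := must(mlkem.GenerateKey768())
	hello := append(append([]byte{}, ecc.PublicKey().Bytes()...), pq.EncapsulationKey().Bytes()...)
	reply, kResp, err := respond(hello)
	if err != nil {
		return hybridKey{}, hybridKey{}, err
	}
	peerECC, err := ecdh.X25519().NewPublicKey(reply[:32])
	if err != nil {
		return hybridKey{}, hybridKey{}, err
	}
	ssECC, err := ecc.ECDH(peerECC)
	if err != nil {
		return hybridKey{}, hybridKey{}, err
	}
	// ML-KEM uses implicit rejection: a tampered ciphertext yields a different
	// key rather than an error, and the transcript hash in combine catches it.
	ssPQ, err := pq.Decapsulate(reply[32:])
	if err != nil {
		return hybridKey{}, hybridKey{}, err
	}
	transcript := append(append([]byte{}, hello...), reply...)
	return combine(ssECC, ssPQ, transcript), kResp, nil
}

func main() {
	kInit, kResp, err := runHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("initiator %x\nresponder %x\nmatch %v\n", kInit, kResp, kInit == kResp)
}
```

The point the post makes is visible in combine: an attacker who fully recovers ssPQ (a SIKE-style collapse) still faces the X25519 secret inside the HMAC, and vice versa. Dropping one layer is exactly removing one of the two Write calls, which is what "weakening ECC+PQ down to just PQ" means in code. Deployed protocols do the same concatenation but feed it into their own key schedule (TLS 1.3's HKDF, SSH's exchange hash) rather than the label used here.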