[Cryptography] It's probably kleptography.

Ray Dillinger bear at sonic.net
Tue Mar 31 18:48:36 EDT 2026


In what may be related news, Bennett and Brassard have been awarded this 
year's Turing prize for their discovery of Quantum Cryptography.  
Quantum Cryptography is more viable than Quantum Cryptanalysis, but 
that's not really saying much.  I don't want to denigrate their 
theoretical work. It is real and apparently true.

However, I have an additional theory, which is that the decision to give 
them that award was likely influenced by people who have no interest in 
protecting people from Quantum Cryptanalysis.

We've been hearing a whole lot about Quantum Cryptography lately. And 
considering the state of play in terms of actual quantum computers, it's 
hard to justify how much fear, uncertainty, and doubt there is.

I am a suspicious, half-paranoid guy, but hear me out:

This standard (SKEIN, KYBER, KEM) is promulgated by NIST, the same 
people who brought us the Dual-EC DRBG standard. So... they aren't above 
suspicion of facilitating a Kleptographic Standards attack.

The committee awarding the Turing Prize seem likely to have consulted 
various people associated with three-letter agencies in assessing the 
importance of Bennett and Brassard's contribution. Those agencies, in 
turn, seem like the agencies most likely to carry out a Kleptographic 
Standards attack, again given the prior precedent.

Meanwhile, there are fiddly delicate machines demonstrating basic 
principles that vaguely indicate a possibility that one day actual 
quantum computers could be constructed. But they are in practice 
useless. Further, in the estimation of a fair number of people they are 
not all that promising.  There is good reason to think the methodology 
may never scale to the point of finding factors whose values were not 
already known and used to set up the factoring program.

The mismatch between perceived threat and demonstrated threat is so 
spectacular that it looks like a FUD campaign. Which is a necessary step 
in a Kleptographic Standards attack. Kleptographic Standards are 
promulgated addressing fear of some threat, so that the fear can be used 
as a lever to get people to do something stupid.

That brings my suspicious mind back to the likelihood that the 
attackers, affiliated with the agencies consulted about the value of 
Bennett & Brassard's work, may have deliberately influenced the Turing 
Prize committee to promote the awareness and perceived legitimacy of a 
Quantum Cryptanalysis threat.  Even though the threat is, as far as we 
can tell, entirely bogus.

And the algorithms (SKEIN, KYBER, KEM) are too new for a standard, 
haven't been studied enough to trust on the same level of evidence as 
existing non-quantum algorithms, and NIST is advocating their use alone, 
specifically telling people to avoid usage layered with established and 
trusted algorithms. As people here have noted, that seems like bad 
advice.  That seems a whole lot like trying to get those established and 
trusted algorithms out of the way.  And getting them out of the way 
would be the most likely motivator for making a Kleptographic Standards 
attack.

  So.... I know I'm being a bit paranoiac and may be inferring too much 
cause and too many connections based on not very much evidence. So I 
thought about it for a moment.  I decided I needed to know more about 
these new algorithms.  Maybe they have been studied enough (while I 
wasn't looking) for a standard, and I face the possibility that I'm just 
shadow-boxing. Or maybe they have been studied, the way Bernstein 
studied Dual-EC DRBG, and found lacking, and my paranoia would seem more 
justified.  So let's check the literature!

And I found these:

https://eprint.iacr.org/2022/1681.pdf

https://link.springer.com/chapter/10.1007/978-3-031-82852-2_11

Oh look, algorithms in this class may have backdoors structurally built 
into them!  Isn't that special.

God damn it.  I hate it every time I'm a paranoid suspicious bastard 
assuming the worst of people and turn out to be right again.

These papers are not reassuring.  These remind me of Bernstein's paper 
when the Dual-EC DRBG was being standardized.  Sure, that paper caused 
some suspicion, but only for suspicious, half-paranoid guys. We didn't 
know for sure until the Snowden leaks blew the lid off it, but those 
suspicious, half-paranoid guys were right.

So... to make a long story short:

Quantum Cryptography, while intellectually neat, does not present a 
practical attack that we need protection against at this time. 
Kleptographic Standards on the other hand are very much a practical 
attack that we need to protect against at this time.

When a standards body tells you that you should cast aside well-studied 
cryptographic algorithms which have earned their trust through dozens of 
years of examination, testing, and motivated attackers, for the sake of 
protection against Quantum Crypto? The attack you should be protecting 
against isn’t Quantum Crypto.


Bear

Who is a suspicious, half-paranoid bastard, apparently.
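The "layered" use of a new algorithm alongside an established one that the post argues for is usually built as a hybrid key exchange: both a classical and a post-quantum shared secret are fed into one key derivation, so the session key stays secret as long as either component holds. The following is an added illustration and not part of the original post or of any NIST document: a "concatenate-then-KDF" combiner with an RFC 5869 HKDF over HMAC-SHA-256. No real ML-KEM/Kyber or ECDH is run; the shared secrets and ciphertexts are constructed placeholder bytes, and the function names are this example's own.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2) with HMAC-SHA-256."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC default: a string of HashLen zeros
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(data: bytes) -> bytes:
    """Length-prefix a field so that concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(2, "big") + data


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           ct_classical: bytes, ct_pq: bytes,
                           label: bytes, length: int = 32) -> bytes:
    """Hybrid 'concatenate-then-KDF' combiner (example construction, not a standard's text).

    Both shared secrets go into the HKDF input keying material, so an attacker who
    recovers only one of them (say, by breaking the newer algorithm) still faces a
    PRF keyed with the other. Both public values / ciphertexts are hashed into the
    salt so a key is bound to the exact exchange it came from.
    """
    transcript = HASH(_lp(ct_classical) + _lp(ct_pq)).digest()
    ikm = _lp(ss_classical) + _lp(ss_pq)
    prk = hkdf_extract(transcript, ikm)
    return hkdf_expand(prk, label, length)


def rfc5869_test_case_1() -> bool:
    """Self-check of the HKDF implementation against RFC 5869 Appendix A, test case 1."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


# Constructed placeholder values standing in for a real ECDH and a real KEM exchange.
SS_CLASSICAL = bytes.fromhex("11" * 32)   # would be the ECDH shared secret
SS_PQ = bytes.fromhex("22" * 32)          # would be the KEM shared secret
CT_CLASSICAL = b"constructed-ecdh-public-key"
CT_PQ = b"constructed-kem-ciphertext"
LABEL = b"example hybrid key"


def demo() -> dict:
    """Derive a hybrid key and show that every input, secret or public, affects it."""
    key = combine_shared_secrets(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, CT_PQ, LABEL)
    # Same exchange but the PQ secret replaced: a different key, so knowing only the
    # classical secret does not give away the hybrid key (and vice versa).
    pq_swapped = combine_shared_secrets(SS_CLASSICAL, bytes(32), CT_CLASSICAL, CT_PQ, LABEL)
    classical_swapped = combine_shared_secrets(bytes(32), SS_PQ, CT_CLASSICAL, CT_PQ, LABEL)
    ct_swapped = combine_shared_secrets(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, b"other-ct", LABEL)
    return {"key": key, "pq_swapped": pq_swapped,
            "classical_swapped": classical_swapped, "ct_swapped": ct_swapped}


if __name__ == "__main__":
    print("HKDF self-check:", rfc5869_test_case_1())
    for name, value in demo().items():
        print(f"{name:18s} {value.hex()}")
```

The design choice worth noting is that the combiner never uses either shared secret directly as the key and never XORs the two secrets together; both are keyed into one HMAC-based KDF along with the public transcript, which is the shape the IETF hybrid key-exchange drafts also take.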
