Remix.run Logo
tptacek a day ago

The two most important things to understand about this kerfuffle:

(1) MLKEM wasn't designed by NSA, but rather by a team of highly-regarded European academic cryptographers, including Bernstein's former collaborator Peter Schwabe; their submission, Kyber, was selected in an open competition in which Bernstein himself submitted a closely-related algorithm (and then contested the result, suing NIST for documents to clarify the selection.)

(2) The RFC at issue documents the possibility of running TLS with pure MLKEM rather than in a hybrid configuration with ECDH. Hybrid TLS is already the mainstream, documented, standardized method for using PQC in a TLS connection. Bernstein is canvassing opposition to any documentation of the possibility of pure MLKEM in TLS.

Every time Bernstein talks about NSA's sordid history, remember: nothing that's happening here has really anything to do with NSA. It would make more sense for Bernstein to be canvassing against SHA2, which NSA actually did design. But he can't do that, because normal people know enough about cryptography to understand how crazy a claim that is. Unfortunately, we can't yet say that about lattice cryptography, despite it being approximately as well-studied as ECC.

ekr____ a day ago | parent | next [-]

> (2) The RFC at issue documents the possibility of running TLS with pure MLKEM rather than in a hybrid configuration with ECDH. Hybrid TLS is already the mainstream, documented, standardized method for using PQC in a TLS connection. Bernstein is canvassing opposition to any documentation of the possibility of pure MLKEM in TLS.

Two more pieces of context here: 1. The IETF allows code point registrations based purely on the existence of a specification, and the pure ML-KEM code points have already been assigned (https://www.iana.org/assignments/tls-parameters/tls-paramete...). The question at hand is whether the IETF will publish an RFC documenting the ML-KEM cipher suites [edited to make clear that ML-KEM is documented already].

2. It is also possible to publish an RFC via what's called "Independent Submission" (https://www.rfc-editor.org/authors/rfc-independent-submissio...), which is not subject to the IETF Consensus process. This is, for instance, how the GOST RFC (https://datatracker.ietf.org/doc/rfc9367/) was published. If the IETF opts not to publish this draft, the authors can still submit it to the Independent Submissions Editor.

throw0101d a day ago | parent | next [-]

> https://www.iana.org/assignments/tls-parameters/tls-paramete...

Further the draft that this is all about does not make a recommendation for its use. The currently IETF-recommended TLS algorithms are: X25519MLKEM768, x448, x25519, secp384r1, secp256r1.

As noted by someone on the IETF list [1] there are already ML-KEM-only implementations in various libraries, so if we want interoperability then it's best to have a standard document. No one is forcing anyone to use this algorithm, and it's not even 'officially' recommended (per above).

[1] https://mailarchive.ietf.org/arch/msg/tls/SXo4iVmp0ng_vi57ce...

chrismorgan a day ago | parent | next [-]

> there are already ML-KEM-only implementations in various libraries, so if we want interoperability then it's best to have a standard document

“People are already doing it, so we might as well rubber-stamp it even if it’s not great” introduces problems of its own: people will perceive that rubber-stamping as validating it, and now they’ll use it even more, where perhaps if you held back, they wouldn’t.

(There are counter-arguments as well, of course. A couple of relevant cases that spring to mind where a body has not aligned with usage or expectations: W3C lost control of HTML, and it was probably for the best, but they remain a relevant body in closely-related areas; and OSI licence approval is a horribly broken political process which is almost universally misunderstood and close to frozen in time, yet they haven’t suffered like they should have for their misdeeds, they pretty much got away with it. There was also that thing somewhat recently about FedRAMP rubber-stamping Microsoft Cloud despite it failing dismally, because US government agencies had already started using it too much; and I wonder what that does to their credibility.)

This is also a concern with informational/independent submissions through IETF. They are frequently perceived as having IETF/standards weight.

tptacek a day ago | parent | next [-]

These are arguments, but I don't really understand what they're arguments for. At issue here is whether or not the IETF should document usage of pure-MLKEM TLS. There are environments where people are going to use pure-MLKEM TLS, whether Bernstein likes it or not. His argument is that the IETF should pretend that isn't happening, and throw up weird procedural obstacles to it.

chrismorgan a day ago | parent | next [-]

I know approximately nothing about the specific case here, and don’t believe I have any skin in the game. I intended my comment purely abstractly: I’m not commenting on anything technical, merely mentioning a procedural concern: that the line I quoted can sound reasonable, but that I don’t think it’s actually a reasonable argument by itself, because of the likely consequences of such actions. (That is: if that happened to be the only argument—though I doubt it is—there’s a compelling case for rejecting it.)

g-b-r a day ago | parent | prev | next [-]

If it's documented it will be implemented by many more libraries and applications, that's the argument

tptacek a day ago | parent [-]

It already exists. In fact, there are environments where it has to exist. So the argument he's making is that the IETF should pretend it doesn't exist.

g-b-r a day ago | parent [-]

Can you (or someone else) please give some example of those environments?

some_furry a day ago | parent [-]

Telecoms.

I wrote at length about this debate in my blog post about threat modeling: https://soatok.blog/2026/06/30/soatoks-informal-guide-to-thr...

rasengan a day ago | parent | prev [-]

[flagged]

throw0101d a day ago | parent | prev [-]

> “People are already doing it, so we might as well rubber-stamp it even if it’s not great” introduces problems of its own: people will perceive that rubber-stamping as validating it, and now they’ll use it even more, where perhaps if you held back, they wouldn’t.

The GOST cipher, which is Russia's AES equivalent, is also in an RFC:

* https://datatracker.ietf.org/doc/html/rfc9189

* https://en.wikipedia.org/wiki/GOST_(block_cipher)

Is the IETF validating its use?

The GOST document is categorized in the same way as the one currently being debated/discussed: Informational. It also has "N" under the "Recommended" column (like ML-KEM-only will have):

* https://www.iana.org/assignments/tls-parameters/tls-paramete...

ekr____ 19 hours ago | parent [-]

In fairness, I do think that this situation is somewhat different. As I noted above (https://news.ycombinator.com/item?id=48812792), there are two main routes to an Informational RFC of this kind.

* Through the IETF

* Through the Independent Stream

The GOST documents went through the Independent Stream and therefore do not have IETF imprimateur. These documents are proposed for the IETF Stream and therefore require IETF Consensus to publish.

I know this is all super confusing. The basic problem is that the vast majority of RFCs come out of the IETF and so people often act as if all RFCs do. This is of course in part why people pursue Independent Stream publication rather than just publishing things on their own..

throw0101d 17 hours ago | parent [-]

I have gotten flack for giving ULA+NPTv6 as a possible solution to an IPv6 multi-homing issue because the RFC that describes it was 'only' "Experimental":

* https://datatracker.ietf.org/doc/html/rfc6296

When I pointed out that the NAT(44) RFC (1631/3022) was 'only' "Informational" I got radio silence:

* https://datatracker.ietf.org/doc/html/rfc1631

ekr____ 17 hours ago | parent [-]

I have no opinion on ULA+NPTv6, other than Experimental doesn't mean you shouldn't use it. How else would people experiment. It does mean that the level of vetting by the IETF is potentially lower.

WRT IPv4 NAT, I'm not sure how much we can infer from the status. Many people at IETF were (and some still are) very anti-NAT, in part because they felt that IPv6 was the right solution. As a result, the IETF really avoided doing anything that looked like it was endorsing NAT, even though it's obviously just a fact of the Internet.

throw0101d 9 hours ago | parent [-]

My general point is that the category or track of an RFC may mean different things to different people (assuming they're even aware of them at all).

g-b-r a day ago | parent | prev [-]

If it's supported it will be used, e.g. by vendors which decide for some reason to use it

Null encryption used to be supported as well, and no one was forced to use it.

But when something insecure is supported by a protocol it will lead to security hiccups.

If it's dangerous it shouldn't be supported.

lokar a day ago | parent [-]

But that’s not what the IETF is. They don’t police, they encourage collaboration and standardization between implementers.

ButlerianJihad a day ago | parent | next [-]

Heh heh heh.

I recall the early-to-mid-90s when the IETF was a powerhouse, churning out foundational standards and documents monthly, and every time I read a foundational RFC for some protocol I wanted to learn, the "Security Considerations" section was intentionally left completely blank and un-considered.

I don't know if it was recklessness or expediency or a very calculated tactic (the Internet was invented by DARPA, after all) but Internet protocols were so ridiculously insecure, and based on absurd trust models that were repeatedly broken, and everything always transmitted in plaintext (because, of course, all networks were physically wired, secured, and only the good guys could tap into them).

It was an absolute Wild West clown college as the Internet transitioned to commercial and privatized use cases, and I suppose it guaranteed job security for generations of cybersecurity experts and cryptographers.

leonidasrup 21 hours ago | parent [-]

In the 90s, you as a private person were not supposed to have access to encyption which could not be broken by NSA.

"The longest key size allowed for export without individual license proceedings was 40 bits, so Netscape developed two versions of its web browser. The "U.S. edition" had the full 128-bit strength. The "International Edition" had its effective key length reduced to 40 bits by revealing 88 bits of the key in the SSL protocol."

https://en.wikipedia.org/wiki/Crypto_Wars

tptacek 19 hours ago | parent | next [-]

No. In the 1990s, you weren't allowed to export cryptography the NSA couldn't break. Strong cryptography was widely available in the 1990s.

(I had the pleasure of shipping a commercial product, back in the days when those things shipped in shrink-wrapped boxes, that carried strong cryptography, and had to deal with the export regime. It was not fun.)

mswphd 20 hours ago | parent | prev [-]

note that this says something more limited than what you're saying. Specifically, an american company was not allowed to give access to the cryptography you describe to non-Americans.

This was still a very bad policy, but private americans were allowed to have strong cryptography.

g-b-r a day ago | parent | prev | next [-]

They publish what become standards, you can't just support any existing option in an encryption protocol (if you want to have a secure one).

AdamN a day ago | parent | prev [-]

The standardization process should weed out 'footguns' that are prone to accidentally (or maliciously) lowering the security bar.

mswphd 20 hours ago | parent | next [-]

using pure ML-KEM is not a footgun. Some people may have doubts about lattice-based cryptography, despite being securely deployed in Chrome nearly a decade ago. Some people have doubts about many things. The fact that people have doubts does not make the scheme a "footgun".

tptacek 19 hours ago | parent [-]

It is if literally the only thing you've ever read about the technical details of LWE cryptography is Daniel Bernstein.

mswphd 17 hours ago | parent [-]

you'd probably call it "Product NTRU" then, and be a minimum a decade out of date. So you'd probably have to do all that weird shit with co-different ideals Peikert was trying to get us all to do (I know it was "right" but sometimes you need to put a muzzle on the math guys for all of our sakes).

dhx a day ago | parent | prev [-]

To point out some positive examples of what RFCs should include:

RFC 5288 s3 (AES-GCM): "Each value of the nonce_explicit MUST be distinct for each distinct invocation of the GCM encrypt function for any fixed key. Failure to meet this uniqueness requirement can significantly degrade security."[1]

RFC 7748 s5 (X25519): "The cswap function SHOULD be implemented in constant time (i.e., independent of the swap argument)."[2]

By contrast, this proposed RFC for MLKEM provides a single encouragement:

"[NIST-SP-800-227] includes guidelines and requirements for implementations on using KEMs securely. Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers."[3]

It's not even a SHOULD, it's just an encouragement in a non-normative section of the RFC.

When you go to the referred NIST SP 800-227 it then tells you it's all too hard anyway and good luck and have fun figuring it out yourself:

"Cryptographic modules for KEMs should be designed with appropriate countermeasures against side-channel attacks. This includes protecting against timing attacks with constant-time implementations and protecting memory from leakage. Universal guidelines are unlikely to be helpful as exposure to side-channel attacks varies significantly with the desired application, and countermeasures are often costly."[4]

The normative standard FIPS 203[5] which the draft MLKEM RFC relies upon NEVER mentions "side channel", "constant", "timing" or provides any other assistance to implementers on how to securely multiply and/or divide numbers on computers or how to deal with conditional branching. Fair enough it includes a lower case "should" for considering side-channel resistance, but this throwaway comment is inadequate for standardisation.

The main reason it is inadequate is, imagine you're on your Hardened Gentoo or some other uber-geek laptop with the most advanced and thoroughly tested side channel resistant MLKEM client imaginable. You want to access your bank's website that offers MLKEM-only TLS. You don't have any assurance the bank's implementation of MLKEM has implemented any side channel resistance because the RFC they claim to have implemented never required it. If you then extrapolate from historical woes of implementing side channel resistant crypto (ECDSA scalar multiplication for example), it's probably correct to assume someone has, or reasonably could at some point in the future, extract private keys from the bank's side, and thus your expectations of having a secure connection are unmet. This is a standardisation problem because two implementations cannot agree on whether the protocol offers any resistance to side channel leakage to remote adversaries, therefore, what is the security guarantee the two implementations can actually agree upon?

The key missing section of this RFC is perhaps a restriction on its application similar to:

"This standard does not require implementations to consider side-channel attacks. This standard SHOULD NOT be used for protecting data and communications where an adversary may have one or more of: a) physical access to equipment performing cryptographic operations and time and resources necessary to observe physical properties of the equipment (power and signal characteristics, electromagnetic radiation, thermal dissipation), b) ability to execute code on equipment performing cryptographic operations, c) remote access to high-resolution monitoring data of physical properties of equipment performing cryptographic operations, d) ability to observe and/or establish a session to a party using this cryptographic protocol."

Thus it'd only be applicable to low risk environments such as two servers in a government building in separate rooms where an adversary is prevented from conducting a side channel attack by a plethora of other security controls.

[1] https://datatracker.ietf.org/doc/html/rfc5288#section-3

[2] https://datatracker.ietf.org/doc/html/rfc7748#section-5

[3] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/

[4] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

[5] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf

tptacek 19 hours ago | parent [-]

You are confused about what this RFC is. It's not the enabling RFC for PQC in TLS, or for MLKEM. It's documentation about a specific set of parameters for doing pure, as opposed to hybrid, MLKEM. It defers the guidance you're looking for to other RFCs.

dhx 9 hours ago | parent [-]

From RFC8446 (TLSv1.3) sE.4: "In general, TLS does not have specific defenses against side-channel attacks (i.e., those which attack the communications via secondary channels such as timing), leaving those to the implementation of the relevant cryptographic primitives."[1]

But draft-ietf-tls-mlkem just handballs to FIPS 203 for description of cryptographic primitives, and FIPS 203 doesn't care about side channel resistance. The token reference to NIST SP 800-227 for how to securely implement MLKEM also offers no suggestions on side channel resistance.

The draft MLKEM IKEv2 RFC[2] has the same problem.

Which standard, if not draft-ietf-tls-mlkem, changes the draft-ietf-tls-mlkem specification of the following cryptographic primitive:

Original: "Decaps(sk, ct) -> shared_secret: A decapsulation algorithm, which takes as input a secret decapsulation key sk and ciphertext ct and outputs a shared secret shared_secret."

To include side channel resistance, for example:

Improved: "Decaps(sk, ct) -> shared_secret: A decapsulation algorithm, which takes as input a secret decapsulation key sk and ciphertext ct and outputs a shared secret shared_secret. Decaps() MUST be implemented as a constant time function to ensure the time needed to execute Decaps() does not differ for different sk and ct values."

Some further examples of RFCs which do care about specifying side channel resistance:

RFC 9980 (OpenPGP PQC) s9.3: "This specification makes use of the default "hedged" variants of ML-DSA and SLH-DSA, which mix fresh randomness into the respective signature-generation algorithm's internal hashing step. This has the advantage of an enhanced side-channel resistance of the signature operations according to [FIPS-204] and [FIPS-205]."[3]

RFC 9941 (SSH sntrup761x25519-sha512) s4: "As discussed in the security considerations of [RFC8731], the X25519 shared secret K is bignum-encoded in that document, and this raises the potential for a side-channel attack that could leak one bit of the secret due to the different length of the bignum sign pad. This document resolves that problem by using string encoding instead of bignum encoding."[4]

(this RFC 9941 example has the benefit of showing how draft-ietf-tls-mlkem could take problematic cryptographic primitives from FIPS 203 and tighten the specification within an RFC to enforce side channel resistance)

[1] https://www.rfc-editor.org/info/rfc8446/#appendix-E.4

[2] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-ml...

[3] https://www.rfc-editor.org/info/rfc9980/#section-9.3

[4] https://www.rfc-editor.org/info/rfc9941/#section-4

tptacek 8 hours ago | parent [-]

Sir, this is a Wendy's. You're giving me a phone book's worth of RFC cites here but not a lot of indication that you spend a lot of time reading RFCs generally. The RFC we're discussing on this thread is an ancillary publication documenting code points for a specific configuration of MLKEM, which is already extensively documented in other RFCs. Ancillary RFCs like these are for obvious reasons brief.

dhx 4 hours ago | parent [-]

My key point you are avoiding with personal attacks is:

If I see another computer offer TLS named group 0x0200 (MLKEM512) as introduced by draft-ietf-tls-mlkem, do I have any assurance that the other end I'm communicating with uses constant-time Decaps(sk, ct)?

--

The answer as far as I have presented is NO. TLS named group 0x0200 (MLKEM512) is free to be used for leaky MLKEM implementations that have made no effort to be side channel resistant. The end state for MLKEM-only will be the IANA registry stating TLS named group 0x200 (MLKEM512) is specified in RFCxxxx (draft-ietf-tls-mlkem), and this RFC will refer to FIPS 203 for cryptographic primitives. At no time is side channel resistance in any way guaranteed by either draft-ietf-tls-mlkem or FIPS 203.

The situation for TLS named group 0x0029 (x25519) is different. The IANA registry nominates RFC 8446 as the relevant specification.[1] And RFC 8446 nominates a specification (RFC 7748) which does require implementation of cswap as a measure of side channel resistance.[2][3] So when you trace through the specifications starting from the IANA registry, it is unambiguous that TLS named group 0x0029 should provide at least some degree of side channel resistance. Even for this case, I'd argue the SHOULD would be better as a MUST (with possibility to add another TLS named group specifically for x25519-unsafe without constant-time cswap if anyone cares for it). And I'd also argue that RFC 8446/TLSv1.3 should require (not just suggest or hope) that implementations MUST only use constant time functions when processing ECDHE parameters per s4.2.8.2.[2] TSLv1.3 already requires AEAD use elsewhere to force constant-time processing. It's worth noting TLSv1.3 currently doesn't provide any guarantee about side channel resistance of secp256r1, secp384r1, and secp521r1. TLSv1.3 currently just provides this guarantee for X25519 and X448.

[1] https://www.iana.org/assignments/tls-parameters/tls-paramete...

[2] https://www.rfc-editor.org/info/rfc8446/#section-4.2.8.2

[3] https://www.rfc-editor.org/info/rfc7748/#section-5

eqvinox a day ago | parent | prev | next [-]

> The question at hand is whether the IETF will publish an RFC documenting the ML-KEM.

The IETF document only documents how and where to put the MLKEM values into TLS. MLKEM itself is specified in FIPS203 and it just references that for the actual cryptographic details. The IETF document is in fact quite short:

https://www.ietf.org/archive/id/draft-ietf-tls-mlkem-08.html

(This doesn't mean the document is a stub or pointless or something like that, you do need a "what goes where".)

ekr____ a day ago | parent [-]

You're right. Bad writing on my part. Edited to make it clear.

wbl a day ago | parent | prev [-]

The ISE has said they aren't progressing crypto drafts anymore.

yasaheblasa a day ago | parent | prev | next [-]

You are simplifying ad absurdum. The NSA is as likely to compromise hash and signing algorithms as the police are likely to recommend pissing in petri dishes to cast doubt on that troublesome forensic science. The NSA likely has orders more experience with the area of cryptography Kyber comes from than everyone who worked on Kyber. Estimates at one point were that they had more than half of appropriate PhD level Mathematicians in the US, that may have gone down with more cryptocurrency firms, etc, but those firms are not researching algorithm families that may or may not replace the standards with all that much interest.

tptacek a day ago | parent [-]

The NSA had nothing to do with designing Kyber.

protocolture a day ago | parent | next [-]

He didnt say it did, he said "The NSA likely has orders more experience with the area of cryptography Kyber comes from than everyone who worked on Kyber"

tptacek a day ago | parent [-]

He himself (co-)submitted a lattice KEM to the NIST competition.

nullc a day ago | parent [-]

Yes, and strongly argued against lattice schemes generally. DJB submitted a lattice scheme under the theory that if the advocates of lattice schemes were able to win the argument about the performance properties then there should be a choice of an extremely conservatively designed one.

DJB himself has consistently advocated for Classic McEliece in any application which can accept its performance characteristics (which are excellent except for the ginormous public keys), and spent many bytes trying to convince people that the set of applications that can is wider than they suspect.

mswphd 20 hours ago | parent | next [-]

NTRU based schemes are not the most conservative. NTRU is an old design from the 90s, that had some shocking structural attacks against it appear ~2016. These attacks so far are only relevant for moduli q ~ (1/100) n^{2.3...}. This makes them worse than conventional attacks against NTRU-based PKE. But they completely killed roughly half of all NTRU-based fully homomorphic encryption schemes, and are a (major) structural issue with NTRU that RLWE/MLWE does not have.

In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative. The only major attacks on lattice-based schemes since his proposal have been on the hardness assumption his scheme uses. I would personally suggest this means that Bernstein is not an accurate predictor of the security of lattice-based schemes. So far his track record (with this notable example, but also many others) is remarkably bad.

tptacek 19 hours ago | parent | next [-]

The general C.W. I've heard is that if something happened that made MLKEM look theoretically shaky (pretty unlikely, but whatever), you fall back to something like FrodoKEM, which is plain LWE with no affordance for NTT or anything like it; no structure, no performance.

mswphd 18 hours ago | parent [-]

It really depends on what the precise details of the attack look like.

1. algebraic structure: sure use frodoKEM

2. error rates smaller than those required for worst-case to average-case reductions: idk bump error rates

3. some coding theorist ruins everyone's fun and has linear time decoding for p-ary construction A codes: probably drink a lot idk

fortunately there haven't been any "incremental" attacks in any of these directions, so it is really more an academic discussion.

Also note the primary issue with FrodoKEM isn't performance (though that is definitely worse), but size. My impression from the following

https://blog.cloudflare.com/sizing-up-post-quantum-signature...

https://blog.cloudflare.com/making-protocols-post-quantum/

was that TLS w/ FrodoKEM might have some undesirable performance characteristics, though that isn't directly stated in the articles. Iirc TLS w/ FrodoKEM

nullc 17 hours ago | parent | prev [-]

> In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative.

This is in fact that what I meant, and should have said: thanks.

tptacek a day ago | parent | prev [-]

His isn't the most conservative lattice construction! This is a hell of a just-so story.

philodeon 20 hours ago | parent | prev [-]

[flagged]

tptacek 19 hours ago | parent [-]

What does this even mean? By the exact same logic you could impeach literally any algorithm.

philodeon 18 hours ago | parent [-]

It means that your argument is “the NSA couldn’t have subverted ML-KEM, it was written by Europeans”.

You assiduously pretend that this scenario isn’t possible: * The NSA reviewed the PQ submissions and realized that there’s one they already know how to break at scale: ML-KEM, because their army of math PhDs spent a couple decades understanding it better than the rest of the world * The NSA decides they want ML-KEM deployed everywhere so that the world is full of transparent-to-NOBUS cryptography * The NSA spends the entire PQ contest placing their thumbs on the scale of the process, violating their 2014 post-Snowden promises of increased transparency, to make their NOBUS dreams happen

The actions of NSA and NIST personnel make the most sense with the assumption that they desperately want to standardize ML-KEM and ML-KEM alone because _they already know how to break it_. What doesn’t make any sense is why the private sector is cheerfully going along with it —- even Charlie stopped letting Lucy hold the football at some point.

tptacek 18 hours ago | parent [-]

You're just restating the same claim with more words. It obviously proves too much. You can stick any algorithm, from MLKEM to SNTRUP to CRC32, in the same comments and get the same result.

philodeon 18 hours ago | parent [-]

No, because if the NSA didn’t already know how to break one of the cryptosystems, their engagement with the contest would have looked much different. They’d genuinely engage with the contestants and provide accurate security margin estimates. They wouldn’t barge in and make illegal procedural demands.

This is called praxeology. One would think that someone who has already been a useful idiot on behalf of the NSA regarding Dual-EC-DRBG might learn to keep their naivete to themselves.

tptacek 18 hours ago | parent [-]

I don't think you understand the argument you're making here. NSA had no hand in MLKEM itself or even in the line of research that led to MLKEM. Whatever advantage you're claiming they have with respect to MLKEM, I could just as straightforwardly claim they had for McEliece, isogenies, HQC, or UOV.

philodeon 18 hours ago | parent [-]

But the NSA didn’t throw their weight around in the NIST or IETF processes trying to standardize McEliece, isogenies, HQC, or UOV. They threw their weight around trying to standardize ML-KEM.

And anticipating your “but SIKE turned out to be easily breakable, why didn’t they try to standardize it?” The answer is “it made it shockingly far, but more importantly, SIKE was broken in the unclassified literature, but ML-KEM is broken in the classified literature.” Secrets in unclassified literature are not NOBUS secrets.

tptacek 18 hours ago | parent [-]

Unfalsifiable just-so argument. The point is that no matter what NIST selected, you could make this argument. Heads, you win, tails, they lose. There's no actual cryptography involved here.

philodeon 18 hours ago | parent [-]

You do realize that the NSA spends many millions on employing mathematicians, right? And that they wouldn’t keep doing that if all the mathematicians did was get really shit-hot at Kerbal Space Program?

An analysis of the comparative risks of these crypto systems should include “The NSA knows a lot of math they’re not sharing, and if they really really like ML-KEM, that’s concerning even if Ptacek keeps pointing out NSA didn’t write it”

tptacek 18 hours ago | parent [-]

When you make an argument that is actually somehow rooted in cryptographic research, I'll have something to reply to. This is all just Schneier-Facts(tm) logic.

philodeon 18 hours ago | parent [-]

To be clear, the Schneier Facts on Dual-EC turned out to be far more accurate than the Ptacek Gut Logic.

tptacek 18 hours ago | parent [-]

Schneier said the same thing I did. I literally got my take from Schneier. You don't even have the Schneier Facts right!

philodeon 17 hours ago | parent [-]

To quote you: “ (I'm among an elite cadre† of cryptography-adjacents who felt it probably wasn't, but only because I thought it was too stupid to actually be used anywhere --- as soon as it was disclosed that (a) it was a default-yes algorithm in BSAFE and (b) big companies actually used BSAFE in important products, it was immediately clear what was going on).”

The BSAFE disclosure happened in 2013 with Snowden. In 2015 you published an article still questioning whether Dual-EC was a backdoor, and providing an immense amount of plausible deniability for folks like Hoffman.

https://sockpuppet.org/blog/2015/08/04/is-extended-random-ma...

You don’t even remember the historical Ptacek Gut Logic!

tptacek 17 hours ago | parent [-]

You don't understand the article you just quoted. It is certainly not the case that I published an article in 2015 questioning Dual EC. You might be the only person in the world with an opinion about Paul Hoffman, by the way. I had to look him up.

I mean, it's obvious what you did here: you went to my blog hoping to find the "Dual EC is fine" story, misread this one, and then took a random name out of it and tried to cast them as an archvillain.

philodeon 17 hours ago | parent [-]

As your article points out, Hoffman wrote a specification for spewing as many NSA-controlled “random” bytes into TLS packets as he could get away with, after Rescorla’s attempt failed. Hoffman’s work became an experimental RFC.

Yet, your article says “In at least one case, Hoffman even attempted to provide a cryptographic rationale for extra randomness. Of course, naming-and-shaming either of them is pretty silly.” This makes no sense. We have names for criminal equivalents of his behavior: criminal mischief, disturbing the peace, conspiracy, etc. But if you do these things on a standards board, you get a pass? This was a concerted well-funded effort to compromise your security and my security. I think he should be put in a pillory and tarred-and-feathered.

You continue to cover for malicious actors with your “but the NSA didn’t write it!” insistence. The classic anti-Schneier Dual-EC take around 2007 was “but the NSA wouldn’t insert a backdoor, they would destroy their public image!” Your insistence is the equivalent of “but the NSA wouldn’t do that AGAIN!” Fool me once…

tptacek 16 hours ago | parent [-]

The article you're talking about literally opens "I think Dual EC is a backdoor". You don't understand it. You don't know who Paul Hoffman even is. Why would we keep discussing this?

philodeon 16 hours ago | parent [-]

Because both the article and your continued arguments about ML-KEM demonstrates that in confirmed cases of NSA sabotage and in hypothetical cases of NSA sabotage, your job is to deflect, minimize, and avoid any responsibility being doled out. I hope you’re well paid for this job.

When we find out that the ML-KEM math was thoroughly broken by NSA for years, your response will be “gosh, nobody could have known that. It’s best not to hold anyone responsible though, certainly not the NIST employees whose names are all over the evidence…”

tptacek 16 hours ago | parent [-]

Again: you pretty clearly don't understand the article you're citing. And that's easy mode compared to LWE vs RLWE. I don't think there's anything productive to be gained from us continuing to talk.

philodeon 16 hours ago | parent [-]

Yes, that’s the deflect part of deflect and minimize.

teravor a day ago | parent | prev | next [-]

    > Unfortunately, we can't yet say that about lattice cryptography, despite it being approximately as well-studied as ECC.
this is an absurd claim, lattices may be as well studied as elliptic curves, but not the cryptography.
tptacek a day ago | parent | next [-]

No, it's not an absurd claim. Lattice key establishment goes back into the mid-1990s, and was at one point a serious contender for the alternative-to-RSA/FFDH algorithm that ECC became. Modern LWE lattice KEM is approximately at the same point in its lifecycle (say, compared to original NTRU) as Curve25519 was to ECDH.

adrian_b 21 hours ago | parent | next [-]

It does not matter much how long it goes back, because before its standardization very few people have bothered to study it.

Like for any other cryptographic algorithms, where one or more decades were necessary for a good understanding of their properties, we can expect much more relevant publications about lattice key establishment in the next years, than until now.

mswphd 20 hours ago | parent [-]

this is entirely wrong. Lattice-based cryptography has been extremely well-studied theoretically and practically, even before standardization. For example, a (hybrid) lattice-based KEM was (experimentally) deployed in Chrome in 2016.

https://security.googleblog.com/2016/07/experimenting-with-p...

one or more decades were required to get good understanding of the relevant lattice problems. But they were introduced in

* the ~1990s, for NTRU, and * ~2005, for LWE, and * ~2012, for RWLE

ironically, of all of them LWE is probably understood the best (though our understanding of LWE, RLWE, and MLWE are all roughly similar now). This is because it is a problem more amenable to understanding than NTRU, which is (by comparison) a little more "ad hoc".

For lattice-based KEMs, we also have very strong understanding of things. Roughly, we were able to design the lattice-based KEMs based on our prior understanding of general KEMs. Concretely, we had a much better understanding of the precise details of the FO transform, which fed into teh design of lattice-based KEMs. So most lattice-based KEMs solely had to construct a lattice-based PKE. Doing so from LWE is fairly straightforward. Iirc since ~2005 there was a certain technique known, and then a more optimized technique was developed in ~2011. All lattice-based KEMs (that construct IND-CPA PKE -> FO Transform -> IND-CCA2 PKE) proceed with this ~2011 technique, with various internal knobs tweaked.

Post-standardization there has been some additional research into lattice-based KEMs, but they have (generally) been proceeding by tweaking the core ~2005 hardness assumption to try to get more efficiency. It's an interesting idea, but generally hardness assumptions take the longest time to gain confidence out of any part of a cryptographic algorithm (as they're the only unprovable part), so it might be a bit before we feel "safe" regarding them.

teravor a day ago | parent | prev [-]

the McEliece cryptosystem goes back to the 70s, doesn't mean it's as well studied as RSA. obviously people study popular cryptographic primitives more.

having said that, I would trust McEliece more than Kyber.

mswphd 20 hours ago | parent | next [-]

you would make poor decisions then. McEliece recently (in the last month) had a large new attack against it

https://eprint.iacr.org/2026/1232

This doesn't hit classic McEliece yet, but is part of a line of work that Randriambololona has been doing, which are at a minimum very concerning for the security of McEliece.

teravor 19 hours ago | parent [-]

certainly a concern, and a good reason to use multiple cryptosystems together. unfortunately there are probably similar papers for Kyber which are NSA property and will never see the light of day. they do employ a lot of mathematicians.

for applications where key exchange need not be particularly fast or compact, I would even throw in 4096 MP-RSA in (tuned to whatever size the exchange can tolerate) as a hedge against that if a CRQC is even possible, it would be able to continue to grow in size quickly or at all.

mswphd 13 hours ago | parent | next [-]

as a heads up, there is another attack paper against McEliece today

https://eprint.iacr.org/2026/1339

Note that this is by someone from the BSI. It's worth mentioning the BSI is very familiar with lattice-based schemes (they recommend using FrodoKEM rather than Kyber, but whatever). Despite this familiarity, the attacks they are able to publish aren't regarding lattice-based schemes, and instead a different scheme Bernstein was affiliated with.

NTRU-derivatives and McEliece derivatives are (objectively speaking) not a good track record to have, PQC-wise.

mswphd 18 hours ago | parent | prev [-]

there is no indication there are similar papers. Curiously, the best lattice cryptanalysts in the world are chinese and european (here I'm thinking of people like Ducas, Albrecht, and Ding). It's actually a weird blindspot of american cryptography (this isn't true for all cryptanalysis, but in general European cryptography is "more concrete" vs "theoretical" american cryptography).

This isn't to say that it is impossible for the NSA to have their own private cryptanalysis. It is to say they're not some magical fairy that produces non-trivial attacks. They, like any other organization, need to develop talent. In the past they have been able to do this (they, through the CCR, hired Don Coppersmith in 2005. A VERY notable cryptanalyst at the time). I am unaware of any lattice cryptanalysts who have "gone dark" in a way similar to how Coppersmith did in ~2005.

Note that we also have theoretical reasons to be more confident in the hardness of ML-KEM. The reasons are technical (and worse than the practical reasons we have, namely people have iterated on attacks and the attacks stopped getting appreciably better). But it is (curiously) the hardness assumption we perhaps have the best (theoretical) justification for why it is hard.

Using RSA as a hedge would be incredibly stupid. Index calculus attacks were significantly improved in the 2010s, at least for small characteristic finite field DH. These improvements have only tangentially hit RSA. I've heard a integer factorization record holder directly say there's no real barrier to similar improvements hitting factoring. It hasn't been done, so it isn't "easy". But also people wouldn't be surprised if it was done. The record for binary characteristic finite field DH is ~30k bits (by an academic team. governments could throw more money at it of course).

tptacek a day ago | parent | prev [-]

You would trust McEliece more than Kyber because...

grayhatter a day ago | parent [-]

Because NIST chose it, after non-public input from the NSA. But if I am honest, NIST recommending it at all is enough to suspect it of being compromised. I say that as an American, and my non-american friends equally don't trust NIST on crypto topics.

The real problem I have is best described as I haven't read a single coherent argument responding to and rejecting the real concerns raised by the individual who after nist betrayed the internet with by recommending a compromised standard at the encouragement of the NSA. Is the person who wrote the crypto library everyone uses.

DJB puts his money (time) where his mouth is. I would critique his attachment to his own ego. But I'm in the group of people who haven't contributed enough yet to foss to get to throw stones. So I'll defer to people who can match his contributions. Until that happens, DJB's reputation is cares passionately about crypto and it's community, vs an US government group with a reputation for trying to sabotage crypto systems after passing secrets with the NSA, who refuses to provide details about their most recent secret messages.

I do find some of the arguments and refutations from the mailing lists compelling. But not all the them, and nothing directly from NIST. Equally some of DJB's appear to weaken his points. But like I said, I plan to trust the reputation each party has earned.

NIST has a history of behaving inappropriately, and unethically around it's cryptography recommendations. But the people currently in charge would rather pretend they're above it and not literally directly responsible for the organization with a well earned reputation. If you're given a 2nd chance after your partner catches you cheating, it's a reasonable requirement that you account for every second of your time, until you restore the reputation you destroyed.

tptacek 20 hours ago | parent | next [-]

This argument is entirely non-falsifiable. You could use the same logic no matter what algorithm won the PQC competition. You can even use Vizzini logic to argue against against algorithms the NIST competition didn't pick.

grayhatter 11 hours ago | parent [-]

I'm not making a falsifiable argument. I'm stating that given their history, and current behavior I don't trust NIST and I don't think anyone else should either. They are keeping secrets around a new crypto system, the last time they did that it was to hide a known-broken crypto system.

The controversy over the PQC is the topic at hand. If they'd selected a cipher that didn't carry the objections of someone who's reputation I trust more than NIST. Then I'd trust NIST's decision, by proxy.

tptacek 10 hours ago | parent [-]

Again: it's not their cryptosystem. They didn't design it. They had no hand in its design, or in any of the research that led up to it. They proctored a competition in which everyone involved was unsurprised by the outcome. A pretty big chunk of every academic cryptographer in the world participated, and if you had put the whole thing to a vote, 60% chance you'd have still gotten Kyber and like I don't know 35% chance you'd have gotten SABER.

That's what's so crazymaking about this. People who actually pay attention to cryptography know all this, so much so that Bernstein sounds deranged to many of them. But he's counting on you not knowing any of it. Which is to say: he's preying on your ignorance. It's a bad scene.

grayhatter 9 hours ago | parent [-]

I know the backstory. I know there's no real evidence or proof against Kyber's real security, only questions. I've also read the full email threads that I was able to find. Nearly everyone looks like a shithead. I'm sure they're fine people in real life, but there are so many emails that are covered with contempt for the person they're replying to. Trustworthy people don't act like that. > But he's counting on you not knowing any of it. Which is to say: he's preying on your ignorance. It's a bad scene.

I know all of that, I also know I'm years away from the maths to understand the crypto and decide for myself. So, I'm forced to have an opinion because friends and employers will expect me to have one; like them, I'm also forced to operate on trust. Help me with this one? Because my problem is, the only person in the whole scene with ethos is djb. Not a single person in the stack has their name on *anything* that would allow me to trust them given their previous behavior.

So who's the non-deranged person that can put their ego aside, long enough to go point by point down the "deranged man"'s "psychotic rant". Where something everyone who's paying attention can point to and say, djb has stopped taking his crazy pills, here's what reality looks like. Because I went looking for it when I first heard about it, his blog has been linked to from HN many times. But no one has linked to a single other person. I agree with you, the arguments he's making are barely convincing. But one one side, I have a well respected cryptographer (who might want to consider or respond to the accusations he's becoming a bit eccentric) saying hey, y'all are fucking it up. Directly to the people who actively did something ethically inexcusable. Who not only appear to following the exact same pattern as last time, but no one is willing to put their name and time on the line?

What am I supposed to do? Get on board because NIST recommended it already, and there's the RFC for it, so why bother fighting? Just trust the current or next US administration won't do something I object to... like trying to back door crypto... again... I know you'd never actually make that recommendation... well I hope at least. But really; what would you expect me, someone who still trust djb even though his eccentric writing is desperate for an editor, and also, someone who actively believes the people in charge of NIST are ethically questionable. What should I do? where's the evidence that would convince me to switch from believing the guy working to improve foss crypto, to the org with a history of delivering backdoor'd crypto.

tptacek 8 hours ago | parent [-]

You're making my point for me. Nobody in the whole world is asking for you to take NIST's word for anything.

The problem here is that literally the only information you have to work with is Daniel Bernstein, a notorious standards crank. The names of the cryptographers vouching for Kyber don't mean anything to you. Peter Schwabe? Leo Ducas? Chris Peikert? You're not a cryptographer, who could reasonably expect you to know who those people are?

And Bernstein knows it, and plays it to the hilt.

But I already pointed this out. You keep bringing it back to NIST, but I keep telling you: if you simply let a panel of PQC contestants with credible affiliations vote on it, you'd have gotten the same outcome. So we're really just going around in circles here.

grayhatter 7 hours ago | parent [-]

My problem is with NIST, your problem is with DJB. Neither of us really want to defend either, (I assume, maybe you do want to defend one of them?) We just disagree which one is more likely to make the world worse.

I'm not taken in by the crazyness on either side, and while if pressed, it's obvious which side I would pick. I'm not so much picking a side, so much as complaining again, how we're letting a group with an earned reputation for being untrustworthy keep secrets about crypto. I hate the whole thing, but that's how little trust I have left in other people. The crazy guy is the on the side I hate less... but what to do?

edit:

> You're making my point for me. Nobody in the whole world is asking for you to take NIST's word for anything.

Literally everyone standardizing on Kyber is asking me to trust NIST, et al, and pay the additional overhead for setting up a TLS connection. I guess you could frame it as they're not asking, because I'm not being physically forced to interact with them... but then I try really hard not to engage with bad faith bait, when I'm able to resist.

tptacek 7 hours ago | parent [-]

No, nobody is asking you to trust NIST.

mswphd 20 hours ago | parent | prev | next [-]

if you blindly distrust the NSA, you should stop using x25519 immediately. It uses SHA2, which was solely developed by the NSA.

If DJB blindly distrusts the NSA, he would also recommend against SHA2. But he doesn't, and instead wants to mix a scheme developed by European academics with one built by the NSA. If you go by blind distrust, this should be extremely concerning.

Of course, I'm not suggesting you use blind distrust, and only pointing out that none of the blind distrust discourse makes any sense. We all trust SHA2, which was an explicit NSA product. Kyber had no NSA input. why is Kyber the NSA-suspect scheme?

some_furry a day ago | parent | prev [-]

> But if I am honest, NIST recommending it at all is enough to suspect it of being compromised.

NIST isn't the NSA and doesn't have the NSA's goals in mind. They are briefed by NSA on some matters, sure, but they're not the same organization.

NSA has a dual mission: Both SIGINT and COMINT. While the SIGINT folks might rub their hands and laugh evilly at the prospect of backdooring the PQ KEM that the Internet wants to move towards, this plot makes no sense at several levels.

The NSA has, through CNSA 2.0, committed to moving the entire federal government onto ML-KEM for top secret communications. The COMINT guys would shit themselves in rage if it turned out to be backdoored, even if there was enough hubris that the backdoor was NOBUS.

If you can't trust the people, you should always seek to understand their incentives if you want to predict their behavior.

My interpretation of the CNSA 2.0 move was that the NSA believes 1) that ML-KEM is actually the good stuff, and 2) the Suite B transition failed so spectacularly that they want to signal confidence in ML-KEM by recommending it without hybridization. Since pretty much everything they do is top secret, they probably can't comment further.

leonidasrup 21 hours ago | parent | next [-]

In the past NSA has weakened encryption standards, for example NSA madified DES standard. The NSA pushed backdoored design of Dual_EC_DRBG was standardized in NIST SP 800-90A.

"Weaknesses in the cryptographic security of the algorithm were known and publicly criticised well before the algorithm became part of a formal standard endorsed by the ANSI, ISO, and formerly by the National Institute of Standards and Technology (NIST). One of the weaknesses publicly identified was the potential of the algorithm to harbour a cryptographic backdoor advantageous to those who know about it—the United States government's National Security Agency (NSA)—and no one else. In 2013, The New York Times reported that documents in their possession but never released to the public "appear to confirm" that the backdoor was real, and had been deliberately inserted by the NSA as part of its Bullrun decryption program."

https://en.wikipedia.org/wiki/Dual_EC_DRBG

"NSA worked closely with IBM to strengthen the algorithm against all except brute-force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key"

https://en.wikipedia.org/wiki/Data_Encryption_Standard

The NSA published algorithms are not used for the important US secrets. For these system the classified algorithms of NSA Suite A are used.

https://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography

NSA Suite A was probably used for Space Shuttle comunication. NASA scrambled to recover classified communications gear after the Challenger shuttle disaster in 1986.

https://www.globalsecurity.org/org/news/2003/030206-comsec-s...

some_furry 20 hours ago | parent [-]

> In the past NSA has weakened encryption standards, for example NSA madified DES standard.

They made DES more secure against differential cryptanalysis (a method that was classified at the time DES was being designed). Sure, the whole "make the keys 56-bit instead of 64-bit" is a weakening, but differential cryptanalysis would have broken the entire fucking cipher if they didn't prevent it by selecting a secure S-box.

> The NSA pushed backdoored design of Dual_EC_DRBG was standardized in NIST SP 800-90A.

Correct, which another threat actor used in a backdoor by replacing the public key.

I'm not arguing that NIST isn't vulnerable to NSA influence. I'm arguing that they are not the same entity and do not have the same goals or incentives.

I'm not an NSA defender. https://furry.engineer/@soatok/116854899284071513

grayhatter 21 hours ago | parent | prev [-]

You're argument is that I shouldn't think of NIST as a patsy for the NSA, is because the NSA can't possibly be recommending a compromised cipher, because if they were, that would mean this US government org is horribly defective and dysfunctional, where one side didn't know what the other was doing?

Incentives are basically all I consider when trying to establish true motive. But you're not required to consider motive when there's a history or pattern. Even if "It's the way we've always done it", wasn't a much, much stronger motive than thought/reason is for any human. It's both logical and desired to treat something as the most dangerous until proven otherwise.

I used to be a nurse. I remember when working in the ED, I was taught that every single woman on childbearing age who comes into the ED with abdominal pain is an extopic pregnancy until proven otherwise. If you ask a woman if it's possible she could be pregnant, regardless of the truth, many will claim it's impossible. If you blindly trust them, and delay treatment, you could needlessly kill your patient, or leave them infertile. Why would someone lie and risk that? Or how dare your medical team make assumptions like that? Well the alternative is worse, the reality should be easy to prove.

NIST has a history of recommending broken ciphers. That's not a mistake a professional would ever make. So thinking about incentives, I'm going to treat it like it was intentional. Here the group with a history for fucking up, isn't being transparent. I would love it if NIST would say enough to make DJB happy or at least stop pretending like they deserve any trust anymore.

Until then, I don't find "they're probably behaving like rational actors" compelling enough to trust them with keeping secrets from somebody who I actually do trust.

some_furry 20 hours ago | parent [-]

> You're argument is that I shouldn't think of NIST as a patsy for the NSA,

Incorrect. My argument is that they aren't the same entity.

The thing you said is a whole different argument. "I like waffles" "So you hate pancakes" is happening.

> Incentives are basically all I consider when trying to establish true motive. But you're not required to consider motive when there's a history or pattern.

Yes you are. You need to consider both factors. Why render yourself willfully ignorant? That's not how you arrive at truth.

philodeon 18 hours ago | parent | next [-]

> Incorrect. My argument is that they aren't the same entity.

Your mind is going to be blown when you learn about proxy organizations and cut-outs.

some_furry 17 hours ago | parent [-]

NIST does a lot of things that have nothing to do with computer security!

Would you indict NIST MEP https://www.nist.gov/mep/about-nist-mep as being an NSA project without evidence?

philodeon 17 hours ago | parent [-]

The Godfather Part 2 demonstrated overwhelmingly that a good part of Vito Corleone’s ill-gotten gains went to strengthening his community. The Italians in his neighborhood adored him.

some_furry 17 hours ago | parent [-]

What does a work of fiction have to do with whether two distinct government entities are the same thing or not?

That's beyond moving goalposts. Just take the L, dude.

philodeon 17 hours ago | parent [-]

I was making the point that if you have subverted the NIST to do your bidding in what appears to be a neutral way, obviously you’re going to have some feel-good projects in your portfolio. Otherwise, the folks that the Soviets called “useful idiots” wouldn’t have anything to point to to exonerate them.

some_furry 16 hours ago | parent [-]

You're all over the place except where the discussion was actually taking place.

philodeon 16 hours ago | parent [-]

Ok, let me be clear: the NIST is a proxy organization for the NSA. The declassified internal history of the NSA makes it clear that they were subverting the NIST back when they were still called the National Bureau of Standards.

Just because NIST engages in some wholesome activities doesn’t mean that their core purpose isn’t to do the bidding of the NSA.

grayhatter 7 hours ago | parent [-]

> Just because NIST engages in some wholesome activities doesn’t mean that their core purpose isn’t to do the bidding of the NSA.

Their core purpose is to recommend standards that everyone can use, and anyone who wants to work with the US government is expected to follow. They have to pick standards for everything, but can't have experts in everything on staff, so are required to defer to other experts willing to help. The NSA took advantage of them. I find the idea that NIST wants to be a lackey to the NSA, stupid. It's ignorance and incompetence that lead NIST to getting duped by the NSA. The problem is, not getting dupe is literally, their *only* job.

It's like hiring a firefighter to protect you and then they set your house on fire; it doesn't matter so much why you don't have a house anymore... you just sure a hell are never letting him near anything important every again.

You're allowed to treat gross incompetence as equivalent to intentional malice, without needing to make something up about how it was intentional.

grayhatter 11 hours ago | parent | prev [-]

> Incorrect. My argument is that they aren't the same entity.

Did I claim they were the same?

> The thing you said is a whole different argument. "I like waffles" "So you hate pancakes" is happening.

uh.... you started it? What are we even doing? I'm not above this kinda comment, but I kinda assumed you were? I'd be interested if you have a take I haven't considered; but not if we're just going to try to make straw man of the other.

> Yes you are. [required to consider motive]. Why render yourself willfully ignorant? That's not how you arrive at truth.

I'm not looking for a pure truth. I'm just looking for a heuristic that's just functional enough to keep me, and my data safe. I don't even want to make a perfect is the enemy of good argument. I'm just pointing out, where my line is. I lack the maths knowledge, practical experience, fucks left to give, and spoons remaining for the things I want to spend my time one. Evaluating every bit of information I could possibly gather, and witholding and judgement is a cute idea, but I've got better things to do. NIST has in tandem with the NSA, lied, and shipped a broken crypto system. Let's pretend I don't consider that to be permanently disqualifying, resign, stand up a completely new group from scratch, black tag/non-salvageable. They've burned the default good will everyone starts with, and then peed on it for good measure. Now they're hiding information AGAIN?!

Nah, I could waste my time trying to find the objective truth. Or I could give NIST the finger, and say, make the person with the remaining good will and trust and fucks left to spend on NIST happy. Only then come back to me. Until then, I refuse, and for the same reason I refuse to review LLM PRs; I'm trying to do things, and [they] are trying to DoS my brain.

Ideally, you'd stop helping [the them], or answer the remaining objections line by line, and publicly? Then I'd have someone else with enough good will that I can trust. Because NIST is doing the opposite if they want my confidence.

dhx a day ago | parent | prev [-]

To extend on this good point--

DJB is not just a mathematician looking over theoretical equations. He's also an expert in the real world _implementation_ of cryptography where most security failures can be expected to occur.

For some mathematician's brilliant cryptography scheme, how easy would it be for implementers to develop constant time / constant power computer algorithms to avoid side channel leakage? Have these computer algorithms been developed, are they easy to implement securely or are implementers going to continually mess it up?

See [1] and [2] for answers. Summary: Technology is not ready.

[1] https://dl.acm.org/doi/10.1145/3569420

[2] https://dl.acm.org/doi/10.1145/3779208.3785290

tptacek a day ago | parent [-]

He's a cryptographer. You're describing cryptographers. You get that other cryptographers designed Kyber/MLKEM, and still more implemented it, right? There are cryptographers besides Daniel J. Bernstein.

eqvinox a day ago | parent | next [-]

I do think it's fair to make an argument that DJB's expertise in practical cryptography (both in e.g. engineering against side channel attacks as well as in publishing his own libraries) gives him a reality-minded perspective/attitude.

That said, personally speaking, his behavior as a software publisher (packaging & whatnot) is something I'd call… let's go with "subpar" and leave it at that. So while I do believe it's a fair argument, I'm not accepting it, because from my perspective he isn't putting in the necessary work to really understand software publishing.

adrian_b 20 hours ago | parent | next [-]

Bernstein as a "software publisher" cannot really be compared with anyone else, because what can be considered as great flaws in comparison with others are compensated by equally great advantages.

He has published a very large quantity of open-source software, but after publication he never bothered with any kind of maintenance, which is understandable, because he went on doing other work.

On the other hand, unlike almost any other software packages, those published by him almost did not need any maintenance. The only required changes, after decades since they were written, have been caused by external changes, e.g. the continuous evolution and instability of the Linux APIs and the replacement of various IETF RFCs.

I am still using several software packages written by DJB, which have been run continuously 24/7 for more than a quarter of century, on many servers, without ever causing any kind of problems or incidents, unlike a lot of much more notorious software packages, which had various bugs despite permanent maintenance.

tptacek a day ago | parent | prev [-]

The problem here is that for too many people, Bernstein is one of two living cryptographers with name recognition.

eqvinox a day ago | parent [-]

Ah I see what you were trying to say. It read to me (with "He's a cryptographer. You're describing cryptographers.") like you were dismissing that knowledge about implementing and shipping cryptographic libraries is a relevant expertise (or that every cryptographer would have that, which they absolutely don't.) But, yeah, he's one among a whole bunch of experts in some of these fields and certainly shouldn't be given special weight just due to his name recognition.

tptacek a day ago | parent [-]

Even the side channel stuff in particular --- Bernstein was certainly a popularizer of it, but that's been mainstream in cryptography research since the mid-2000s (and, obviously, it's Paul Kocher's claim to immortality).

One very big problem I have with Bernstein's recent activism is the way he writes to an audience you can just very clearly tell he thinks little of. He's assuming everybody who pays attention to this stuff has paid basically no attention at all to any cryptography he himself didn't write about. It's a bad argument, but that's not my big issue; my big issue is that he's making fools of his supporters. Not OK.

g-b-r a day ago | parent | prev | next [-]

"two timing leaks, KyberSlash1 and KyberSlash2, in every official reference Kyber implementation from 2017 through late 2023"

Cryptographers can be good, bad, be more or less knowledgeable about applied cryptography, and possibly have agendas.

tptacek a day ago | parent [-]

Huh, seen through that light, it's much clearer why we should all have ECC in our cryptosystems, because nothing has ever gone wrong with an ECC implementation.

g-b-r a day ago | parent | next [-]

We do all have ECC in our cryptosystems right now, and given how long it's been there, we can rely on its security much more than something new.

tptacek a day ago | parent [-]

So clearly when I go look back at the archives of Bernstein discussing 25519, I'm going to see him advocating for FFDH/25519 cascades, right?

(If my subtext wasn't clear, by the way: the implementation history of ECC is godawful.)

g-b-r a day ago | parent [-]

Was FFDH considered safe?

> the implementation history of ECC is godawful

You do know that new cryptographic code can be godawful, then?

dhx a day ago | parent | prev [-]

This reads to me as an argument of "If you thought ECDSA was bad, wait until you see MLKEM?"

ECDSA history is repeating itself again when you consider how poorly the proposed MLKEM RFC deals with side channel resistance:

From draft-ietf-tls-mlkem-8:[1]

"Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers."

From NIST SP 800-227:[2]

"Cryptographic modules for KEMs should be designed with appropriate countermeasures against side-channel attacks. This includes protecting against timing attacks with constant-time implementations and protecting memory from leakage. Universal guidelines are unlikely to be helpful as exposure to side-channel attacks varies significantly with the desired application, and countermeasures are often costly."

MLKEM is more complex and has more chances of stuff-ups in implementation than ECDSA did. A single sentence of encouragement is all that is on offer from this MLKEM RFC. It doesn't even have the lightweight "Security Considerations" section which RFC8032 for EdDSA provided.[3]

As a point of reference for how hard it is to implement side channel resistant MLKEM see [4] (formal verification) and [5] (errors in formal verification). The MLKEM RFC doesn't offer a "Security Considerations" section to explain how difficult it is to implement side channel resistant MLKEM (perhaps it's easy :S), and if it were hard to implement, to recommend use of EdDSA+MLKEM for cryptography implemented on devices an attacker may be able to physically access, or when used on public networks as a workaround given that side channel resistant EdDSA would be easier to implement.

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

[3] https://www.rfc-editor.org/info/rfc8032/#section-8.1

[4] https://github.com/pq-code-package/mlkem-native/tree/main/pr...

[5] https://eprint.iacr.org/2026/192

edit: added reference 5

eqvinox a day ago | parent [-]

> A single sentence of encouragement is all that is on offer from this MLKEM RFC.

The draft only specifies the MLKEM binding into TLS; it'd be out of scope for it to go into detail on implementation considerations for MLKEM. Those would belong in or adjacent to FIPS 203 (the actual MLKEM specification).

> It doesn't even have the lightweight "Security Considerations" section which RFC8032 for EdDSA provided.[3]

It's actually RFC8032 that this criticism would apply to, since it is actually specifying EdDSA, not just referencing it externally.

dhx a day ago | parent [-]

The draft considers FIPS 203 to be normative. Therefore FIPS 203 forms part of this draft. You can't implement this draft without first implementing FIPS 203.

FIPS 203 doesn't care about side channel resistance, per my other comment at [1]. And this draft doesn't do anything to tighten the constraints on how FIPS 203 should be implemented to provide side channel resistance.

[1] https://news.ycombinator.com/item?id=48811887

dhx a day ago | parent | prev | next [-]

Not all cryptographers (and cryptography standards) care about real world implementation, or have the same use cases in mind for their cryptography algorithms and protocols. Almost every cryptography standard in common use treats side channel resistance as an optional after-thought for implementers. This might be fine for some users, for example, the US government, because they generally don't implement cryptography on systems an attacker would have physical access to, and don't use cryptography protocols on public networks. For these users, having maximum performance at the expense of side channel resistance might be the best trade-off to make.

For most users however, side channel resistance is a very important property that shouldn't be considered an optional after-thought. If standards bodies made it mandatory to consider side channel resistance when standardising cryptography schemes, the choice of what scheme(s) to standardise could look quite different, and thus general use of cryptography would have improved security by default. If some types of users don't care about side channel resistance, then great, make use of non-side-channel-resistant cryptography optional for them to use. Don't standardise it the other way around.

For example:

FIPS 186-5 sB.1 states: "Other (constant time) algorithms that produce an equivalent result may be used."[1]

NIST SP 800-186 sE.4 states: "If one is concerned about side-channel leakage, one should compute the inverse using a constant-time algorithm."[2]

RFC 8032 s8.1 states: "Note that the example implementations in this document do not attempt to be side-channel silent."[3]

A better standard may, for example, _require_ [4] be implemented in order for an implementation to claim conformance with the standard. Not as an optional after-thought. If there are users wanting to trade off side channel resistance for performance gains, then write a new standard to that effect and remove the requirement to implement [4].

A better standardisation process may, for example, only accept candidate algorithms _if_ they are side channel resistant. This opens up the standard to as many use cases as possible. No cutting corners to pretend performance is better for one implementation because it trades off side channel resistance for performance, and no pretending side channel sensitive use cases don't exist.

[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

[3] https://www.rfc-editor.org/info/rfc8032/#section-8.1

[4] https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplic...

tosti a day ago | parent | prev [-]

I, for one, wouldn't care if Kanye West or his aunt or her neigbours dog came up with a good encryption algo. If it's good, it's good no matter who wrote it. Appeals to authority or the lack thereof draws attention away from the technical debate.

throw_a_grenade a day ago | parent [-]

Unfortunately, that's not how modern crypto works. Many mathematical problems on which algorithm rests their security are not proven to be unsolvable, but instead they're believed to be hard to solve. So here are the questions, who believes what is hard, and hard for whom.

Somehow I wouldn't trust my data on mathematical problems, for which the recommendation is that they would challenge Kayne West.

rasengan a day ago | parent | prev | next [-]

I certainly find it fascinating that the majority of those in favor come from signal intelligence agencies, while the majority of those against are PhD cryptographers.

I was happy to see the lead of Europe’s PQC team also voted with the cryptographers.

g-b-r a day ago | parent | prev | next [-]

> nothing that's happening here has really anything to do with NSA

How can you say that???

It seems to be literally only for their claim to need it that pure MLKEM is being requested..!

A summary at https://blog.cr.yp.to/20251004-weakened.html, or just see e.g. https://keymaterial.net/2025/11/27/ml-kem-mythbusting for an opposite voice stating the same...

nullc a day ago | parent | prev | next [-]

I might have expected you'd be once bitten twice shy after having once taking an aggressive position that DUAL-EC would never have backdoored anyone in practice...

The optionality of MLKEM by itself is of a similar shape to standardizing a lame DRBG that 'obviously' no one would use and anyone who would use would use the appendix parameter generation scheme that would have rendered it secure (although still slow). The reality of it was that once it was standardized NSA was able to secretly compel its use.

On one hand MLKEM by itself seems like a better choice than DUAL-EC, on the other hand that fact should make it much easier for a powerful attacker to cause a target to use it if you do have an attack that exploits this fact.

MLKEM was selected out of myriad other options through a NIST process which was directly influenced by NSA (including in manners that NIST failed to disclose and actively mislead the group about). I think this makes the commentary regarding NSA highly relevant. While it seems less like that NSA already knows of a total break in MLKEM (and indeed their influence could have been in a strengthening direction...) it's possible that their influence was motivated by things like that ease of undetectably compromising specific implementations through techniques like dopant adulteration or specialized side channel weaknesses.

If your plan it to tamper with chip mfgr or hit them with a very well aimed e-beam (e.g. to cause ion migration) after the fact then having a non-hybrid scheme is pretty obviously going to make your life much easier... Or perhaps they've taken a route similar to the one they took with Crypto AG-- this time positioning themselves as a fabless silicon vendor to sell MLKEM RTL to a market that doesn't have an implementation but already has many robust ECC implementations to choose from.

...and that's without getting into the unknown possibility of a cryptoanalytic breakthrough.

I don't think it's even safe to say that NSA would only consider NOBUS backdoors-- I don't think any of us can know how inadvisably arrogant the relevant decision makers may be and what they might consider NOBUS. Given how DUAL_EC went in Netscreen's products I think it's reasonable to argument that there is no such thing as a NOBUS backdoor when push comes to shove. Capping DES's key size is candidate example of a very much non-NOBUS weakness that NSA felt comfortable with, as one needed a particularly amount of strength to exploit it which they believed that only they had. Today, of course, a child's video game device can crack DES as a direct product of that part of their influence.

Not a great track record when fear of "store and decrypt later" attacks is much of what motivates the use of PQ key agreement today.

The consistent aggression five-eyes affiliated cryptographic-intelligence groups have had for hybrid schemes is truly difficult to comprehend-- given that practically everyone else considers them obviously prudent in all cases where the resource costs permit -- and I think this justifies the utmost concern and caution. And in terms of caution hybrid schemes are table stakes.

A major theme of DJB's cryptographic security advocacy is that cryptographic security is often as much about what you don't offer as it is what you do. A completently engineered security product is misuse resistant and it's not completely clear to me that a standard which offers the choice of a non-hybrid mlkem qualifies as misuse resistant.

That said, there are plenty of drafts that are in no way misuse resistant. :)

tptacek 19 hours ago | parent [-]

None of this makes any sense once you understand that NSA had no hand in designing MLKEM, or in shaping the LWE research that led to it. NSA designed Dual-EC. MLKEM won an open competition; its entrants are among the most reputable cryptographers in the world.

mswphd 17 hours ago | parent | next [-]

it's worth clarifying that its entrants were all qualified, and 2 other essentially identical schemes, namely New Hope and Saber, made it very deep into the NIST competition.

All 3 (roughly) took the approach of

1. take the obvious best design, and

2. tweak various internal design knobs you have access to, and

3. that's pretty much it.

So they differ in the internal design knobs they chose. But the fact that 3 independent teams all created something substantially similar to ML-KEM should be an indication of how much harder it would be for the NSA to be behind it.

nullc 17 hours ago | parent | prev [-]

Post selection is also design. Evolution by natural (or artificial, for that matter) selection works by post-selection.

I'm happy to agree that it affords much less degrees of freedom than original design, but the irrelevance argument depends on no influence rather than a lack of absolute influence.

tptacek 16 hours ago | parent [-]

I'd call this an instance of the genetic fallacy, but it's even less tethered to reason than that.

chr15m a day ago | parent | prev [-]

[flagged]

acdha a day ago | parent [-]

You’re being rude, which wouldn’t be good even if you weren’t wrong on all three counts. This is not contriving positively.

(Consider the difference between extensive peer-review and “appeal to authority”, not to mention the IETF’s dual role encouraging research along with mainstream deployments)

chr15m a day ago | parent [-]

I have edited my post to remove the rude acronym. Thank you for your feedback.

I do not think the response addresses the claims made, and uses logical fallacies in place of a well reasoned response.

> a team of highly-regarded European academic cryptographers

This is absolutely an appeal to authority.

acdha 15 hours ago | parent [-]

They didn’t get MLKEM deployed by saying “I’m a professor of computer science at $UNI, do it!” but by working within the community for many years and going through an elaborate review and standardization process with extensive peer review and public comment. That’s not infallible but it’s misleading to talk about it as if it’s the same as the U.S. federal government (a real capital-A authority) mandating it.

This matters because academic reputation is so important in the field: none of these people can force even their own universities to adopt something and if you say they pushed something through covertly you’re making a really serious claim about a core professional trait which reflects not only on them but also many of their colleagues who reviewed and supported that proposal, and that should have evidence that this was bulled through rather than simply asserting it.

chr15m an hour ago | parent [-]

Correct. The argument is not about the deployment or the technical quality of MLKEM. Pretending it is, is an appeal to authority, and is moving the goal posts from the actual argument.