I'm actually quite surprised that anyone is advocating the non-hybrid PQ key exchange for real applications. If it isn't some sort of gimmick to allow NSA to break these, it's sure showing a huge amount of confidence in relatively recently developed mechanisms.
It feels kind of like saying "oh, now that we can detect viruses in sewage, hospitals should stop bothering to report possible epidemic outbreaks, because that's redundant with the sewage monitoring capability". (Except worse, because it involves some people who may secretly be pursuing goals that are the opposite of everyone else's.)
Edit: DJB said in that 2022 post
> Publicly, NSA justifies this by
>
> . pointing to a fringe case where a careless effort to add an extra security layer damaged security, and
> . expressing "confidence in the NIST PQC process".
> I'm actually quite surprised that anyone is advocating the non-hybrid PQ key exchange for real applications.
Why is that so surprising? Adopting new cryptography by running it in a hybrid mode with the cryptography it's replacing is generally not standard practice and multi-algorithm schemes are pretty niche at best (TrueCrypt/VeraCrypt are the only non-PQ cases that come to mind, although I'm sure there are others). Now you could certainly argue that PQ algorithms are untested and risky in a way that was not true of any other new algorithm and thus a hybrid scheme makes the most sense, but it's not such an obviously correct argument that anyone arguing otherwise must be either stupid or malicious.
This is quite concerning, and respect to DJB for fighting against it. However, I have to wonder...who would this actually compromise that matters to NSA?
* Targets with sufficient technical understanding would use hybrids anyway.
* Average users and unsophisticated targets can already be monitored through PRISM which makes cryptography moot.
There is so much here to debate about. A) Never trust the cyber feds. B) The NSA is not the place anyone thinks, it’s a Wild West in the most bizarre of places, trust me from experience. C) Cryptology concerns more of than security and exchanging messages or packets, sometimes you don’t even know what kind of thing (living) can and has been decrypted. D) The NSA plays very, very, very dirty. It is like a digital CIA, they are in everything (i.e. cyber spies in various roles at tech/telecom/manufacturer company xyz). E) NEVER LISTEN TO THE DAMN NSA / DRIVEN BY A CULTURE OF EXPLOITATION
I used to be such a fan of this guy. But he's turned into Ed Zitron, the same long rambling rants, except about cryptography, and except that he knows what he's talking about, and he knows that you have to know literally nothing at all about the field he's commenting on to associated Dual EC with anything happening in PQ. And if you know anything about the field, trying to compare MLKEM with SIKE is the same deal. It's really sad.
Dual EC wasn't a shockingly clever, CS-boundary-pushing hack (and NSA has apparently deployed at least one of those in the last 20 years). It was an RNG (not a key agreement protocol) based on asymmetric public key cryptography, a system where you could look at it and just ask "where's the private key?" There wasn't a ton of academic research trying to pick apart flaws in Dual EC because why would there be? Who would ever use it?
(It turns out: a big chunk of the industry, which all ran on ultra-closed source code and was much less cryptographically literate that most people thought. I was loudly wrong about this at the time!)
MLKEM is a standard realization of CRYSTALS-Kyber, an algorithm submitted to the NIST PQ contest by a team of some of the biggest names in academic PQ cryptography, including Peter Schwabe, a prior collaborator of Bernstein. Nobody is looking at MLKEM and wondering "huh, where's the private key?".
MLKEM is based on cryptographic ideas that go back to the 1990s, and were intensively studied in the 2000s. It's not oddball weird cryptography. It is to the lineage of lattice cryptography roughly what Ed25519 was to elliptic curve cryptography at the time of Ed25519's adoption.
Utterly unlike SIKE, which isn't a lattice algorithm at all, but rather a supersingular isogeny algorithm, a cryptographic primitive based on an entirely new problem class, and an extremely abstruse one at that. The field had been studying lattice cryptography intensively for decades by the time MLKEM came to pass. That's not remotely true of isogeny cryptography. Isogenies were taken seriously not because of confidence in the hardness of isogenies, but because of ergonomics: they were a drop-in replacement for Diffie Hellman in a way MLKEM isn't.
These are all things Bernstein is counting on you not knowing when you read this piece.
Thanks, I'll use Bernstein's recommendations. His article is not rambling: Mailing list discussions are just tedious to recap.
I wonder what your strategy here is. Muddying the waters and depict Bernstein as a renegade? You have made too many big-state and big-money apologist posts for that to work.
The SIKE comparison is not particularly inconsistent since Bernstein has been banging the drum that structured lattices may not be as secure as thought for years now.
Currently the best attacks on NTRU, Kyber, etc, are essentially the same generic attacks that work for something like Frodo, which works on unstructured lattices. And while the resistance of unstructured attacks is pretty well studied at this point, it is not unreasonable to suspect that the algebraic structure in the more efficient lattice schemes can lead to more efficient attacks. How efficient? Who knows.
Bernstein wasn't the only objector. There were 7 objectors and 20 proponents.
Dual EC isn't the only comparison he's making. He's also making a comparison to DES, which had an obvious weakness: 53 bit limitation, similar to the obvious weakness of non-hybrid. In neither case is there a secret backdoor. At the time of DES, the NSA publicly said they used it, to make others confident in it. Similarly, the NSA is saying "we do not anticipate supporting hybrid in NSS", which will make people confident in non-hybrid. But in the background, NSA actually uses something more secure (using 2 layers of encryption themselves).
ML-KEM and SIKE were both candidates in the PQ competition which ML-KEM won. SIKE was considered such a strong contender that it was used in production TLS experiments at scale by Google and Cloudflare. (I guess you didn’t read past the second paragraph?)
You find it offensive now to compare ML-KEM and SIKE because SIKE was so thoroughly broken and demonstrated to be worse than pre-quantum crypto. But ML-KEM may already be broken this thoroughly by NSA and friends, and they’re keeping it secret because shipping bad crypto to billions of people enables SIGINT. The idea that your professional crypto acquaintances might be on the NSA’s payroll clearly disturbs you enough that you dismiss it out of hand.
Bernstein is proposing more transparency because that is what was promised after the Dual-EC debacle. Do you disagree with Bernstein because he advocates for transparency (which could prevent bad crypto shipping), or because of his rhetorical style?
I skimmed the article, but it doesn't make too much sense. It says:
>Surveillance agency NSA and its partner GCHQ are trying to have standards-development organizations endorse weakening ECC+PQ down to just PQ.
The NSA spends about half of its resources attempting to hack the FBI and erase its evidence against them in the matter of keeping my wife and me from communicating. The other half of the staff are busy commenting online about how unfair this is, and attempting to get justice.
There are no NSA resources left for actions like the one I quoted. I don't think NSA is involved in it.
According to the New York Times in 2013, based on Snowden documents, the NSA allocates $250 million every year for the actions you quoted. They call it the “SIGINT Enabling Project”.
It sounds like there is probably some ongoing drama here, but aside from that: this post has convinced me that standards this important need to be decided on by organizations that aren't a government.
I wonder who else could reasonably host a standardization process?
Maybe the Linux Foundation?
All the cryptography talent seems to be working on ZK proofs at the moment in the Ethereum ecosysetem; I think if Vitalik organized a contest like NIST people would pay attention.
The most important thing is to incentivize attackers to break the cryptography on dummy examples instead of in the wild.
Ideally: before the algorithm is standardized.
The Ethereum folks are well setup to offer bounties for this.
If a cryptographer can make FU money through responsible disclosure, then there is less incentive to sell the exploit to dishonest parties.
The same applies to the raving push to replace RSA with ECC. A long trusted algorithm suddenly became ill-trusted, too complex to implement right, too slow, too unfashionable, and the influx of these accusations was too synchronized and templated to look like something organic.
Maybe an stunnel for CurveCP, or something like PQConnect
History has shown djb is usually right
He has been far more productive at writing software and developing cryptography that has avoided security vulnerabilities than any of the IETF WG members. The best part about his software IMHO is that it is small with low resource requirements and can primarily serve ordinary individual computer users, as opposed to large, complex, steep learning curve software primarily serving corporations like the ones that publish RFCs and send people to IETF meetings
Anyone reading this comment is probably using djb's cryptography in TLS. His contributions to today's internet are substantial
It really says a lot about "IETF" and other Silicon Valley pseudo-governance that a talented and trustworthy author, who has remained an academic when so many have sold out, gets treated like a nuisance
24 comments
[ 3.2 ms ] story [ 47.2 ms ] threadhttps://blog.cr.yp.to/20220805-nsa.html
I'm actually quite surprised that anyone is advocating the non-hybrid PQ key exchange for real applications. If it isn't some sort of gimmick to allow NSA to break these, it's sure showing a huge amount of confidence in relatively recently developed mechanisms.
It feels kind of like saying "oh, now that we can detect viruses in sewage, hospitals should stop bothering to report possible epidemic outbreaks, because that's redundant with the sewage monitoring capability". (Except worse, because it involves some people who may secretly be pursuing goals that are the opposite of everyone else's.)
Edit: DJB said in that 2022 post
Why is that so surprising? Adopting new cryptography by running it in a hybrid mode with the cryptography it's replacing is generally not standard practice and multi-algorithm schemes are pretty niche at best (TrueCrypt/VeraCrypt are the only non-PQ cases that come to mind, although I'm sure there are others). Now you could certainly argue that PQ algorithms are untested and risky in a way that was not true of any other new algorithm and thus a hybrid scheme makes the most sense, but it's not such an obviously correct argument that anyone arguing otherwise must be either stupid or malicious.
* Targets with sufficient technical understanding would use hybrids anyway.
* Average users and unsophisticated targets can already be monitored through PRISM which makes cryptography moot.
So...what's their actual end game here?
Dual EC wasn't a shockingly clever, CS-boundary-pushing hack (and NSA has apparently deployed at least one of those in the last 20 years). It was an RNG (not a key agreement protocol) based on asymmetric public key cryptography, a system where you could look at it and just ask "where's the private key?" There wasn't a ton of academic research trying to pick apart flaws in Dual EC because why would there be? Who would ever use it?
(It turns out: a big chunk of the industry, which all ran on ultra-closed source code and was much less cryptographically literate that most people thought. I was loudly wrong about this at the time!)
MLKEM is a standard realization of CRYSTALS-Kyber, an algorithm submitted to the NIST PQ contest by a team of some of the biggest names in academic PQ cryptography, including Peter Schwabe, a prior collaborator of Bernstein. Nobody is looking at MLKEM and wondering "huh, where's the private key?".
MLKEM is based on cryptographic ideas that go back to the 1990s, and were intensively studied in the 2000s. It's not oddball weird cryptography. It is to the lineage of lattice cryptography roughly what Ed25519 was to elliptic curve cryptography at the time of Ed25519's adoption.
Utterly unlike SIKE, which isn't a lattice algorithm at all, but rather a supersingular isogeny algorithm, a cryptographic primitive based on an entirely new problem class, and an extremely abstruse one at that. The field had been studying lattice cryptography intensively for decades by the time MLKEM came to pass. That's not remotely true of isogeny cryptography. Isogenies were taken seriously not because of confidence in the hardness of isogenies, but because of ergonomics: they were a drop-in replacement for Diffie Hellman in a way MLKEM isn't.
These are all things Bernstein is counting on you not knowing when you read this piece.
I wonder what your strategy here is. Muddying the waters and depict Bernstein as a renegade? You have made too many big-state and big-money apologist posts for that to work.
Currently the best attacks on NTRU, Kyber, etc, are essentially the same generic attacks that work for something like Frodo, which works on unstructured lattices. And while the resistance of unstructured attacks is pretty well studied at this point, it is not unreasonable to suspect that the algebraic structure in the more efficient lattice schemes can lead to more efficient attacks. How efficient? Who knows.
Dual EC isn't the only comparison he's making. He's also making a comparison to DES, which had an obvious weakness: 53 bit limitation, similar to the obvious weakness of non-hybrid. In neither case is there a secret backdoor. At the time of DES, the NSA publicly said they used it, to make others confident in it. Similarly, the NSA is saying "we do not anticipate supporting hybrid in NSS", which will make people confident in non-hybrid. But in the background, NSA actually uses something more secure (using 2 layers of encryption themselves).
You find it offensive now to compare ML-KEM and SIKE because SIKE was so thoroughly broken and demonstrated to be worse than pre-quantum crypto. But ML-KEM may already be broken this thoroughly by NSA and friends, and they’re keeping it secret because shipping bad crypto to billions of people enables SIGINT. The idea that your professional crypto acquaintances might be on the NSA’s payroll clearly disturbs you enough that you dismiss it out of hand.
Bernstein is proposing more transparency because that is what was promised after the Dual-EC debacle. Do you disagree with Bernstein because he advocates for transparency (which could prevent bad crypto shipping), or because of his rhetorical style?
>Surveillance agency NSA and its partner GCHQ are trying to have standards-development organizations endorse weakening ECC+PQ down to just PQ.
The NSA spends about half of its resources attempting to hack the FBI and erase its evidence against them in the matter of keeping my wife and me from communicating. The other half of the staff are busy commenting online about how unfair this is, and attempting to get justice.
There are no NSA resources left for actions like the one I quoted. I don't think NSA is involved in it.
They are not running out of resources.
I wonder who else could reasonably host a standardization process? Maybe the Linux Foundation? All the cryptography talent seems to be working on ZK proofs at the moment in the Ethereum ecosysetem; I think if Vitalik organized a contest like NIST people would pay attention.
The most important thing is to incentivize attackers to break the cryptography on dummy examples instead of in the wild. Ideally: before the algorithm is standardized. The Ethereum folks are well setup to offer bounties for this. If a cryptographer can make FU money through responsible disclosure, then there is less incentive to sell the exploit to dishonest parties.
https://mailarchive.ietf.org/arch/msg/tls/RK1HQB7Y-WFBxQaAve...
Trust the process!
This implies that what is actually being offered is Security Through Ignorance.
Is this encryption sound? Maybe, who knows! Let's wait and find out!
Maybe an stunnel for CurveCP, or something like PQConnect
History has shown djb is usually right
He has been far more productive at writing software and developing cryptography that has avoided security vulnerabilities than any of the IETF WG members. The best part about his software IMHO is that it is small with low resource requirements and can primarily serve ordinary individual computer users, as opposed to large, complex, steep learning curve software primarily serving corporations like the ones that publish RFCs and send people to IETF meetings
Anyone reading this comment is probably using djb's cryptography in TLS. His contributions to today's internet are substantial
It really says a lot about "IETF" and other Silicon Valley pseudo-governance that a talented and trustworthy author, who has remained an academic when so many have sold out, gets treated like a nuisance