> You're argument is that I shouldn't think of NIST as a patsy for the NSA,
Incorrect. My argument is that they aren't the same entity.
The thing you said is a whole different argument. "I like waffles" "So you hate pancakes" is happening.
> Incentives are basically all I consider when trying to establish true motive. But you're not required to consider motive when there's a history or pattern.
Yes you are. You need to consider both factors. Why render yourself willfully ignorant? That's not how you arrive at truth.
> In the past NSA has weakened encryption standards, for example NSA madified DES standard.
They made DES more secure against differential cryptanalysis (a method that was classified at the time DES was being designed). Sure, the whole "make the keys 56-bit instead of 64-bit" is a weakening, but differential cryptanalysis would have broken the entire fucking cipher if they didn't prevent it by selecting a secure S-box.
> The NSA pushed backdoored design of Dual_EC_DRBG was standardized in NIST SP 800-90A.
Correct, which another threat actor used in a backdoor by replacing the public key.
I'm not arguing that NIST isn't vulnerable to NSA influence. I'm arguing that they are not the same entity and do not have the same goals or incentives.
> But if I am honest, NIST recommending it at all is enough to suspect it of being compromised.
NIST isn't the NSA and doesn't have the NSA's goals in mind. They are briefed by NSA on some matters, sure, but they're not the same organization.
NSA has a dual mission: Both SIGINT and COMINT. While the SIGINT folks might rub their hands and laugh evilly at the prospect of backdooring the PQ KEM that the Internet wants to move towards, this plot makes no sense at several levels.
The NSA has, through CNSA 2.0, committed to moving the entire federal government onto ML-KEM for top secret communications. The COMINT guys would shit themselves in rage if it turned out to be backdoored, even if there was enough hubris that the backdoor was NOBUS.
If you can't trust the people, you should always seek to understand their incentives if you want to predict their behavior.
My interpretation of the CNSA 2.0 move was that the NSA believes 1) that ML-KEM is actually the good stuff, and 2) the Suite B transition failed so spectacularly that they want to signal confidence in ML-KEM by recommending it without hybridization. Since pretty much everything they do is top secret, they probably can't comment further.
Let me distill this down to its most basic structure to make sure I'm understanding you.
Supoose we're trying to decide between two services for a long term group chat.
Service A, on the server-side, sees all messages, in plaintext, sent to/from all participants--including other servers. It can log it indefinitely. It sees the whole social graph. Some servers have no k-anonymity (self-hosted, single user), some have thousands of users. They're all over the world, including in jurisdictions the NSA's TAO can operate.
Service B can only see IP addresses and ciphertext. There's only one real 'server", but it has millions of users and the encryption is widely reputed by experts. Its servers happen to be hosted on American cloud providers.
By firmly disagreeing with the linked post, you are saying you prefer Service A on the matter of privacy, only because of the jurisdiction.
> Soatok seems unable to acknowledge that centralisation is a real (privacy, security, reliability, political, …) concern here, nor to see value in the decentralised (federated/P2P) alternative protocols implementing the same double-ratched/PFS crypto primitives.
I genuinely do not understand where this impression is coming fron. The only thing I've ever written about this topic acknowledges that centralization has risks, but a perfectly decentralized system that doesn't properly encrypt data end-to-end is bad for user privacy.
The cryptography needs to be excellent. "But decentralization" doesn't cut it.
Maybe it's because I'm a bad writer, but I've heard from at least a half dozen people in recent years that they think I'm too pro-Signal when my actual stance wasn't "Signal is good" but rather "all these so-called alternatives suck ass when it comes to cryptography implementations".
Signal pisses me off in a lot of ways.
If someone joins a group chat and posts horrific content, the admins cannot clean it up. This extremely basic functionality doesn't meet the most basic bar for group moderation and safety tools. This means a troll posting a high-frequency flashing GIF to a group chat full of epileptic people is going to cause real harm. This means someone joining a chat and posting unsolicited CSAM will legally imperil everyone present and the admins are powerless to intervene at all. They seem really indifferent on fixing this.
I would love for an alternative app to materialize that provided the same level of cryptographic excellence as Signal but without the enormous ego of their marketing teams or evangelists, which actually put a microgram of care into user experience and community safety. None of the alternatives people raise meet the bar, and I find it extremely disingenuous when people insist their privacy (which is a second-order property from their cryptographic implementations) is somehow "better than Signal". So when people do this, I tend to 0day their favored apps.
What does it matter that my public arguments are tactical? Hybrid gets us to PQ faster, which makes progress on plugging up the HNDL risk.
> Your wording ("Once Q-Day happens") strongly suggests Q-Day will happen, like, it’s so certain you don’t even need to state it explicitly, you can just assume it will.
The literal opening section is talking about recent changes in direction from large Internet providers about quantum computing risks.
The rest of the article is predicated on "these companies' risk assessment turns out to be correct".
> It’s pretty clear from there that you think ECDH is now technically useless, and the only real justification for hybrid schemes (as opposed to pure PQ), is to reassure the people still unsure about the likes of ML-KEM. Sure you still do recommend going hybrid, but from what I can tell, you would have preferred a world where we go pure PQ right away.
You are extrapolating from the subsidiary clause of an if statement whose truth value I do not claim to know.
> And so would I to be honest (if ECC is a bust): one algorithm is simpler and faster than two.
> you made the argument that we should abandon ECC by not doing hybrid,
Where did I ever make that argument? In both TFA and my previous blog post, I've made it abundantly clear that I'm pro-hybrid.
My argument is simply:
1. The claimed benefits of ECDH hybridization evaporate immediately the moment Q-Day happens. No one disputes this.
2. Harvest Now, Decrypt Later (HNDL) is the primary threat we face today during the uncertain times where we don't know if Q-Day will ever happen.
Advocating for PQ+ECC hybrids over PQ is fine. But fear-mongering about PQ in this threat model is self-defeating: Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go (and PQ+PQ+EC if you really want EC). The blog post you're commenting on says this explicitly.
I'm not anti-hybrid. I'm anti "this is an NSA ploy" bullshit. And the IETF mailing list thread I'm mentioning is stuffed with this kind of irritating conspiracy theory rhetoric. I even link to, and quote, two examples of this.
> there is also the likelihood that Q-Day never arrives, either because something we don't know prevents the construction of sufficiently large quantum computers (eg. quantum gravity)
That is possible, but given the recent 2029 timelines from large Internet providers, I think it's prudent to prepare for Q-Day even if it never arrives.
> or because the entire field was a scam.
The field is like... a magnet for scams, sure. But it, itself, isn't one.
And, like, the Quantum Village at DEFCON has really failed to establish credibility in my eyes.
A NOBUS backdoor in an asymmetric primitive that looks like "X% of all keys is weak" would not explain "let's move the entire fucking federal governnent to this algorithm including implementations sourced by the private sector that don't do our secret sauxe".
Dual_EC_DRBG is the shape of backdoor that would need to apply here: even if you knew the structure of it, you would need an additional private number to attack it. Recall the Juniper vulnerability where another threat actor simply replaced the EC public key used by Juniper's Dual_EC implementation.
NOBUS without some mathematical assurance that, even should an adversary discover the same break through, they cannot decrypt the same traffic would be too risky when you consider the NSA's self interest and dual mission.
None of the NSA (or even ex-NSA) people I know have participated in this discussion at all. I imagine they're preoccupied with the current administratiom's stupid decisioms disrupting their work.
I'm a furry blogger that sometimes covers technology topics (security, cryptography, etc.)
My links:
- Fediverse: @[email protected]
- BlueSky: https://bsky.app/profile/soatok.bsky.social
- Blog: https://soatok.blog
- Github: https://github.com/soatok