NSA and IETF: Can an attacker simply purchase standardization of weakened cryptography?
31 points by noisytoot
Some context for people that are just now reading up on this. The blog post is written by Daniel Bernstein (djb), of ed25519 fame and other cryptography standards; he has had a beef with the IETF around Kyber and the standardization around ML-KEM for 2 years now.
There is a 133-email thread in the post-quantum crypto email list where he makes several claims about the security of Kyber, and subsequent emails from other cryptographers pointing out how he is wrong.
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/efW8VoJ6BAAJ
Simplified, there are two positions:
X25519. This gives us the hybrid ML-KEM+X25519 scheme that is currently being implemented by projects.
ML-KEM is not known to be weaker than other modern cryptography standards, so let's avoid the complexity of using a hybrid scheme and only rely on ML-KEM.
Only djb seems to argue that standardizing a non-hybrid scheme is a secret plot by NSA?
I'm sure there are cryptographers on lobste.rs that can elaborate a bit more on this. But I don't think taking the djb blog post at face value is a good idea.
Well, I am a cryptography engineer, and I am so exhausted by Bernstein's bad faith arguing, that I have had his emails blocked for months now. So do many of my colleagues. You'll not find much discussion of his spiels because we've all had enough and need to get actual work done. Actually, I challenge you to find a cryptography engineer (who ships production cryptography) who takes Bernstein seriously. It's not even just cryptographers, here's the author of the XML specification, just yesterday.
He is constantly making whatever argument furthers his own designs in the specific venue and occasion, shamelessly flipping around and making opposite arguments in other venues if it suits him. Any ten words we write, he responds with ten pages. And then he goes and writes misleading blog posts that ride his reputation and the anti-reputation of the spoooooky NSA to pander to non-experts. When his endless repetitive technical arguments don't land, he resorts to concern trolling and procedural objections (or legal threats). He's single-handedly slowing down adoption of post-quantum cryptography.
Why? I don't know. One answer, the likely one, is that he's just a declining scientist that has not made anything relevant for more than 10 years, and wants to slow down the deployment of designs that are bound to replace his own. It would be sad if it weren't so corrosive. Another answer, if you are conspiratorially minded and want to believe in such stuff, is documented by the CIA.
Ok but what about the core objection: pairing a well known cipher with a newer one provides more security? This seems like a very reasonable position.
Yes, hybrid key exchange is the main thing that is being specified by the IETF and deployed.
In fact, the only reason I heard colleagues consider pure PQ is because the IETF has been so slow at finalizing the hybrid specs, and Bernstein has been a big part of that slowness. He just opposed on the mailing list the Last Call of the hybrid spec.
(Not a cryptography expert!)
ML-KEM is not known to be weaker than other modern cryptography standards, so let's avoid the complexity of using a hybrid scheme and only rely on ML-KEM.
This is a weird formulation: of course when new crypto algorithms appear they are "not known to be weaker", and it can take a long time to understand how strong (or weak) they are. But usually people argue that one should be careful with new algorithms that have not been battle-tested (they are not yet known to be strong), rather than arguing as here that we should be confident in them (they are not yet known to be weak).
As a non-expert, I find the argument rather convincing that combining pre-quantum with post-quantum encryption is going to be more robust than using only less-well-known post-quantum schemes. The argument for "avoiding the complexity" seems more difficult to buy: what exactly are the complexity costs in reusing existing implementations, and how do they compare to the stronger safety guarantees?
(Also, isn't the NSA known for having actively worked to weaken cryptography standards in the past? You make it sound like this is an unreasonable suspicion to have, but it does seem reasonable if it is known to have already happened, right?)
But usually people argue that one should be careful with new algorithms that have not been battle-tested (they are not yet known to be strong), rather than arguing as here that we should be confident in them (they are not yet known to be weak).
That is covered by the first position. I'm trying to explain in general terms the different positions people are taking on this, not explain all the details of all the arguments.
Why would we standardize a non-hybrid scheme? A hybrid scheme using known classical crypto makes sure you get something and the non-hybrid scheme could actually guarantee neither quantum nor classical security! DJB's position sounds completely sane, especially given the actual history of subversion!
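The "you get something" property argued for above can be made concrete. The following is an added example, not code from any commenter and not the exact construction of any IETF draft: a simplified concatenation combiner that derives the session key from both the classical and the post-quantum shared secret via HKDF (RFC 5869), next to a PQ-only baseline. The component secrets and the transcript are constructed random/placeholder values standing in for real X25519 and ML-KEM outputs; the salt and info strings are assumptions of this sketch. The simulation shows that an attacker who has broken only one component scheme still cannot derive the hybrid key, while breaking the PQ scheme alone suffices against the non-hybrid key.

```python
import hashlib
import hmac
import secrets

# Both component secrets are fixed-length (32 bytes) so plain concatenation is unambiguous.
SS_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_combine(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Concatenation combiner: the session key is a KDF of both shared secrets
    plus the handshake transcript. Simplified sketch (assumed salt/info labels),
    not the exact construction of any IETF draft."""
    assert len(ss_classical) == SS_LEN and len(ss_pq) == SS_LEN
    prk = hkdf_extract(b"hybrid-kex-demo-salt", ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid session key|" + transcript, 32)


def pure_pq_key(ss_pq: bytes, transcript: bytes) -> bytes:
    """Non-hybrid baseline: the session key depends on the PQ secret only."""
    prk = hkdf_extract(b"pq-only-demo-salt", ss_pq)
    return hkdf_expand(prk, b"pq-only session key|" + transcript, 32)


def attacker_recovers_key(break_classical: bool, break_pq: bool, hybrid: bool = True) -> bool:
    """Simulate one session. An attacker who has 'broken' a component scheme
    learns that component's shared secret; for an unbroken component it only
    has a guess (modelled as a fresh random value). Returns True if the
    attacker ends up holding the real session key."""
    ss_classical = secrets.token_bytes(SS_LEN)  # constructed stand-in for an X25519 output
    ss_pq = secrets.token_bytes(SS_LEN)         # constructed stand-in for an ML-KEM output
    transcript = b"constructed-handshake-transcript"

    atk_classical = ss_classical if break_classical else secrets.token_bytes(SS_LEN)
    atk_pq = ss_pq if break_pq else secrets.token_bytes(SS_LEN)

    if hybrid:
        real = hybrid_combine(ss_classical, ss_pq, transcript)
        guess = hybrid_combine(atk_classical, atk_pq, transcript)
    else:
        real = pure_pq_key(ss_pq, transcript)
        guess = pure_pq_key(atk_pq, transcript)
    return hmac.compare_digest(real, guess)


if __name__ == "__main__":
    print("hybrid, classical broken:", attacker_recovers_key(True, False))
    print("hybrid, PQ broken:      ", attacker_recovers_key(False, True))
    print("hybrid, both broken:    ", attacker_recovers_key(True, True))
    print("PQ-only, PQ broken:     ", attacker_recovers_key(False, True, hybrid=False))
```

The design point is that the combined key is only recoverable when both inputs are known, so the hybrid stays at least as strong as the stronger surviving component; the cost is carrying two key exchanges and the combiner logic, which is the "complexity" traded off in the positions above.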
Standards become standards when somebody who wants them puts in the effort.
The problem with djb is that the only argument he can come up with for something he personally doesn't like is "they're nefarious," and he'll fight things out to the bitter end like that, collateral damage be damned.
So why would anybody be interested in non-hybrid PQ enough to start the process of standardizing? Some random ideas I just made up on the spot:
"Build Your Own Hybrid", for example by taking two physically distinct crypto devices by different vendors and chaining them. That way, even if some failure (default extra admin password, ...) makes its way in, you'd have to get through two vendors' systems to bypass the crypto.
"Build Your Own Hybrid, pt. 2" - there are a few non-public ciphers out there, and having the PQ-only part standardized would make it easier to pair them with PQ, without the extra baggage of carrying two classical ciphers around.
"Build Your Own Hybrid, pt. 3" - why not PQ_1(PQ_2(classical(data)))?
Raising table stakes. It's easy to chill out on the cushion hybrid provides because "classical crypto makes sure you get something". Indeed... Until that ceases to be true, when everything unravels immediately. With PQ-only somewhere in practical use, that might increase the interest in actually attacking the PQ side of things, learning more about it faster.
But djb is fully aboard the conspiracy train and it gets tiring. An actual-cryptographer (I'm not) colleague of mine from over a decade ago was worn out by these antics even then. Guess more folks are losing patience.
How is it a "conspiracy" when a public and certified history of subverting a standards body exists? You're talking the way people did before the leaks.
People will overwhelmingly use the defaults; anyone intent on subverting cryptography standards knows this.
Yup, this is a very concerning set of procedural violations at the IETF. There has been a consistent non-response to the accusation of secret discussions happening - not a denial.