Cryptologist DJB Criticizes Push to Finalize Non-Hybrid Security for Post-Quantum Cryptography
In October, cryptologist and CS professor Daniel J. Bernstein alleged that America's National Security Agency (and its UK counterpart GCHQ) were attempting to influence NIST to adopt weaker post-quantum cryptography standards without a "hybrid" approach that would've also included pre-quantum ECC. Bernstein is of the opinion that "Given how many post-quantum proposals have been broken and the continuing flood of side-channel attacks, any competent engineering evaluation will conclude that the best way to deploy post-quantum [PQ] encryption for TLS, and for the Internet more broadly, is as double encryption: post-quantum cryptography on top of ECC." But he says he's seen it playing out differently:

By 2013, NSA had a quarter-billion-dollar-a-year budget to "covertly influence and/or overtly leverage" systems to "make the systems in question exploitable"; in particular, to "influence policies, standards and specification for commercial public key technologies". NSA is quietly using stronger cryptography for the data it cares about, but meanwhile is spending money to promote a market for weakened cryptography, the same way that it successfully created decades of security failures by building up the market for, e.g., 40-bit RC4 and 512-bit RSA and Dual EC. I looked concretely at what was happening in IETF's TLS working group, compared to the consensus requirements for standards-development organizations. I reviewed how a call for "adoption" of an NSA-driven specification produced a variety of objections that weren't handled properly. ("Adoption" is a preliminary step before IETF standardization....) On 5 November 2025, the chairs issued "last call" for objections to publication of the document. The deadline for input is "2025-11-26", this coming Wednesday.
Bernstein also argues that the document is "out of scope" for the IETF TLS working group:

This document doesn't serve any of the official goals in the TLS working group charter. Most importantly, this document is directly contrary to the "improve security" goal, so it would violate the charter even if it contributed to another goal... Half of the PQ proposals submitted to NIST in 2017 have been broken already... often with attacks having sufficiently low cost to demonstrate on readily available computer equipment. Further PQ software has been broken by implementation issues such as side-channel attacks.

He is separately concerned about how the Internet Engineering Task Force is handling the discussion itself:

On 17 October 2025, they posted a "Notice of Moderation for Postings by D. J. Bernstein" saying that they would "moderate the postings of D. J. Bernstein for 30 days due to disruptive behavior effective immediately" and specifically that my postings "will be held for moderation and after confirmation by the TLS Chairs of being on topic and not disruptive, will be released to the list"... I didn't send anything to the IETF TLS mailing list for 30 days after that. Yesterday [November 22nd] I finished writing up my new objection and sent that in. And, gee, after more than 24 hours it still hasn't appeared... Presumably the chairs "forgot" to flip the censorship button off after 30 days.

Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.
