I don’t think the spy agency would use nsa.gov address to manipulate the technology trajectory.

this is literally what happened with previous NSA meddling though? Both DUAL_EC_DRBG and DES were done "officially" by the NSA.

Additionally, the main authors behind ML-KEM are all european. The design of ML-KEM is "very boring", in the sense that it's essentially the scheme that most (lattice) cryptographers would have suggested. There were 2 other NIST PQC schemes that went very far (New Hope and Saber) that were essentially the same scheme (there were minor technical differences, but it's really not that big).

DJB did not criticize anything about ML-KEM.

The TFA has nothing to do with ML-KEM, but only about how to transition from the current algorithms to post-quantum algorithms.

For now, it is completely unknown how secure ML-KEM really is, because it is too new. For many complex cryptographic algorithms a decade or even a few decades have been required until someone discovered how to break them. The predecessor of ML-KEM, SIKE, has already been broken. Perhaps nobody will break ML-KEM, or perhaps it will be broken in a couple of years.

The only risk-free strategy is to use both ML-KEM and the current key exchange algorithm. This adds a negligible cost, because ML-KEM is much more expensive.

Therefore I agree with DJB about this, because I never bet that the worst case will not happen. Any good design must work fine even when the worst happens.

DJB wrote this article after asking people to brigadge the current TLS-WG's attempt to get rough consensus on a current draft RFC for pure ML-KEM. This is clearly part of this tirade for that.

ML-KEM is not new. It's hardness is based on MLWE. LWE (a slightly harder problem) has been around for 20 years. Attacks against it stablized to be 2^{cn} time maybe 15 years ago. The value of c has been stable for nearly 10 years.

MLWE is mildly different, but still from > 1 decade ago. The only improved attacks are ~8x faster (and they are relatively naive). It has been a very popular cryptanalytic target since it was suggested (LWE has been dominating cryptography for the last >10 years).

It does not add negligible cost in all settings. In hardware, a hybrid scheme requires an implementation of SHA2 and SHA3. This is expensive.

Any good design must not do fine when even the worst happens. When we did the AES competition, we did not combine AES with DES (or 3DES) in case AES was weak.

This is beside the point though. Most cryptographers would still recommend the hybrid over pure ML-KEM. This RFC (for pure MLKEM) is marked "recommended to implement = N". It is purely for settings where the implementors independently want to use pure ML-KEM for some reason. In these settings, they should implement it against some standard, so it is interoperable.

> Most cryptographers would still recommend the hybrid over pure ML-KEM. This RFC (for pure MLKEM) is marked "recommended to implement = N". It is purely for settings where the implementors independently want to use pure ML-KEM for some reason.

That's exactly how it was with Dual_EC_DRBG.

E.g. https://www.schneier.com/essays/archives/2007/11/did_nsa_put...

   I don’t understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
  
  My recommendation, if you’re in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances.
So most cryptographers _recommended_ staying the hell away from Dual_EC_DRBG. But hey, harmless, no one serious about security would actually use it right?

Except as we know now, after the standardization NSA was able to persuade/bribe vendors to implement it.

RSA is still a viable cryptography vendor, after accepting money to backdoor their product for paying customers. The standardization gave them a fig leaf of plausible deniability. Honest mistake, could happen to anyone, right? If they had needed to implement a "non-standard" backdoor, or if it had been officially struck from the standard, it would have been a lot harder to row away from.

there has been no hint of a backdoor in ML-KEM. In fact, it (and every lattice-based scheme) has been made less efficient on purpose to rule out the only possible backdoor (the ephemeral "a" part in LWE-type samples could be fixed/standardized to something. There are plausibly some mild savings associated with this. Every "real" LWE-type scheme since the New Hope scheme, deployed in Chrome a decade ago, has chosen not to do this out of an abundance of caution).

For DUAL_EC_DRBG, the mechanism that could yield a backdoor was known pre-standardization. To get the backdoor RSA had to specifically use government chosen parameters.

These are not new concerns. If even a candidate backdoor had appeared in ML-KEM (similarly to how DUAL_EC_DRBG was), it would be a very different story. But nobody has ever even suggested something might be off!

So no, it's not exactly the same as DUAL_EC_DRBG. Different things are in fact different. Note that there are similarities to DUAL_EC_DRBG in contemporary cryptography. Russia has a block cipher Kuznyechik that has some very fishy structure in its S-box. We don't know how such structure is exploitable, but I would bet money that it is. Despite not being able to see an attack, we can see that things seem off in a concrete way. Nobody has *ever* suggested that for ML-KEM.

> there has been no hint of a backdoor in ML-KEM

Wanting to standardize it's use without the secondary layer of protection provided by existing algorithms over the objections of a well known cryptographer counts as a hint to me.

In the same way that paying RSA to make Dual-EC DRBG the default RNG in it's security products when it was newer and more expensive than alternatives was a hint.

those are not remotely the same things though? You're also (formally) wrong about DUAL_EC_DRBG for two reasons

1. the payment to RSA (in 2004) was secret. So it could not have been a public indication of a problem, as it was not discovered until nearly a decade after it happened (in 2013, when it became public)

2. the problematic part of DUAL_EC_DRBG (the "hint of a backdoor") I was mentioning was known pre-2004.

blind paranoia is not a rational approach to cryptography. I say this as someone who prefers hybrid schemes! I just don't think it is sensible to attempt to "ban" the usage of pure ML-KEM by not standardizing it. It won't work! It'll just increase the risk of non-interoperable implementations.

1: We were all aware of the default change before we became aware of the payment. But the payment is old news today. And the default change was fishy before the payment was discovered. Discovery of the payment confirmed the earlier suspicion. You're arguing a detail like a lawyer while missing the message entirely. Perhaps intentionally.

2: And? You're missing a second part to this statement. Did you intend it to support some conclusion?

> blind paranoia

Characterizing criticism this way, instead of listening, internalizing, and adjusting your position is exactly why DJB's references to previous NSA interference stick. Y'all don't just have technical differences, you're going for character assassination. DJB has been consistent and explicit about the technical nature of his objections. I find his prose on the matter clear and well reasoned.

Your arguments seem disjointed, unorganized, specious, and lacking, in comparison, and less credible for the way you respond.

> I just don't think it is sensible to attempt to "ban" the usage of pure ML-KEM by not standardizing it. It won't work! It'll just increase the risk of non-interoperable implementations.

I think it's entirely reasonable to dissuade people from building non-hybrid systems during a transition period, and refusing to standardize them is an entirely reasonable way to signal that people shouldn't build or trust such systems during such a time, even stronger than a recommended_to_implement = N. No one has attempted to "ban" anything, so that's another gross mischaracterization.

[deleted]

2006's NSA is not 2026's NSA

The NSA isn't DJB's oppositiom here. It's the majority of the international community of cryptography experts.

Your claim does not match the reality, because at the previous IETF meeting most have voted like DJB.

I cannot see how any true "expert" would have the courage to claim that in a cryptography standard it is admissible to accept risks that cannot be quantified.

For the variant supported by DJB there are no risks, while for the variant supported by NSA nobody can estimate the risks.

It is as simple as this, so it is weird that there are people arguing about a decision that should have been non-controversial.

all cryptographic risks cannot be quantified. Every cryptographer knows this. It is consistent with everything we know that oneway functions do not exist, and cryptography as a field is limited to things like Merkle Puzzles/things that are secure under physical assumptions (e.g. the wiretap channel).

The variant DJB suggests there are explicit risks. For example

1. both ECC and ML-KEM can be broken (obviously)

2. additional code complexity could increase the LoC of teh crypto implementation, making it more plausible there are implementation bugs

regardless, this is a red herring. Nearly all cryptographers still support hybrids!!! The current RFC is *not* about "use pure ML-KEM". It is instead about "if you're going to use pure ML-kem (and we explicitly recommend not doing so), here is how to do it in a standardized way".

The people arguing about this decision don't even know what the decision being made is in the first place.

> It is instead about "if you're going to use pure ML-kem (and we explicitly recommend not doing so), here is how to do it in a standardized way".

This makes the push for the standard far more suspicious. Why is it so important for this to be a standard if it is explicitly not recommended to implement at the time of standardization? The typical benefits of a standard would be to avoid disparate implementations, which seems fine for something that isn't recommended to implement.

On the other hand, lots of folks from the NSA coming out (covertly, in this hypothetical context) in support of a weak standard with dubious arguments is... the NSA's modus operandi. Additionally, the fact that the standard is being proposed so US government contractors can checks notes meet the NSA's recommendations(!!) is another reason to suspect the NSA's involvement (it seems weird I even have to write that). Especially given the "not recommended to implement" part of it; something (CNSA2) tells me that this "not recommended" will be widely disregarded in favor of "but it's a standard" to the point that an explicitly-known-to-be-weaker implementation becomes one of the, if not the, most deployed implementation in practice. Which is also the NSA's MO.

Edit:

Now that I think about it, recommendations like CNSA2 also support the NSA's spying capabilities. A single standard (or small set of standards) is easier to crack and exploit than many bespoke implementations. Granted, that's a bit of a weak argument since many bespoke implementations are likely to have their own vulnerabilities. The reason the NSA might still prefer standards be used is that a bespoke implementation will more likely have a bespoke exploit, meaning they can't use already-developed exploits and will have to spend time making one.

> Why is it so important for this to be a standard if it is explicitly not recommended to implement at the time of standardization?

This isn't a standard.

It's not on the standards track! Words mean things!

But to answer your question: some industries need an RFC. FIPS 203 also doesn't specify how to use ML-KEM in TLS.

Think phone companies.

it is easy to point to ghosts in the corner. Random fearmongering is not a technical argument though. There have been no technical arguments to justify the random fearmongering. Pointing to prior behavior in a way that is inconsistent with the current situation is especially annoying fearmongering.

The “technical arguments” are documented here: https://blog.cr.yp.to/20260221-structure.html

And those technical arguments are quite thorough, covering both the pro and the contra arguments.

That document is nonsense? The current RFC is not to say

> use pure ML-KEM > hybrid ML-KEM.

the current document is instead to say

> If you are in a setting where you REALLY want to use pure ML-KEM (though we explicitly recommend you do not do it), this is the standard you would implement against.

It is also technically inaccurate. The whole argument hinges on it being negligible cost in all environments to do hybrids. This is explicitly false. See this message on the TLS-WG on explicitly this point

https://mailarchive.ietf.org/arch/msg/tls/_9i3uIVDQ3pDRswpm9...

A large list of pros/cons detailing a question that isn't being debated that is technically inaccurate is what I would expect from an LLM, not from a competent cryptographer. I am unsurprised to see it from DJB given his behavior in the last decade regarding PQC.

> the current document is instead to say

>> If you are in a setting where you REALLY want to use pure ML-KEM (though we explicitly recommend you do not do it), this is the standard you would implement against.

Ah! This corroborates a point I made in another comment:

> Especially given the "not recommended to implement" part of it; something (CNSA2) tells me that this "not recommended" will be widely disregarded in favor of "but it's a standard" to the point that an explicitly-known-to-be-weaker implementation becomes one of the, if not the, most deployed implementation in practice. Which is also the NSA's MO.

https://news.ycombinator.com/item?id=48773930

The "setting where you REALLY want to use pure ML-KEM" is when you are are a US government contractor and therefore required by your contract to follow the NSA's recommendations (CNSA2). Given the discussion, it seems a bit dishonest not to mention that part, no?

Of course, but is there any actual evidence that these accounts are NSA related? Or is it an assumption because they are supporting the proposal (which would be very circular logic)

There's a history and a 'pattern or practice' of behavior between NSA (sometimes using other TLAs or plausibly deniable intermediaries) and standards bodies and regulatory agencies.

Demonstrating a 'pattern or practice' is the legal standard one has to meet to bust qualified immunity and shift the burden of doubt on to authorities, so I'd say it goes a fair amount past 'reasonable suspicion', which in a court is itself enough to issue search warrants.