
Bernstein's Blog

Posted Dec 9, 2025 19:55 UTC (Tue) by chris_se (subscriber, #99706)
In reply to: Bernstein's Blog by brunowolff
Parent article: Disagreements over post-quantum encryption for TLS

> > I cannot fathom the reasoning why anyone would want to standardize a pure PQC algorithm at this point in time.
>
> You mean, other than the obvious one, that the NSA is trying to weaken encryption, like we know they have done more than once (DES, Dual EC, IPSEC) in the past?

Ok, let me rephrase this: s/anyone/anyone with an honest interest in widely available strong cryptography/ ;-)

That said, I don't think things are quite as clear-cut in this situation (in contrast to the egregious Dual EC DRBG case [*]); the following scenarios are possible in my opinion:

1. The NSA wants the new standard to be weak and can already break the specific PQC algorithm described here.
2. The NSA wants the new standard to be weak and believes it will be able to break the specific PQC algorithm described here very soon. (They found a weakness that they think with further development will allow them to break it, but can't do it just yet.)
3. The NSA wants the new standard to be weak and is gambling on the fact that the specific PQC algorithm will be broken in the near future (but could be completely wrong).
4. The NSA has some other interest in forcing this to be standardized (e.g. because they already specified this in a secret contract and have given a contractor a lot of money and want to ensure this becomes a standard) but don't want to explicitly weaken the new standard.
5. The NSA does not want to weaken the new standard, but some middle manager with a huge ego is forcing the other employees to do this, not for any technical reason, but because they decided this at some point and now want to ram this through.

If you think (1) or (2) are likely true then that specific PQC algorithm should be avoided regardless of whether a pure or a hybrid application is used. Personally I think either (3), (4) or (5) is the case, and I find either one of them quite plausible.

[*] The Dual EC DRBG case was unique because it gave the NSA the possibility to insert a back door into the algorithm without making the algorithm intrinsically insecure if you DIDN'T know the secret parameters used to create the back door. For the NSA there was no downside to this - nobody else would be able to break this, but they would. I don't think this applies in the case of the PQC algorithms that were standardized, because after the Dual EC DRBG fiasco people in crypto competitions have been very wary of specific magic numbers and I don't believe the current standardized PQC algorithms allow for such a type of back door. And while the NSA wants to be able to break all crypto themselves, they also have a vested interest in preventing other people from breaking it, which is why e.g. the DES situation was not as clear-cut as the Dual EC DRBG case, in that they did strengthen DES against specific attacks (while limiting key sizes to make brute force easier, because back then they did have an edge on compute power, which I don't believe they have anymore).

Bernstein's Blog

Posted Dec 9, 2025 21:55 UTC (Tue) by ballombe (subscriber, #9523)

You forget the more likely:

6. The NSA wants the new standard to require major change in sensitive code paths so that they can exploit bugs in the implementation independently of the strength of PQC.

Bernstein's Blog

Posted Dec 9, 2025 23:17 UTC (Tue) by dvdeug (subscriber, #10998)

Which strikes me as unlikely. The NSA probably has the best cryptanalysis in the world. It has computer resources only a large government could devote to cracking encryption. Does the NSA think it is worth making encryption vulnerable to Joe Schmoe with a brain and a hundred-dollar laptop (and the Russian mob and North Korea) just so they can crack in?


Copyright © 2026, Eklektix, Inc.