Bernstein's Blog

Posted Dec 15, 2025 14:39 UTC (Mon) by paulj (subscriber, #341)
In reply to: Bernstein's Blog by farnz
Parent article: Disagreements over post-quantum encryption for TLS

I think experience already shows this approach is impossible.

to post comments

Bernstein's Blog

Posted Dec 15, 2025 15:08 UTC (Mon) by farnz (subscriber, #17727) [Link]

Indeed, but it's what the NSA is required to do - prevent non-US entities from communicating with encryption the NSA can break, while ensuring that US entities have access to encryption that cannot be broken at all, not even by the NSA, but only when communicating with other US entities.

This is an impossible task, and the NSA trying to do it is why it ends up completely untrustworthy - since you never know whether you're dealing with someone who's focused on the "non-US entities cannot communicate without us breaking their encryption", or whether you're dealing with someone who's focusing on "US entities must have access to unbreakable encryption".

And you'd still have that problem if the NSA was a single person - how do you know whether they're focusing on "non-US entities must not have encryption we cannot break" or "US entities must have encryption no-one can break"?