Daniel J. Bernstein

@djb@mastodon.cr.yp.to
mastodon 4.4.5

Designing cryptography (deployed now: X25519, Ed25519, ChaCha20, sntrup, Classic McEliece) to proactively reduce risks. Coined phrase "post-quantum" in 2003.

0 Followers
0 Following
Joined November 16, 2022
Microblog (including tweet archive):
https://microblog.cr.yp.to
Blog:
https://blog.cr.yp.to

Posts

@djb@mastodon.cr.yp.to · 1d ago
@letoams @huitema @pedromj @paulehoffman @rsalz The basic dividing line is very simple: I endorse various _good_ things. I oppose endorsement of various _bad_ things. I'm not the one here issuing a confusing mixture of (1) acknowledging "strong consensus that pure PQ should not be recommended at this time", (2) claiming that it's good to issue RFCs on "pure" (non-hybrid) PQ, and (3) claiming that such RFCs wouldn't be endorsement despite prominently claiming "consensus of the IETF community".
@djb@mastodon.cr.yp.to · 1d ago

Why add a PQ layer? To try to reduce the damage caused by quantum computers. Why also keep the existing (low-cost) ECC layer? To try to reduce the damage from further PQ security failures. For some reason this suddenly seems difficult for U.S. military contractors to understand.

@djb@mastodon.cr.yp.to · 3d ago
@huitema @pedromj @paulehoffman @rsalz Now you're just making things up. https://blog.cr.yp.to/20251004-weakened.html gives concrete examples, such as SIKE and KyberSlash, to illustrate the PQ security risks. https://cr.yp.to/papers.html#qrcsp gives many more examples. Instead of responding to _any_ of these examples, you grossly mischaracterize what I'm saying as "that risk is very high because the promotion efforts are orchestrated by the government". Of course, you don't give a URL.
@djb@mastodon.cr.yp.to · 3d ago
@huitema @pedromj @paulehoffman @rsalz The core issue is endorsement. It isn't about having a stable reference; having a stable reference doesn't need an RFC. It isn't about interoperability; interoperability doesn't need an RFC. The "control" argument is circular; https://archive.cr.yp.to/2026-04-10/05:38:16/1w0wAgKE9fiKZKunAg8qCyVyWYZ4j-aHgW-0aFDzgcw/https/mailarchive.ietf.org/arch/msg/tls/LqG-gHxgRvVPebE3m28D8VT7dN4/ spells this out in baby steps.
@djb@mastodon.cr.yp.to · 3d ago
@huitema @pedromj @paulehoffman @rsalz All WG-issued RFCs state that they represent "the consensus of the IETF community". The important effect of issuing an RFC, as opposed to a spec just sitting around somewhere, is IETF endorsement. This matters because endorsement often triggers usage. What happened for the non-hybrid-ML-KEM-in-TLS spec is a bunch of people (the majority of people who spoke up!) objecting to an RFC, most importantly because usage would violate common-sense security rules.
@djb@mastodon.cr.yp.to · 3d ago
@huitema @pedromj @paulehoffman @rsalz The burden is the other way from what you're describing. The WG can't issue non-consensual RFCs. Conflicts must be resolved by a process of open review and discussion; if they aren't resolved then issuing an RFC would violate IETF rules for how WGs operate. It's not merely that the authors have to add a warning if there's consensus on a warning. There's no default entitlement for documents to sail through.
@djb@mastodon.cr.yp.to · 3d ago
@huitema @pedromj @paulehoffman @rsalz You're confused. The normal way to deploy post-quantum KEMs is _already_ as a second layer _on top_ of ECC. See the long list of examples at the top of https://blog.cr.yp.to/20251004-weakened.html What NSA has been trying to do is pay for IETF endorsement of a weaker alternative that removes ECC.
@djb@mastodon.cr.yp.to · 3d ago
@huitema @pedromj @paulehoffman @rsalz The previous "last call" for objections to the _non-hybrid_ ML-KEM spec produced objections from 22 people and support from 21 people. Names, quotes, links: https://blog.cr.yp.to/20260405-votes.html This is obviously very far from the "consensus of the IETF community" that every WG-issued RFC claims to have. Are you really claiming that IETF will issue this as an RFC? Why do you claim this?
@djb@mastodon.cr.yp.to · 3d ago
@huitema @paulehoffman @rsalz Let's try an example. Google and Cloudflare used CECPQ2b = ECC+SIKE for tens of millions of user connections, instead of the usual ECC. That wasn't _removing_ ECC in favor of SIKE; it was _supplementing_ ECC with SIKE. This is why the break of SIKE still left those connections with the usual security of ECC. If they had instead incompetently _removed_ ECC and replaced that with SIKE, the SIKE attack would have immediately broken all of those connections.
@djb@mastodon.cr.yp.to · 4d ago
@huitema@social.secret-wg.org @paulehoffman@infosec.exchange @rsalz@ioc.exchange It's important to distinguish the non-controversial part (rolling out a PQ layer) from the controversial part (_removing_ the existing ECC layer rather than _supplementing_ the existing ECC layer). Saying that the objection is to "promoting an unproven algorithm" misunderstands what's actually at issue. Same for lumping both parts together into a combined "approach" and saying the objection is to that.
@djb@mastodon.cr.yp.to · 4d ago
@letoams @huitema @paulehoffman @rsalz ML-KEM-768 has 1184-byte public keys and 1088-byte ciphertexts. Bleeding-edge ML-DSA-44 has 1312-byte public keys and 2420-byte signatures. It ends up sounding pretty damn stupid to complain about the extra cost of also continuing to send 32-byte ECC keys and 32-byte ECC ciphertexts.
@djb@mastodon.cr.yp.to · 4d ago
@letoams @huitema @paulehoffman @rsalz I do understand that your attempted analogy somehow involves decisions between gas vehicles, electric vehicles, and hybrids. But those have major cost differences, whereas the cost of PQ (which is dominated by communication cost for typical PQ choices) is so close to the cost of ECC+PQ that we've been seeing comic levels of failure to find _any_ application that can't afford to keep the ECC part.
@djb@mastodon.cr.yp.to · 4d ago
@letoams @huitema @paulehoffman @rsalz Requiring seatbelts in cars reduces the damage to humans from car crashes. Requiring ECC along with PQ reduces the damage to the users from PQ security failures. Saying that people are trying to prevent PQ failures doesn't break this analogy. People are also trying to prevent car crashes. I'm unable to decipher your attempt to draw another analogy: e.g., I can't figure out whether "perhaps EV technology will fail" is sticking to the topic of _safety_.
@djb@mastodon.cr.yp.to · 4d ago
@huitema@social.secret-wg.org @paulehoffman@infosec.exchange @rsalz@ioc.exchange I've been tracking the arguments and counterarguments (see https://blog.cr.yp.to/20260221-structure.html for a chart) and I don't see where you're getting this "promoting" idea from. Both sides of the debate want to roll out PQ to try to stop quantum attacks. The difference is that one side says you're allowed to replace ECC with _just_ PQ, whereas the other side is requiring ECC+PQ (at negligible extra cost) to reduce the damage caused by more failures of PQ security.
@djb@mastodon.cr.yp.to · 4d ago
@huitema@social.secret-wg.org @paulehoffman@infosec.exchange @rsalz@ioc.exchange We require seatbelts in cars to reduce the number and severity of injuries in the event of a crash. The problem with allowing seatbelts to be skipped is something we explain to 6-year-olds. No, we don't allow cars to be sold with warnings in place of seatbelts. And, no, we don't allow the seatbelt rules to be corrupted by funding from the National Morgue Association.
@djb@mastodon.cr.yp.to · 4d ago
@rsalz Example of a quote from an NSA employee on an IETF mailing list in 2025: "As the CNSA 2.0 profiles should make clear, we are looking for products that support /standalone/ ML-DSA-87 and /standalone/ ML-KEM-1024. If there is one vendor that produces one product that complies, then that is the product that goes on the compliance list and is approved for use. Our interactions with vendors suggests that this won't be a problem in most cases." See https://blog.cr.yp.to/20251004-weakened.html#tls for further quotes.
@djb@mastodon.cr.yp.to · 5d ago
@KoosPol @kbr @edwintorok @filippo There's actually already terminology that's more accessible and less confusing: "double encryption" and "double signatures" are safer than "single encryption" and "single signatures". People tend to say "hybrid is safer than non-hybrid" since that's more concise, or "ECC+PQ is safer than PQ" since the usual situation is that we're adding a PQ layer (trying to protect against quantum attacks) and keeping an existing ECC layer (to limit damage from PQ failures).
@djb@mastodon.cr.yp.to · 5d ago
@huitema@social.secret-wg.org @paulehoffman@infosec.exchange @rsalz@ioc.exchange Using ECC+PQ instead of non-hybrid PQ is a straightforward, low-cost, broadly recommended, broadly deployed technical step to limit the damage from PQ security failures (such as the SIKE break and KyberSlash). The problem at hand is non-technical, namely NSA pressuring various companies such as Cisco to support non-hybrid PQ. See https://blog.cr.yp.to/20251004-weakened.html#tls for quotes from employees of NSA and Cisco admitting this.
@djb@mastodon.cr.yp.to · 5d ago
@paulehoffman@infosec.exchange @rsalz@ioc.exchange Paul, great to see you showing up here! We're currently discussing Rich's delusion that NSA doesn't attack IETF. On that topic, can you please state for the record how much NSA paid you for your promotion of TLS randomness extensions in IETF (https://web.archive.org/web/20260331174508/https://sockpuppet.org/blog/2015/08/04/is-extended-random-malicious/)? Or are you denying that this happened? Also, do you dispute https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/checkoway saying that Dual EC becomes thousands of times cheaper to attack whenever those randomness extensions are deployed?
@djb@mastodon.cr.yp.to · 5d ago
@rsalz @darkuncle Okay, so you're not disputing the authenticity of https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220/ regarding NSA paying the RSA company to roll out Dual EC. Now let's look at an IETF part of the Dual EC story. Are you disputing the accuracy of, e.g., https://web.archive.org/web/20251229182801/https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/ and https://web.archive.org/web/20260331174508/https://sockpuppet.org/blog/2015/08/04/is-extended-random-malicious/ saying NSA paid your colleagues Paul Hoffman and Eric Rescorla to coauthor with NSA a series of IETF drafts on "Extended Random" etc.? The payment is again overt leverage towards the consultants.
@djb@mastodon.cr.yp.to · 5d ago
@rsalz @darkuncle NSA has a huge budget to "covertly influence and/or overtly leverage" cryptographic designs: https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf NSA _paying_ the RSA company to put Dual EC into RSA's BSafe library (https://www.reuters.com/article/us-usa-security-rsa-idUSBRE9BJ1C220131220/) is an example of overt leverage towards the RSA company, and of covert influence for the public not knowing about this. Same for NSA _paying_ companies to put non-hybrids into products. Do you dispute these examples of covert influence and/or overt leverage? If so, why?
@djb@mastodon.cr.yp.to · 5d ago
@jzb @rsalz @darkuncle Side note re "crypto expert": The issue here is basic security risk management. For example, Google and Cloudflare tried ECC+SIKE (CECPQ2b: https://web.archive.org/web/20260411125124/https://blog.cloudflare.com/the-tls-post-quantum-experiment/) for tens of millions of user connections, and then SIKE was publicly broken years later. The only reason this didn't immediately expose all those user connections to attackers is that the connections were still encrypted with ECC.
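To make the CECPQ2b point above concrete, here is an added example (not code from the original posts, nor Google's or Cloudflare's) of a "double encryption" combiner: a real pure-Python X25519 layer (RFC 7748) plus a constructed stand-in for the PQ KEM's shared secret, where the combiner label and the `derive_key`/`handshake` names are assumptions. It runs the same handshake with and without the ECC layer and checks what an attacker who has recovered the PQ secret (the SIKE-break situation) can derive.

```python
"""ECC+PQ ("double encryption") vs. a single PQ layer, the CECPQ2b scenario.

Added example; not code from the original posts or from Google/Cloudflare.
The ECC layer is a real X25519 (RFC 7748) written here in pure Python. The PQ
layer is a constructed stand-in: its shared secret is an opaque byte string,
because the scenario assumes the PQ KEM has been broken and the attacker has
already recovered that secret (what the SIKE break meant). The combiner is the
concatenate-then-hash shape used by deployed hybrids; the label string is an
assumption, not any spec's value.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665            # (486662 - 2) / 4, the Curve25519 ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127        # ignore the unused top bit of the u-coordinate
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; returns the 32-byte u-coordinate of k*u.
    The swaps use `if`, so this is readable, not constant-time."""
    k, x1 = _decode_scalar(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_key(shares: list, transcript: bytes) -> bytes:
    """Combiner: hash every layer's shared secret plus the transcript.
    Dropping the ECC layer is modelled by simply not passing its share."""
    h = hashlib.sha256(b"example-hybrid-combiner-v1")   # assumed label
    for s in shares:
        h.update(len(s).to_bytes(2, "big") + s)           # length-prefixed
    h.update(transcript)
    return h.digest()


def handshake(hybrid: bool, pq_ss: bytes, a: bytes = None, b: bytes = None) -> dict:
    """One key exchange between client (scalar a) and server (scalar b).
    Returns whether both sides agree, and whether an attacker who broke the
    PQ layer (knows pq_ss and everything on the wire, but not a or b) ends
    up with the session key. In the hybrid case the key also depends on the
    X25519 secret, which a PQ break alone does not hand over."""
    a = a or os.urandom(32)
    b = b or os.urandom(32)
    pub_a, pub_b = x25519(a, BASEPOINT), x25519(b, BASEPOINT)
    transcript = pub_a + pub_b          # a real protocol also binds the PQ ciphertext
    if hybrid:
        key_a = derive_key([x25519(a, pub_b), pq_ss], transcript)
        key_b = derive_key([x25519(b, pub_a), pq_ss], transcript)
    else:
        key_a = key_b = derive_key([pq_ss], transcript)
    attacker_key = derive_key([pq_ss], transcript)   # all the attacker can compute
    return {
        "agreed": hmac.compare_digest(key_a, key_b),
        "pq_break_exposes_session": hmac.compare_digest(attacker_key, key_a),
    }


if __name__ == "__main__":
    pq_ss = os.urandom(32)              # constructed stand-in for the PQ KEM output
    print("PQ only:", handshake(False, pq_ss))   # PQ break exposes the session
    print("ECC+PQ: ", handshake(True, pq_ss))    # PQ break alone does not
```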
@djb@mastodon.cr.yp.to · 5d ago
@rsalz Your response to the NSA budget document was "that does not mean that the NSA is corrupting the IETF". This _sounds_ to me like you're saying: well, yeah, NSA has a huge budget to attack standards and specs, but imagining that they're specifically attacking IETF is "crazy conspiracy thinking". I tried asking whether this is what you meant; you said no. Um, okay, then what exactly _are_ you claiming is "crazy conspiracy thinking"? (Edit: corrected quote "theory" -> "thinking".)
@djb@mastodon.cr.yp.to · 5d ago
@rsalz You aren't challenging the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf on NSA's massive budget to "covertly influence and/or overtly leverage" cryptography including "standards and specification for commercial public key technologies" to make all of this "exploitable". But, when there's an effort to protect IETF against such sabotage, you claim that "this thread is crazy conspiracy thinking". I ask you to say what exactly you're claiming is a conspiracy theory, and you seem unable to answer.
@djb@mastodon.cr.yp.to · Apr 11, 2026
@purpleidea https://blog.cr.yp.to/20251004-weakened.html is one introduction to what's going on, but I don't think so much context is necessary to see that these particular chair actions are problematic. Part of the job of a standards-development organization is to keep track of objections.
@djb@mastodon.cr.yp.to · Apr 11, 2026
@rsalz @darkuncle You wrote "this whole thread is crazy conspiracy thinking" but I'm unable to figure out what you're disputing, i.e., what specifically you're claiming is a conspiracy theory. You _don't_ seem to be questioning the authenticity of https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf, an internal NSA document on NSA's massive budget to weaken "standards and specification for commercial public key technologies" etc. so as to make those "exploitable". What, then, _are_ you disputing?
@djb@mastodon.cr.yp.to · Apr 11, 2026
@rsalz@ioc.exchange @darkuncle@infosec.exchange Let me see if I understand. You're agreeing that NSA has a large budget to sabotage "standards and specification for commercial public key technologies" etc., but you presume that this doesn't include IETF, since the document doesn't _specifically_ name IETF? Also, just checking: by the same logic, you presume that this doesn't include ISO? NIST? IEEE? When we recommend proactive steps to protect SDOs against sabotage, you accuse us of being crazy conspiracy theorists?
@djb@mastodon.cr.yp.to · Apr 10, 2026
@rsalz@ioc.exchange @darkuncle@infosec.exchange You think https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf is a conspiracy theory?
@djb@mastodon.cr.yp.to · Apr 10, 2026
@argv_minus_one@mastodon.sdf.org I have an introductory chart https://blog.cr.yp.to/20260221-structure.html showing the arguments and counterarguments. Most common argument from proponents: NSA is asking for non-hybrids, ergo support non-hybrids. This argument works for (1) companies chasing NSA money, (2) companies that take any excuse for extra options as a barrier to entry for competitors, and (3) people who think that "NSA Cybersecurity" isn't a conduit for https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf but rather an independent pro-security agency.
@djb@mastodon.cr.yp.to · Apr 10, 2026
The IETF TLS chairs have now issued a "last call" for objections to non-hybrid signatures in TLS. Do they admit that their previous "last call" re non-hybrid KEMs ended up with a _majority_ in opposition, and that many opposition statements obviously also apply to signatures? No.
@djb@mastodon.cr.yp.to · Apr 06, 2026
@NohatCoder Well, it's nice to see people being honest that they're chasing money at the expense of security! Sometimes people have even admitted that it's NSA money. NSA is also on record pressuring vendors to support non-hybrids. Unfortunately, the money sometimes also pressures people into fantasizing technological motivations (e.g., claiming that the spec helps high-frequency trading) and then not responding to objections. Neutral chairs would have said "Let's resolve this".
In reply to
@djb@mastodon.cr.yp.to · Apr 05, 2026
@equinox Consensus is required, certainly, but it's also impressive to see this spec not even managing to achieve majority support. A year ago the "security area director" was putting up postings claiming support for this spec from (1) everybody but me, (2) the "vast majority", and (3) the "overwhelming majority". The chairs today aren't claiming consensus but still haven't admitted how much opposition there is; they're acting as if there were merely some editorial objections.
@djb@mastodon.cr.yp.to · Apr 05, 2026

New blog post "NSA and IETF, part 7: Counting votes." https://blog.cr.yp.to/20260405-votes.html Turns out to be 22 votes against, 21 votes for: not even a majority in favor, never mind consensus. IETF management is throwing the votes away, insisting on a replay, and trying to silence opponents.
@djb@mastodon.cr.yp.to · Feb 21, 2026

Another new blog post in my NSA-and-IETF series: "The structure of the debate." https://blog.cr.yp.to/20260221-structure.html This is intended to be an accessible starting point for catching up on what's going on: it's a chart tracking the claimed pros and cons of the NSA-driven proposal on the table.
@djb@mastodon.cr.yp.to · Feb 19, 2026

https://eprint.iacr.org/2026/279 claims to chop another few bits out of the Kyber/ML-KEM security level. If the idea works then (given the attack structure) I think that it should straightforwardly combine with the larger security loss from the October paper https://eprint.iacr.org/2025/1910.
Linked paper: On the Concrete Hardness Gap Between MLWE and LWE (IACR Cryptology ePrint Archive)
Concrete security estimates for Module-LWE (MLWE) over an appropriate ring are often obtained by translating to an "equivalent" unstructured LWE instance, which implicitly treats algebraic structure a
@djb@mastodon.cr.yp.to · Feb 19, 2026

New blog post "NSA and IETF, part 5: One battle after another": https://blog.cr.yp.to/20260219-obaa.html Security objections successfully blocked the 2025 push for non-hybrids, but the chairs have now issued another "last call" and will treat anyone who doesn't object by 27 Feb as approving.
In reply to
@djb@mastodon.cr.yp.to · Jul 17, 2025
@benlockwood We can fix this inconsistency by taking away the public money for the scientists, right?