NSA and IETF: Fairness

(cr.yp.to)

51 points | by WatchDog 3 hours ago

8 comments

  • tptacek 55 minutes ago
    The two most important things to understand about this kerfuffle:

    (1) MLKEM wasn't designed by NSA, but rather by a team of highly-regarded European academic cryptographers, including Bernstein's former collaborator Peter Schwabe; their submission, Kyber, was selected in an open competition in which Bernstein himself submitted a closely-related algorithm (and then contested the result, suing NIST for documents to clarify the selection.)

    (2) The RFC at issue documents the possibility of running TLS with pure MLKEM rather than in a hybrid configuration with ECDH. Hybrid TLS is already the mainstream, documented, standardized method for using PQC in a TLS connection. Bernstein is canvassing opposition to any documentation of the possibility of pure MLKEM in TLS.

    Every time Bernstein talks about NSA's sordid history, remember: nothing that's happening here has really anything to do with NSA. It would make more sense for Bernstein to be canvassing against SHA2, which NSA actually did design. But he can't do that, because normal people know enough about cryptography to understand how crazy a claim that is. Unfortunately, we can't yet say that about lattice cryptography, despite it being approximately as well-studied as ECC.

    • ekr____ 45 minutes ago
      > (2) The RFC at issue documents the possibility of running TLS with pure MLKEM rather than in a hybrid configuration with ECDH. Hybrid TLS is already the mainstream, documented, standardized method for using PQC in a TLS connection. Bernstein is canvassing opposition to any documentation of the possibility of pure MLKEM in TLS.

      Two more pieces of context here: 1. The IETF allows code point registrations based purely on the existence of a specification, and the pure ML-KEM code points have already been assigned (https://www.iana.org/assignments/tls-parameters/tls-paramete...). The question at hand is whether the IETF will publish an RFC documenting the ML-KEM cipher suites [edited to make clear that ML-KEM is documented already].

      2. It is also possible to publish an RFC via what's called "Independent Submission" (https://www.rfc-editor.org/authors/rfc-independent-submissio...), which is not subject to the IETF Consensus process. This is, for instance, how the GOST RFC (https://datatracker.ietf.org/doc/rfc9367/) was published. If the IETF opts not to publish this draft, the authors can still submit it to the Independent Submissions Editor.

      • throw0101d 31 minutes ago
        > https://www.iana.org/assignments/tls-parameters/tls-paramete...

        Further the draft that this is all about does not make a recommendation for its use. The currently IETF-recommended TLS algorithms are: X25519MLKEM768, x448, x25519, secp384r1, secp256r1.

        As noted by someone on the IETF list [1] there are already ML-KEM-only implementations in various libraries, so if we want interoperability then it's best to have a standard document. No one is forcing anyone to use this algorithm, and it's not even 'officially' recommended (per above).

        [1] https://mailarchive.ietf.org/arch/msg/tls/SXo4iVmp0ng_vi57ce...

      • eqvinox 34 minutes ago
        > The question at hand is whether the IETF will publish an RFC documenting the ML-KEM.

        The IETF document only documents how and where to put the MLKEM values into TLS. MLKEM itself is specified in FIPS203 and it just references that for the actual cryptographic details. The IETF document is in fact quite short:

        https://www.ietf.org/archive/id/draft-ietf-tls-mlkem-08.html

        (This doesn't mean the document is a stub or pointless or something like that, you do need a "what goes where".)

        • ekr____ 31 minutes ago
          You're right. Bad writing on my part. Edited to make it clear.
      • wbl 37 minutes ago
        The ISE has said they aren't progressing crypto drafts anymore.
    • teravor 8 minutes ago

          > Unfortunately, we can't yet say that about lattice cryptography, despite it being approximately as well-studied as ECC.
      
      this is an absurd claim, lattices may be as well studied as elliptic curves, but not the cryptography.
  • avidiax 1 hour ago
    This post was pretty technical. Let's explain a couple of terms:

    ML-KEM -- Module-Lattice-Based Key-Encapsulation Mechanism

    ML-DSA -- Module-Lattice-Based Digital Signature Algorithm

    solo PQ -- Using post-quantum crypto on its own

    ECC+PQ -- Using post-quantum crypto as a layer on top of traditional elliptical curve cryptography (ECC)

    So what's at stake here, is that the PQ crypto is not proven yet, and had recent implementation vulnerabilities (Kyberslash 1 & 2).

    In the NSA's defense, combining cryptosystems also creates attack surfaces, timing problems, additional complexity, etc. Perhaps they know something we don't. They have sometimes acted to strengthen public cryptography, as with the DES S-boxes and differential cryptanalysis. Of course, they also weakened the key-space...

  • JumpCrisscross 1 hour ago
    > Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES

    Is this true? The NSA pushed for weaker cryptography it could break versus stronger cryptography our adversaries couldn't?

    • tptacek 58 minutes ago
      It's complicated. The federal government pushed for a smaller DES key size, but also fixed the DES s-boxes to resist differential cryptanalysis.
  • jauntywundrkind 16 minutes ago
    Is there anything different about this DJB mailing list brigading than the other brigading he's done?

    Four days ago: https://news.ycombinator.com/item?id=48760490

  • iririririr 12 minutes ago
    if i were the nsa, I'd have spent all my research money on attacking ecc+pq, because 1. no self respecting security engineer would deploy bare pq (see cloudflare), 2. no phd research team would attack the combination (well, not before until it's too late) because that's harder than a phd requires (they will target solo pq or solo ecc). 3. it's much easier to "sell". q.e.d. this article.
  • anonym29 1 hour ago
    Highly recommended reading for effectively understanding the behavior patterns of bad-faith participants in such exchanges: https://www.scribd.com/document/345154863/Guide-to-Forum-Spi...

    If the link goes down, the content is available in many other places across the web under the title "The Gentleman's Guide To Forum Spies (spooks, feds, etc.)"

  • eqvinox 1 hour ago
    DJB keeps calling the IETF consensus process "voting". That's detrimental to his own case; when there is a vote, the vote can be manipulated. It makes much more sense to argue there is no consensus, which should be quite obvious at this point, and which can be argued even in a "60:40" situation regardless of direction. It also avoids alienating "true IETF believers".

    Apart from that, the crux of this is the codepoint allocation in the named group registry. [https://www.iana.org/assignments/tls-parameters/tls-paramete...] The requirement for that allocation (with "recommended=N" - which is what this draft has) is "Specification Required", not "IETF consensus". "Specification" for IANA registries doesn't mean IETF documents, it means:

      […] must be documented in a permanent and readily
      available public specification, in sufficient detail so that
      interoperability between independent implementations is possible.
    
    [https://datatracker.ietf.org/doc/html/rfc8126#section-4.6]

    As such I don't understand why the authors are so intent at ramming this through the IETF process when they could just put the same document whereever. The process has been sufficiently and publicly fraught enough to destroy any "reputation" that might (or might not) come associated with it being published as IETF RFC.

    [ed.: referenced wrong registry, it's named groups, not cipher suites. Makes no difference, same registration procedure.]

    FTR, the only [preliminary] entry with recommended=Y for PQ crypto is:

      4588  X25519MLKEM768  Combining X25519 ECDH with ML-KEM-768  https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-mlkem-05
    
    [ed.2: this is getting a funky spread of up & down votes, any of the downvoters mind commenting why they're downvoting?]
    • ekr____ 38 minutes ago
      Adding a little color here... There are already code points registered for pure ML-KEM on the basis of the draft.

      The hybrid code point you reference is "preliminary" in the sense that when the RFC for hybrid ECC/ML-KEM is published (it's already been approved, https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/), it will replace the reference in the registry. However, it will have the same code point and the same semantics. If, for some reason, the IETF were to change the semantics, a new code point would have to be assigned for interop reasons.

      • eqvinox 20 minutes ago
        Actually… what would even be the result of the pure MLKEM document getting dropped by the IETF? I guess the entries would temporarily be marked deprecated or something, until another reference is made available somewhere, describing the same behavior? I'm not sure what procedural blockers this might run into but my general sense is that the IETF & IANA wouldn't "block off" the already allocated codepoints from being specified elsewhere (or allocate new duplicate codepoints) so long as the behavior is identical.
        • ekr____ 12 minutes ago
          Good question.

          If the document is dropped by the IETF, nothing at all would happen. It's already a valid code point registration, and indeed the authors could have just published the document, registered the code points, and stopped (see: https://datatracker.ietf.org/doc/draft-barnes-tls-this-could...).

          If the authors decided to later pick up the document somewhere else, then they could probably get the reference changed to whatever that was, as long as the semantics were identical.

          • eqvinox 5 minutes ago
            Thanks for the link to that amazing document!
      • eqvinox 32 minutes ago
        > […] "preliminary" in the sense that when the RFC for hybrid ECC/ML-KEM is published […]

        Yes, sorry, I was just covering against people nitpicking on the document status :)

    • ButlerianJihad 21 minutes ago
      Sadly, a similar myth/fallacy persists about the Wikipedia consensus process (at least the English project and others deriving policy from it.)

      Participants in disputes and RFCs literally call their comments “!vote” in true hacker notation, to repeatedly and clearly emphasize that “vote count” is never a factor in the process of establishing consensus.

      (Elections are, however, regularly held, and votes counted, for positions such as Administrator, and the ArbCom seats, but that’s for people, not article content.)

      • eqvinox 8 minutes ago
        From the way DJB talks about IETF processes, it's quite clear to me though that he has little trust/belief in the IETF consensus process. I thought he said as much somewhere but can't find that right now. (It's particularly obvious in https://blog.cr.yp.to/20260405-votes.html)

        Which is why I'm noting the alienation of "IETF believers", which I should maybe clarify I count myself as. The IETF is a lot of people doing a lot of good work. It does include a bunch of questionable actors, anything from ignorant, incompetent, ulterior motives, to outright malicious. But all in all it has brought us the internet as it exists today and I can't help feeling a little, well, alienated by DJB's writs.

      • LastTrain 11 minutes ago
        There is a small and noisy contingent here that never fails to get bent about community driven projects accusing them of bias and insinuating that there is some kind of shadowy cabal running things and it would be hilarious if the reasons for it weren’t so transparent. Also those people are 100 percent MAGA
  • lprimeisafk 1 hour ago
    Disappointed that there is not more discussion about this as this looks to be a slow march to the government getting its way with a technology that will affect so many.