“The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ.”
Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing… I’m instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process… The massive U.S. military budget now publicly requires cryptographic “components” to have NSA approval… In June 2024, NSA’s William Layton wrote that “we do not anticipate supporting hybrid in national security systems”…
[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, “that’s what they’re willing to buy. Hence, Cisco will implement it”.]
What do you do with your control over the U.S. military budget? That’s another opportunity to “shape the worldwide commercial cryptography marketplace”. You can tell people that you won’t authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you’re actually using double encryption.
- Nobody gives a shit about NIST if they lose the one thing that makes them useful: their credibility.
- If some credible doubt is shed on them … then NIST is just an acronym with no power.
- That being said IMHO a pragmatic heuristic is spotting “Do what I say, not what I do” and thus if NSA relies on PQ, or hybrid, or something, well, you can deduce from that they assume whatever solution they do NOT use is then not safe in a useful lifespan (which might be totally different from your threat model).
- Edit: did tinker with https://openquantumsafe.org/about/ in particular https://github.com/open-quantum-safe so if you have an opinion on that I’d be curious.
- If some credible doubt is shed on them … then NIST is just an acronym with no power.
- Doubt it, given that NIST has no credibility among researchers, only in the general public that ignores their shenanigans:
  - NIST already approved NSA backdoors.
  - NIST has an extensive record of collaborating with NSA, including following their orders.
  - NIST is pushing for insecure post-quantum algorithms, that may be secure against quantum computers, but weak against normal, modern computers.
- NIST doesn’t need credibility, it simply needs to pass along NSA’s approval stamp for $next_algorithm, so $next_algorithm becomes a widely used standard.
- Pushing for insecure post-quantum algorithms, that may be secure against quantum computers
- Eh, I doubt that is how it works. We do not have quantum computers yet, so how we prove security in quantum settings is by specifying the adversary to have specified quantum capabilities, in addition to classical capabilities. Hence, broken under traditional attack means broken under quantum attack.
- You can say that new post-quantum schemes are less verified compared to established classical schemes, but that does not mean classical is necessarily more secure.
- I think we both agree on the same thing, I communicated it badly. The better approach is to apply a post-quantum algorithm on top of a classical one, so you are safe against both types of computers. The advantage of this approach is that you need to crack both algorithms at the same time.
- NIST seems to prefer a hybrid approach, where a single algorithm is supposedly safe against both classical and quantum computers, leaving you with a single point of failure.
- You can always encrypt the payload twice if you want. But really what are you arguing? That every time you encrypt something, you should encrypt it serially with all known encryption algorithms “just in case?” Hell why not do it again just to make sure?
- A key component of encryption is efficiency. Most cryptographic processes are going to be occurring billions of times across billions of transactions and involving billions of systems. It’s worthwhile for robust encryption algorithms to be efficient and avoid unnecessary calculations unless those calculations demonstrate some advantage. For example PBKDF2, where the multiple rounds of identical encryption convey a demonstrable increase in time to decrypt via brute-force mechanisms. If the standard is 4096 which it was in 2005, you coming along and saying, but why isn’t it 4097? The CIA is using >4096, therefore that means that 4096 is insecure! Isn’t really understanding why 4096 was chosen to begin with. Additionally no one is stopping you from using one million iterations with key1 and then doing another million rounds with key2.
- That’s not what I’m trying to say. I’m not saying apply 1000 classical algos on top of 1000 quantum algos. I’m saying that post-quantum needs to be an extra layer, not a replacement.
- This is explained further in the first few sentences of the third link I posted: https://blog.cr.yp.to/20251004-weakened.html. Note the author is an expert in the topic: https://en.wikipedia.org/wiki/Daniel_J._Bernstein
- Well I haven’t seen the argument for why quantum-resistant encryption would somehow be weaker to traditional cryptographic techniques. I understand that early “quantum encryption” algorithms were flawed, and it’ll probably be a long time before we get the DES of Quantum Encryption. But all that means is that we don’t have vetted “strong” quantum encryption techniques yet, and should stick with traditional encryption since quantum encryption isn’t worth it yet. If Quantum encryption becomes worthwhile, we shouldn’t have “traditional encryption”, because it will be obsolete. If the first cylinder lock was easily bypassed compared to my old reliable wafer lock, then why should I use the cylinder lock at all? Now that cylinder locks are better than wafer locks why should I use a tumbler lock at all? There is no added security by using a wafer lock.
- Quantum computers represent a complete paradigm shift. Modern quantum computers beat classical ones on some problems, while still not being able to factor some 2 digit numbers. A single algorithm would probably arrive some day, but why risk it right now? The Signal protocol adopted Post-Quantum some years ago. Them going for a hybrid algorithm not well tested over several years against classical computers would have been a security disaster.
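The “extra layer, not a replacement” point that the thread keeps circling, and the “double encryption” that the quoted blog post describes, is in protocol terms a KEM combiner: the pre-quantum shared secret and the post-quantum shared secret are both fed into one key derivation, so an attacker has to recover both to get the session key. The following Python is an added example, not code from the blog post, from any commenter, or from Open Quantum Safe; it shows the concatenation combiner shape (`KDF(ss_classical || ss_pq, transcript)`) used by hybrid TLS 1.3 key exchanges, with both ciphertexts bound into the derivation. All function names are mine, and the sample byte strings are constructed stand-ins for X25519 and ML-KEM-768 outputs, not real KEM values.

```python
import hashlib
import hmac

HASH = hashlib.sha256
KEY_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch PRK into `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(data: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(4, "big") + data


def hybrid_key(ss_classical: bytes, ss_pq: bytes,
               ct_classical: bytes, ct_pq: bytes,
               label: bytes = b"hybrid-kem-example") -> bytes:
    """Concatenation combiner (hypothetical helper name).

    K = HKDF-Expand(HKDF-Extract(label, ss_classical || ss_pq), transcript).
    Both shared secrets are in the IKM, so if either KEM is broken and its
    secret is known to the attacker, the other still contributes its full
    entropy. Both ciphertexts are in the info field, so a key derived for one
    exchange cannot be replayed under a different ciphertext pair.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("a hybrid needs both shared secrets; refuse to fall back")
    ikm = _lp(ss_classical) + _lp(ss_pq)
    transcript = _lp(ct_classical) + _lp(ct_pq)
    return hkdf_expand(hkdf_extract(label, ikm), transcript, KEY_LEN)


def _flip_first_byte(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x01]) + data[1:]


def key_depends_on_every_input(ss_classical: bytes, ss_pq: bytes,
                               ct_classical: bytes, ct_pq: bytes) -> bool:
    """Sanity check: changing any single input must change the derived key.

    Models the 'one component broken' case: an attacker who knows three of
    the four inputs exactly but has the fourth wrong gets a different key.
    """
    baseline = hybrid_key(ss_classical, ss_pq, ct_classical, ct_pq)
    variants = [
        hybrid_key(_flip_first_byte(ss_classical), ss_pq, ct_classical, ct_pq),
        hybrid_key(ss_classical, _flip_first_byte(ss_pq), ct_classical, ct_pq),
        hybrid_key(ss_classical, ss_pq, _flip_first_byte(ct_classical), ct_pq),
        hybrid_key(ss_classical, ss_pq, ct_classical, _flip_first_byte(ct_pq)),
    ]
    return all(not hmac.compare_digest(v, baseline) for v in variants)


# Constructed sample inputs (sizes match X25519 and ML-KEM-768, values do not).
SS_CLASSICAL = b"\x11" * 32      # X25519 shared secret is 32 bytes
SS_PQ = b"\x22" * 32             # ML-KEM shared secret is 32 bytes
CT_CLASSICAL = b"\x33" * 32      # X25519 ephemeral public key is 32 bytes
CT_PQ = b"\x44" * 1088           # ML-KEM-768 ciphertext is 1088 bytes

if __name__ == "__main__":
    k = hybrid_key(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, CT_PQ)
    print("hybrid key:", k.hex())
    print("depends on every input:", key_depends_on_every_input(
        SS_CLASSICAL, SS_PQ, CT_CLASSICAL, CT_PQ))
```

The `ValueError` on a missing secret is the design choice worth noticing: a hybrid that silently derives a key from only one component when the other is absent is exactly the “just PQ” or “just ECC” downgrade the blog post argues against, so the combiner refuses rather than falls back.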
- I was wondering what djb was up to lately. Glad to see he is still poking bears. 