Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography

Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography - Slashdot

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ."
Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...
[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]
What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.
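The "double encryption" DJB describes is, in protocol terms, a hybrid KEM combiner: both the ECC shared secret and the PQ shared secret feed one key derivation, so an attacker must break both to recover the session key. The following is an added example, not code from DJB's post or from any project named on this page; it models the combiner as a concatenate-then-HKDF construction (a design assumption here, not a claim about any specific standard), uses only the Python standard library, and stands in constructed random byte strings for the X25519 and ML-KEM outputs since neither primitive is available without third-party packages.

```python
import hashlib
import hmac
import os

# Minimal HKDF-SHA256 (RFC 5869 shape) built from the standard library.
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_combine(ss_ecc: bytes, ss_pq: bytes, ct_ecc: bytes, ct_pq: bytes,
                   label: bytes = b"demo-hybrid-ecc+pq") -> bytes:
    """ECC+PQ hybrid: both shared secrets are key material, both ciphertexts
    are bound into the salt, so the key depends on every component."""
    salt = hashlib.sha256(ct_ecc + ct_pq).digest()
    return hkdf_expand(hkdf_extract(salt, ss_ecc + ss_pq), label, 32)

def pq_only_combine(ss_pq: bytes, ct_pq: bytes,
                    label: bytes = b"demo-pq-only") -> bytes:
    """The weakened variant the post argues against: a single PQ KEM."""
    salt = hashlib.sha256(ct_pq).digest()
    return hkdf_expand(hkdf_extract(salt, ss_pq), label, 32)

def outcome_after_pq_break(ss_ecc: bytes, ss_pq: bytes, ct_ecc: bytes, ct_pq: bytes):
    """Simulate an attacker who has fully broken the PQ KEM (knows ss_pq and
    both ciphertexts) but not the ECC component. Returns
    (hybrid_recovered, pq_only_recovered)."""
    real_hybrid = hybrid_combine(ss_ecc, ss_pq, ct_ecc, ct_pq)
    real_pq_only = pq_only_combine(ss_pq, ct_pq)
    # Without ss_ecc the attacker can only guess; a wrong guess yields a
    # different key. Searching the 256-bit ss_ecc space is not feasible.
    guessed_ss_ecc = b"\x00" * 32
    attacker_hybrid = hybrid_combine(guessed_ss_ecc, ss_pq, ct_ecc, ct_pq)
    attacker_pq_only = pq_only_combine(ss_pq, ct_pq)
    return (hmac.compare_digest(real_hybrid, attacker_hybrid),
            hmac.compare_digest(real_pq_only, attacker_pq_only))

if __name__ == "__main__":
    # Constructed stand-ins for X25519 / ML-KEM shared secrets and ciphertexts.
    ss_ecc, ss_pq = os.urandom(32), os.urandom(32)
    ct_ecc, ct_pq = os.urandom(32), os.urandom(1088)
    print("hybrid key:", hybrid_combine(ss_ecc, ss_pq, ct_ecc, ct_pq).hex())
    print("(hybrid recovered, pq-only recovered):",
          outcome_after_pq_break(ss_ecc, ss_pq, ct_ecc, ct_pq))
```

The symmetric case (ECC broken, PQ intact) holds by the same argument; the point of binding both secrets into one KDF is that each layer covers the other's failure, which is exactly the property lost when a deployment is talked down to PQ only.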
Nobody gives a shit about NIST if they lose the one thing that makes them useful: their credibility.
If some credible doubt is shed on them ... then NIST is just an acronym with no power.
That being said, IMHO a pragmatic heuristic is spotting "Do what I say, not what I do", and thus if NSA relies on PQ, or hybrid, or something, well, you can deduce from that they assume whatever solution they do NOT use is then not safe in a useful lifespan (which might be totally different from your threat model).
Edit: did tinker with https://openquantumsafe.org/about/ in particular https://github.com/open-quantum-safe so if you have an opinion on that I'd be curious.
Doubt it, given that NIST has no credibility among researchers, only in the general public that ignores their shenanigans:
NIST doesn't need credibility, it simply needs to pass along NSA's approval stamp for $next_algorithm, so $next_algorithm becomes a widely used standard.
Eh, I doubt that is how it works. We do not have quantum computers yet, so how we prove security in quantum settings is by specifying the adversary to have specified quantum capabilities, in addition to classical capabilities. Hence, broken under traditional attack means broken under quantum attack.
You can say that new post-quantum schemes are less verified compared to established classical schemes, but that does not mean classical is necessarily more secure.