NSA and IETF: Can an attacker purchase standardization of weakened cryptography?

Context: PQC and the IETF Dispute

  • Discussion centers on whether TLS should standardize non‑hybrid post‑quantum key exchange (a PQ KEM alone) versus hybrid key exchange (PQ KEM + classical elliptic‑curve Diffie‑Hellman).
  • A detailed appeal arguing against adopting the non‑hybrid option was filed and then formally rejected on procedural grounds by the IETF’s leadership. The blog post publicizing the complaint appeared after that rejection without mentioning it, which some find “odd” and others see as irrelevant to the technical issues.

Process vs. Engineering Concerns

  • One side argues the complaint is primarily about process: rules weren’t followed, the wrong appeal path was used, and technical disputes should go through specific channels.
  • Others counter that dismissing on procedure while ignoring documented security and complexity concerns is a bureaucratic “cop‑out” and signals that process is being used to override engineering.
  • An email autoresponder that mentions a potential fee is cited as justification for the Area Directors (ADs) not engaging with the appellant; critics call this a flimsy excuse.

Security Arguments for Hybrids

  • Pro‑hybrid commenters stress:
    • PQC (e.g., lattice‑based schemes like Kyber/ML‑KEM) is newer and less “battle‑tested” than ECC.
    • At least one candidate that survived into NIST’s fourth round (SIKE) was completely broken late in the process, and the estimated security of lattice parameter sets has repeatedly been revised downward as attacks improved.
    • Removing ECC makes the PQ scheme a single point of failure and, if weaker non‑hybrid codepoints exist alongside hybrid ones, opens the door to downgrade attacks.
    • The German (BSI) and French (ANSSI) agencies explicitly recommend hybrid schemes because PQC is “not yet trusted to the same extent” as classical crypto.
  • Hybrids are framed as “seatbelts and airbags”: modest extra cost for large risk reduction against unknown attacks.
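The “single point of failure” argument above is easiest to see in a working combiner. The following is an added example, not code from the original discussion or from any IETF draft: it implements X25519 per RFC 7748 with the standard library only, combines its shared secret with a pluggable PQ KEM through HKDF with both key shares as context, and then simulates each component being broken in turn. The concatenation order pq_ss || ec_ss mirrors my reading of the TLS X25519MLKEM768 draft (an assumption; confirm against the current draft). `ToyKEM` is a hypothetical stand-in with ML‑KEM’s API shape and no security at all, present only so the example runs offline; substitute a real ML‑KEM implementation in practice.

```python
"""Hybrid (PQ KEM + X25519) key exchange combiner, standard library only.

X25519 follows RFC 7748 (plain integers, NOT constant time: for illustration).
ToyKEM is a hypothetical, insecure stand-in with ML-KEM's keygen/encaps/decaps
shape; any object with the same three methods can be plugged in.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
X25519_BASE = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns scalar*u (32 bytes)."""
    k, x1 = _clamp(scalar), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class ToyKEM:
    """Hypothetical stand-in with ML-KEM's interface and ZERO security
    (anyone holding pk and ct recomputes ss). Swap in a real ML-KEM."""
    def keygen(self):
        sk = os.urandom(32)
        return hashlib.sha256(b"toykem-pk" + sk).digest(), sk

    def encaps(self, pk):
        ct = os.urandom(32)
        return ct, hashlib.sha256(b"toykem-ss" + pk + ct).digest()

    def decaps(self, sk, ct):
        return self.encaps_ss(hashlib.sha256(b"toykem-pk" + sk).digest(), ct)

    @staticmethod
    def encaps_ss(pk, ct):
        return hashlib.sha256(b"toykem-ss" + pk + ct).digest()


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract, zero salt
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):  # expand
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def combine(pq_ss: bytes, ec_ss: bytes, context: bytes) -> bytes:
    """Key = HKDF(pq_ss || ec_ss, both key shares). Either secret alone is
    32 bytes short of the input, so one broken component is not enough."""
    return hkdf_sha256(pq_ss + ec_ss, b"hybrid-example:" + context)


def hybrid_keygen(kem):
    pq_pk, pq_sk = kem.keygen()
    ec_sk = os.urandom(32)
    return pq_pk + x25519(ec_sk, X25519_BASE), (pq_sk, ec_sk)  # share = pq_pk||ec_pk


def hybrid_encaps(kem, peer_share: bytes):
    pq_ct, pq_ss = kem.encaps(peer_share[:-32])
    ec_sk = os.urandom(32)
    msg = pq_ct + x25519(ec_sk, X25519_BASE)  # response = pq_ct||ec_pk
    return msg, combine(pq_ss, x25519(ec_sk, peer_share[-32:]), peer_share + msg)


def hybrid_decaps(kem, secrets, own_share: bytes, msg: bytes) -> bytes:
    pq_sk, ec_sk = secrets
    return combine(kem.decaps(pq_sk, msg[:-32]), x25519(ec_sk, msg[-32:]), own_share + msg)


def run_exchange(kem=None) -> dict:
    """One exchange, then an attacker who fully recovers one component's secret."""
    kem = kem or ToyKEM()
    share, secrets = hybrid_keygen(kem)
    msg, k_resp = hybrid_encaps(kem, share)
    k_init = hybrid_decaps(kem, secrets, share, msg)
    pq_ss = kem.decaps(secrets[0], msg[:-32])      # simulated total PQ break
    ec_ss = x25519(secrets[1], msg[-32:])          # simulated CRQC break of X25519
    return {
        "agree": k_init == k_resp,
        "pq_break_suffices": combine(pq_ss, b"\x00" * 32, share + msg) == k_init,
        "ec_break_suffices": combine(b"\x00" * 32, ec_ss, share + msg) == k_init,
    }


def rfc7748_selftest() -> bool:
    """RFC 7748 section 6.1 vectors for the X25519 half."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pk, b_pk = x25519(a, X25519_BASE), x25519(b, X25519_BASE)
    return (a_pk.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and x25519(a, b_pk) == x25519(b, a_pk)
            and x25519(a, b_pk).hex() == "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


if __name__ == "__main__":
    print(run_exchange(), rfc7748_selftest())
```

The zero placeholder in `run_exchange` stands for the 32 secret bytes the attacker does not have; the point is that the derived key depends on both inputs and on both key shares, so a non‑hybrid codepoint that drops the X25519 half removes exactly that second input, which is what the downgrade concern above is about.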

Arguments Against Hybrids / In Defense of Non‑Hybrid

  • Others note that multi‑algorithm hybrids are historically niche and not standard practice when rolling out new classical algorithms.
  • They argue Kyber/ML‑KEM is based on well‑studied lattice problems (Module‑LWE), was developed by leading researchers, and is more akin to “Ed25519 vs P‑256” than to exotic schemes like SIKE.
  • Hybrids add protocol and implementation complexity, create room for new bugs, and carry performance overhead; many experts reportedly judge the marginal security gain not worth these costs.

NSA, Historical Backdoors, and Suspicion

  • Many see strong parallels to the DES key‑size reduction and to Dual EC DRBG, where NSA‑influenced choices weakened security; some recall the reported payment to a vendor to make a flawed algorithm its default.
  • The current push for non‑hybrid PQC, combined with public NSA statements opposing hybrids, is viewed by critics as a plausible attempt to widen the SIGINT “net,” even if only part of the ecosystem adopts it.
  • Others insist the Dual‑EC analogy is misleading: Dual‑EC’s unexplained constants gave it a visible backdoor mechanism and it had little technical justification, whereas ML‑KEM is mainstream lattice cryptography.

Community Dynamics and Personal Attacks

  • The thread contains heated accusations that defenders of the IETF decision “sound like” NSA propagandists; others strongly object and call for assuming good faith.
  • There is mention of potential bans from IETF lists for code-of-conduct violations and speculation about personal and interpersonal grudges affecting technical debates.
  • Some participants are uncomfortable with long, polemical blog posts they see as targeted at a lay audience, using insinuations about NSA influence rather than engaging fully with counterarguments.

Trust, Governance, and Alternatives

  • Several commenters argue that security standards this critical should not be controlled by US government–linked bodies and suggest alternatives (e.g., Linux Foundation, crypto communities with strong bug-bounty incentives).
  • Others point out that NSA has long shaped NIST standards and that, in practice, much cryptographic vetting already occurs under that shadow.
  • A subset expresses generalized distrust of the NSA (“never trust the cyber feds”) and of formal standards bodies, preferring small, simpler, independently designed crypto systems and de facto standards over large, bureaucratic RFC processes.