Back Original

NSA and IETF: Fairness


Older (Access-J): 2026.07.04: Bugs happen: The easy way to compare solo PQ to ECC+PQ. #pqcrypto #bugs #vulnerabilities #hybrids

Table of contents (Access-I for index page)
2026.07.06: NSA and IETF, part 8: Fairness. #pqcrypto #hybrids #nsa #ietf #riskmanagement
2026.07.04: Bugs happen: The easy way to compare solo PQ to ECC+PQ. #pqcrypto #bugs #vulnerabilities #hybrids
2026.07.02: A standard by any other name: How IETF evades responsibility for its actions. #standards #doublespeak
2026.06.30: Understanding lattice risks: Many differences between marketing and reality. #lattices #software #looseness #modules #asymptotics #worstcase
2026.06.19: EuroQCI feedback: A simple idea for improving Europe's investments in data security. #qkd #quantumcrypto #euroqci #pqcrypto
2026.04.05: NSA and IETF, part 7: Counting votes. #pqcrypto #hybrids #nsa #ietf #voting
2026.02.21: NSA and IETF, part 6: The structure of the debate. #pqcrypto #hybrids #nsa #ietf #chart
2026.02.19: NSA and IETF, part 5: One battle after another. #pqcrypto #hybrids #nsa #ietf #lastcall
2025.11.23: NSA and IETF, part 4: An example of censored dissent. #pqcrypto #hybrids #nsa #ietf #scope
2025.11.23: NSA and IETF, part 3: Dodging the issues at hand. #pqcrypto #hybrids #nsa #ietf #dodging
2025.11.23: NSA and IETF, part 2: Corruption continues. #pqcrypto #hybrids #nsa #ietf #corruption
2025.10.05: MODPOD: The collapse of IETF's protections for dissent. #ietf #objections #censorship #hybrids
2025.10.04: NSA and IETF: Can an attacker simply purchase standardization of weakened cryptography? #pqcrypto #hybrids #nsa #ietf #antitrust
2025.09.30: Surreptitious surveillance: On the importance of not being seen. #marketing #stealth #nsa
2025.04.23: McEliece standardization: Looking at what's happening, and analyzing rationales. #nist #iso #deployment #performance #security
2025.01.18: As expensive as a plane flight: Looking at some claims that quantum computers won't work. #quantum #energy #variables #errors #rsa #secrecy
2024.10.28: The sins of the 90s: Questioning a puzzling claim about mass surveillance. #attackers #governments #corporations #surveillance #cryptowars
2024.08.03: Clang vs. Clang: You're making Clang angry. You wouldn't like Clang when it's angry. #compilers #optimization #bugs #timing #security #codescans
2024.06.12: Bibliography keys: It's as easy as [1], [2], [3]. #bibliographies #citations #bibtex #votemanipulation #paperwriting
2024.01.02: Double encryption: Analyzing the NSA/GCHQ arguments against hybrids. #nsa #quantification #risks #complexity #costs
2023.11.25: Another way to botch the security analysis of Kyber-512: Responding to a recent blog post. #nist #uncertainty #errorbars #quantification
2023.10.23: Reducing "gate" counts for Kyber-512: Two algorithm analyses, from first principles, contradicting NIST's calculation. #xor #popcount #gates #memory #clumping
2023.10.03: The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level. #nist #addition #multiplication #ntru #kyber #fiasco
2023.06.09: Turbo Boost: How to perpetuate security problems. #overclocking #performancehype #power #timing #hertzbleed #riskmanagement #environment
2022.08.05: NSA, NIST, and post-quantum cryptography: Announcing my second lawsuit against the U.S. government. #nsa #nist #des #dsa #dualec #sigintenablingproject #nistpqc #foia
2022.01.29: Plagiarism as a patent amplifier: Understanding the delayed rollout of post-quantum cryptography. #pqcrypto #patents #ntru #lpr #ding #peikert #newhope
2020.12.06: Optimizing for the wrong metric, part 1: Microsoft Word: Review of "An Efficiency Comparison of Document Preparation Systems Used in Academic Research and Development" by Knauff and Nejasmic. #latex #word #efficiency #metrics
2019.10.24: Why EdDSA held up better than ECDSA against Minerva: Cryptosystem designers successfully predicting, and protecting against, implementation failures. #ecdsa #eddsa #hnp #lwe #bleichenbacher #bkw
2019.04.30: An introduction to vectorization: Understanding one of the most important changes in the high-speed-software ecosystem. #vectorization #sse #avx #avx512 #antivectors
2017.11.05: Reconstructing ROCA: A case study of how quickly an attack can be developed from a limited disclosure. #infineon #roca #rsa
2017.10.17: Quantum algorithms to find collisions: Analysis of several algorithms for the collision problem, and for the related multi-target preimage problem. #collision #preimage #pqcrypto
2017.07.23: Fast-key-erasure random-number generators: An effort to clean up several messes simultaneously. #rng #forwardsecrecy #urandom #cascade #hmac #rekeying #proofs
2017.07.19: Benchmarking post-quantum cryptography: News regarding the SUPERCOP benchmarking system, and more recommendations to NIST. #benchmarking #supercop #nist #pqcrypto
2016.10.30: Some challenges in post-quantum standardization: My comments to NIST on the first draft of their call for submissions. #standardization #nist #pqcrypto
2016.06.07: The death of due process: A few notes on technology-fueled normalization of lynch mobs targeting both the accuser and the accused. #ethics #crime #punishment
2016.05.16: Security fraud in Europe's "Quantum Manifesto": How quantum cryptographers are stealing a quarter of a billion Euros from the European Commission. #qkd #quantumcrypto #quantummanifesto
2016.03.15: Thomas Jefferson and Apple versus the FBI: Can the government censor how-to books? What if some of the readers are criminals? What if the books can be understood by a computer? An introduction to freedom of speech for software publishers. #censorship #firstamendment #instructions #software #encryption
2015.11.20: Break a dozen secret keys, get a million more for free: Batch attacks are often much more cost-effective than single-target attacks. #batching #economics #keysizes #aes #ecc #rsa #dh #logjam
2015.03.14: The death of optimizing compilers: Abstract of my tutorial at ETAPS 2015. #etaps #compilers #cpuevolution #hotspots #optimization #domainspecific #returnofthejedi
2015.02.18: Follow-You Printing: How Equitrac's marketing department misrepresents and interferes with your work. #equitrac #followyouprinting #dilbert #officespaceprinter
2014.06.02: The Saber cluster: How we built a cluster capable of computing 3000000000000000000000 multiplications per year for just 50000 EUR. #nvidia #linux #howto
2014.05.17: Some small suggestions for the Intel instruction set: Low-cost changes to CPU architecture would make cryptography much safer and much faster. #constanttimecommitment #vmul53 #vcarry #pipelinedocumentation
2014.04.11: NIST's cryptographic standardization process: The first step towards improvement is to admit previous failures. #standardization #nist #des #dsa #dualec #nsa
2014.03.23: How to design an elliptic-curve signature system: There are many choices of elliptic-curve signature systems. The standard choice, ECDSA, is reasonable if you don't care about simplicity, speed, and security. #signatures #ecc #elgamal #schnorr #ecdsa #eddsa #ed25519
2014.02.13: A subfield-logarithm attack against ideal lattices: Computational algebraic number theory tackles lattice-based cryptography.
2014.02.05: Entropy Attacks! The conventional wisdom says that hash outputs can't be controlled; the conventional wisdom is simply wrong.

2026.07.06: NSA and IETF, part 8: Fairness. #pqcrypto #hybrids #nsa #ietf #riskmanagement

Secret NSA documents showed that NSA pushed DES in the 1970s to "drive out competitors" while knowing that DES was "weak enough" to break; meanwhile NSA publicly claimed that it would use DES. NSA used export-law exceptions in the 1990s to entrench RC4 and RSA-512, causing security problems for decades. NSA in the 2000s sabotaged RNG standards and paid companies to deploy those. NSA by the 2010s had a quarter-billion-dollar-a-year budget to "covertly influence and/or overtly leverage" standards and other systems to make them "exploitable" while "the consumer and other adversaries" think that "the systems' security remains intact".

The current vote in the IETF TLS WG, labeled in IETF doublespeak as a "last call", is regarding an overtly NSA-driven push for an IETF RFC on solo ML-KEM in TLS. Issuing an RFC means issuing IETF endorsement of solo ML-KEM in TLS. Presumably the next step after RFCs on solo ML-KEM and solo ML-DSA in TLS is that NSA will keep spending money to encourage broader deployment of solo ML-KEM and solo ML-DSA. This will be an inexcusable security disaster because of the predictable influx of ML-KEM software bugs and ML-DSA software bugs, never mind the risk of security flaws in the specifications.

IETF rules say that participation is "open to all". This vote on solo ML-KEM says it "ends 2026-07-08". I don't know whether this means that on the 8th you'll still be able to file your vote, nor do I know which time zone they're talking about, but clearly the end is nigh.

IETF also says that all "official work" of a WG is carried out on the WG's mailing list. For this particular vote, opposition messages have appeared on the mailing list from more and more people (60 so far). Proponents are trying every argument they can think of to stop that number from growing—to make you hesitate to speak up. For example:

I've done quite a few updates of my chart of arguments and counterarguments, most recently on 25 June 2026. Proponents keep making flawed arguments, ignoring every important objection, and ignoring an IETF rule saying that disagreements "must be resolved by a process of open review and discussion". Proponents seem to understand that solo PQ can't survive the mandated consensus-building process, so they've replaced that with a political voting process, and they're blatantly packing the vote. For example, we've seen positive votes from

etc. [20260706 edit: added Lear.]

But maybe you've heard proponents claiming that, no, it's the other way around: that opponents are making flawed arguments, ignoring every important objection to those, and packing the vote.

Maybe you end up unsure which side is right in evaluating the merits of the spec. Is it reasonable to risk incorrectly casting a vote against this spec? Is it reasonable to risk incorrectly casting a vote for this spec? If you're not sure, isn't it better to stay silent?

Well, no, because risk analysis includes looking not just at what can go wrong and at how likely it is to go wrong but also at the consequences. The consequences in this case are radically different, in part because of a basic pro-endorsement bias that's built into IETF's procedures and in part because the impact of one type of error is vastly less severe than the impact of the other type. Let me explain.

There's no IETF rule limiting the number of "last calls" that a document can go through. This particular document has already had three "last calls": one in November 2025, one in February 2026, and the current one starting in June 2026.

If after a "last call" the WG chairs declare "rough consensus" on issuing an RFC, that's it. The WG is done with the document. The document is rubber-stamped by a small committee called IESG and then published as an RFC claiming "consensus of the IETF community", without the word "rough" and without any acknowledgment of dissent.

IESG goes through the motions of asking for community input, but even if the input is overwhelmingly negative there are no rules forcing IESG to reject the document. The majority of IESG consists of defense contractors (plus one NSA lifer, Deb Cooley), so it's not as if IESG is going to reject an NSA-driven document. Technically, there are various types of appeals possible, but those are handled by IESG and a similarly biased committee called IAB, not by a neutral tribunal.

If, on the other hand, the WG chairs don't declare "rough consensus" on issuing an RFC, then there's nothing in the rules stopping them from trying again. That's why we're already on the third "last call" for ietf-tls-mlkem.

See how unfair this is? See how it's biased towards the companies that want to push a draft forward and that can afford to flood IETF with participants?

IETF says the following rule is "fundamental": "IETF participants use their best engineering judgment to find the best solution for the whole Internet, not just the best solution for any particular network, technology, vendor, or user." It also says that disagreements "must be resolved by a process of open review and discussion", as I noted above. Obviously that isn't at all what's happening here. Instead of seeing people working together to engineer the best solution for the whole Internet, you're seeing a voting process with disagreements that still haven't been resolved. That's a familiar situation in politics but it's not how IETF is supposed to work.

With this in mind, let's think again about the risks when you're not sure which vote is right:

If you click on statements from proponents and opponents then you again and again see this giant difference in impact. Opponents are typically talking about the damage that PQ screwups do to security for the general public. Meanwhile a typical proponent rationale says that it will be convenient to simplify ECC+PQ down to solo PQ "if and when quantum computers start really doing their thing and people lose their attachment to quantum-vulnerable cryptography"; um, ok, how exactly does this make it problematic to delay this document?

The most extreme-sounding statement from a proponent is a claim that having to deal with ECC+ML-KEM would "consume literal years of my life". Surely this "years" claim isn't meant to be taken seriously—surely he doesn't mean to declare that he's grossly incompetent at his job—but the bigger picture is that security people do invest effort in trying to protect many more people; that's the whole point.

Isn't it obvious how important the public interest is in avoiding security failures? Shouldn't this interest be fairly represented in IETF?

Let me go back to the procedural point about the pro-endorsement bias built into IETF procedures. It's easy to check that, yes, this really is the third "last call" for ietf-tls-mlkem. Look at the "last call": it claims that "significant developments" had addressed "the concerns raised in the last WGLC", and on this basis it concludes that a "third consensus call is warranted".

I went through my list of the 22 people who had filed objections during the previous "last call" for ietf-tls-mlkem:

Eight of us (and many more people) are already on record objecting again in this "last call". The real function of the third "last call" is to impose redundant work—which doesn't matter for companies such as Cisco that can afford to send 100 people to every IETF meeting, but matters much more for those of us representing the public interest.

The same message from the chairs claimed that if there isn't "rough consensus" then "we will stop discussing the draft and not progress it". This claim is a marketing trick, not something that can be enforced against the chairs or other document proponents under IETF rules.

I noted in my previous blog post that the chairs had promised in February 2025 to call for TLS adoption of ECC+PQ signatures but then never followed through. Of course I hope that drawing attention to this misbehavior will deter future misbehavior by the chairs, but nothing in IETF rules stops the chairs from saying that circumstances changed and that this wasn't a commitment. Similarly, if the third "last call" for solo ML-KEM fails then nothing in IETF rules stops the chairs from issuing a fourth "last call". Again, this is not symmetric between yes and no: if the third "last call" passes then it's final and you'll never have another chance to cast a vote on ietf-tls-mlkem.

Of course, if you're casting a negative vote on the basis of the fact that there are unresolved objections, then there's a clear risk that proponents will just wait and then call another vote while still not addressing the objections. But won't this evasion help you see what the right vote is? Also, think again about the impact of errors: if opponents are right, if what we're talking about here is sabotaging security for millions of users, then every delay in this sabotage is a big win.


Version: This is version 2026.07.06 of the 20260706-fairness.html web page.