“The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ.”

Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing… I’m instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process… The massive U.S. military budget now publicly requires cryptographic “components” to have NSA approval… In June 2024, NSA’s William Layton wrote that “we do not anticipate supporting hybrid in national security systems”…

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, “that’s what they’re willing to buy. Hence, Cisco will implement it”.]

What do you do with your control over the U.S. military budget? That’s another opportunity to “shape the worldwide commercial cryptography marketplace”. You can tell people that you won’t authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you’re actually using double encryption.

  • vacuumflower@lemmy.sdf.org
    3 days ago

    We fight wars to live in peace, we grow sheep to eat lamb chops, and we keep trust to gain reputation to then spend it. That quote about stones.

    Still very good to see someone as famous as Bernstein say this.

    But yes, it’s weird, TLS allows whatever the software on two sides of the negotiation allows and supports. GOST, something Chinese, something you’ve made yourself. Anything.

    Except if there’s somehow a vulnerability in TLS hidden in the open, but, eh, that’s a bit too conspiracy-minded for a post not discussing TLS itself.