John Mattsson writes:
> We would not be prepared for PQC if it was not for the NSA.
Um, what? The PQCrypto conferences started in 2006. The PQCRYPTO grant application was filed in 2014---that's the project that produced the specifications and software for Classic McEliece, Dilithium, FrodoKEM, Kyber, NewHope, NTRU-HRSS, NTRU Prime, SABER, SPHINCS+, and more, with help from various collaborators but definitely not from NSA.

Integration plans were well underway before NSA's first post-quantum appearance, which was https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml in 2015 saying that NSA "recognizes that there will be a move, in the not distant future, to a quantum resistant algorithm suite". Notice the passive "recognizes" wording. NSA then changed this in https://web.archive.org/web/20150831131731/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml to saying that NSA "will initiate a transition to quantum resistant algorithms in the not too distant future". This "initiate" language deceived many people, but looking at the original language (first link above) shows NSA admitting that this transition was going to happen anyway. The summary of this at the end of the year from https://pqcrypto.eu.org/slides/32c3.pdf was "NSA comes late to the party and botches its grand entrance".

Google's big experiment with NewHope, starting in July 2016, worked well and didn't rely on NSA's nonexistent contributions. This was supposed to ramp up: Google said it was excited to begin preparing for quantum computers "to help ensure our users' data will remain secure long into the future", and said it would hopefully replace NewHope with something better within two years. It's important to realize why this failed: Ding stood up at a conference saying he had a patent, and he wrote to Google asking for money. See https://blog.cr.yp.to/20220129-plagiarism.html for further information about what happened.
NTRU Prime already had a paper submitted in March 2016 with sizes easily competitive with NewHope, plus initial software speeds that were fast enough to be fine for typical applications. The NTRU patent was due to expire in 2017. In short, we were already taking multiple paths to deployment. This is something else that didn't rely on NSA's nonexistent contributions. OpenSSH added NTRU Prime options in April 2019, matching earlier work from TinySSH, and eventually made NTRU Prime the default. Google deployed NTRU-HRSS.

So how exactly did NSA supposedly contribute to PQC? Sure, it's now easy to find companies citing NSA's announcements as a rationale to do some unspecified thing. When I pick random examples and look at what those companies are actually doing, what I see is the companies delaying deployment. Here's how I summarized this in a talk to the Federal Reserve TechLab: "We'll form a committee to devise an action plan to inventory current usage of cryptography to support future assessment of the steps needed to build a best-practices playbook for meeting the performance challenges of upgrading to post-quantum cryptography, with a target date after I retire."

In May 2022, the White House--- https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/ ---ordered NIST, within 90 days of issuing a PQ standard, to "release a proposed timeline for the deprecation of quantum-vulnerable cryptography in standards, with the goal of moving the maximum number of systems off quantum-vulnerable cryptography within a decade of the publication of the initial set of standards". NIST took until 2024 to get a standard issued, and then, 90 days later, issued a timeline basically saying that everyone is free to delay the upgrade until 2035. Somehow I don't think it's a coincidence that this matches NSA's announced 2035 date.
This matters for TLS WG planning because there's a clear risk of quantum attacks being carried out before 2035. I have ten years of public bets, at even odds, of a public RSA-2048 break by 2032; public technology development continues to be on track for that, with the last few years nicely visualized in graphs such as https://sam-jaques.appspot.com/quantum_landscape_2023 from Sam Jaques. Also, my median estimate (obviously with many uncertainties) is that attackers are 3 years ahead of the public. We should not be fooled by the unjustified 2035 date, and we should not be assigning any authority to NSA regarding this matter.

> D. J. Bernstein wrote:
> > More recently, NSA's Dickie George is on video claiming that NSA
> > generated the Dual EC points randomly and that Dual EC is secure.
> Do you have a link to the video?

Yes, https://blog.cr.yp.to/20220805-nsa.html (search for "Dickie") includes full quotes, a note of the two ranges of times where the video discusses Dual EC, and a link to the video for verification.

> I don't know why you (and the IETF) are so obsessed with NSA, there
> are very good reasons to take recommendations from SIGINT with a grain
> of salt and force them to provide thorough motivation, but there are
> _many_ SIGINT agencies globally.

There are definitely many other attackers, but the main argument that has been stated for non-hybrid PQ is a claim specifically about NSA, namely a claim that NSA won't authorize purchases of hybrid PQ. For companies making decisions on purely financial grounds, the weight of this rationale comes from sources such as https://web.archive.org/web/20221022163808/https://www.jcs.mil/Portals/36/Documents/Library/Instructions/CJCSI%206510.02F.pdf?ver=qUEnOsWpGPcGGMFTb4yYVA%3D%3D indicating that NSA controls the cryptographic part of the U.S. military budget. That's already a lot of money even if no other buyers adopt the same policy.
Some of the counterarguments aren't specific to NSA: (1) the claim comes from undisclosed evidence---for transparency we should see and evaluate the evidence; (2) the claim is disputed---the dispute should be resolved before action is taken on the basis of the claim; (3) pursuit of money isn't a valid argument for standardization in the first place---we should be using our engineering judgment to find the best solution for the whole Internet.

Some of the counterarguments are specific to NSA: (4) putting nonzero weight upon requests from NSA, whether the requests are direct or via intermediaries, would promote repetitions of the sabotage that prompted BCP 188; (5) _if_ we're trusting NSA's supposed expertise instead of making our own decisions, then surely we should pay attention to NSA in https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf asking for two cryptographic layers "to mitigate the ability of an adversary to exploit a single cryptographic implementation".

---D. J. Bernstein
_______________________________________________
TLS mailing list -- tls@ietf.org
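The message above argues for hybrid rather than non-hybrid PQ key exchange, and point (5) cites the "two cryptographic layers" rationale: an attacker who breaks one component should learn nothing about the traffic key. The following Python is an added illustration of that property and is not code from the email, from the IETF TLS drafts, or from any of the projects named in the thread. It implements a concatenation-style KEM combiner on top of a from-scratch RFC 5869 HKDF-SHA256. The two input secrets are constructed random bytes standing in for a classical KEM output and a post-quantum KEM output; the `"hybrid-demo-v1"` label and the transcript string are hypothetical. A real TLS hybrid design feeds the concatenated secrets into the TLS key schedule rather than a standalone HKDF call, so treat this as a model of the idea, not a drop-in implementation.

```python
"""Hybrid KEM combiner demo: one traffic key from two independent secrets.

Added example, not from the original message.  Random bytes stand in for
the outputs of a classical KEM and a post-quantum KEM; labels are made up.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt -> zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: OKM = T(1) | T(2) | ... , truncated to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_combine(ss_classical: bytes, ss_pq: bytes,
                   context: bytes, length: int = 32) -> bytes:
    """Derive one key from two shared secrets.

    Each secret is length-prefixed before concatenation so the boundary
    between them is unambiguous, then the whole string goes through HKDF
    bound to a context/transcript label.  Both inputs are required:
    changing either one changes the output, so breaking only one of the
    two KEMs gives an attacker nothing about the key.
    """
    def framed(b: bytes) -> bytes:
        return len(b).to_bytes(2, "big") + b
    ikm = framed(ss_classical) + framed(ss_pq)
    prk = hkdf_extract(b"", ikm)
    return hkdf_expand(prk, b"hybrid-demo-v1|" + context, length)


def attacker_derives_key(leaked_classical: bytes, pq_guess: bytes,
                         context: bytes, real_key: bytes) -> bool:
    """Model an attacker who fully recovered the classical secret (say, with a
    future quantum computer) but must guess the PQ secret.  True only if the
    guess reproduces the real traffic key."""
    candidate = hybrid_combine(leaked_classical, pq_guess, context)
    return hmac.compare_digest(candidate, real_key)


def demo() -> dict:
    """Constructed inputs: random bytes stand in for real KEM outputs."""
    ss_classical = os.urandom(32)  # stand-in for an X25519-style shared secret
    ss_pq = os.urandom(32)         # stand-in for a post-quantum KEM shared secret
    context = b"constructed-transcript-hash"
    key = hybrid_combine(ss_classical, ss_pq, context)
    # Attacker holds the classical secret and guesses the PQ one (all zeros).
    broken = attacker_derives_key(ss_classical, b"\x00" * 32, context, key)
    return {"key_len": len(key), "attacker_succeeds": broken}


if __name__ == "__main__":
    print(demo())  # expect {'key_len': 32, 'attacker_succeeds': False}
```

The HKDF functions can be checked against RFC 5869 test case 1 before trusting the combiner; the length prefixes matter because without them `(A, B)` and `(A', B')` with the same concatenation would derive the same key.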