John Mattsson writes:
> We would not be prepared for PQC if it was not for the NSA.

Um, what?

The PQCrypto conferences started in 2006. The PQCRYPTO grant application
was filed in 2014---that's the project that produced the specifications
and software for Classic McEliece, Dilithium, FrodoKEM, Kyber, NewHope,
NTRU-HRSS, NTRU Prime, SABER, SPHINCS+, and more, with help from various
collaborators but definitely not from NSA. Integration plans were well
underway before NSA's first post-quantum appearance, which was

    https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

in 2015 saying that NSA "recognizes that there will be a move, in the
not distant future, to a quantum resistant algorithm suite".

Notice the passive "recognizes" wording. NSA then changed this in

    https://web.archive.org/web/20150831131731/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

to saying that NSA "will initiate a transition to quantum resistant
algorithms in the not too distant future". This "initiate" language
deceived many people, but looking at the original language (first link
above) shows NSA admitting that this transition was going to happen
anyway. The summary of this at the end of the year from

    https://pqcrypto.eu.org/slides/32c3.pdf

was "NSA comes late to the party and botches its grand entrance".

Google's big experiment with NewHope, starting in July 2016, worked well
and didn't rely on NSA's nonexistent contributions. This was supposed to
ramp up: Google said it was excited to begin preparing for quantum
computers "to help ensure our users' data will remain secure long into
the future", and said it would hopefully replace NewHope with something
better within two years. It's important to realize why this failed: Ding
stood up at a conference saying he had a patent, and he wrote to Google
asking for money. See https://blog.cr.yp.to/20220129-plagiarism.html for
further information about what happened.

NTRU Prime already had a paper submitted in March 2016 with sizes easily
competitive with NewHope, plus initial software speeds that were fast
enough to be fine for typical applications. The NTRU patent was due to
expire in 2017. In short, we were already taking multiple paths to
deployment. This is something else that didn't rely on NSA's nonexistent
contributions. OpenSSH added NTRU Prime options in April 2019, matching
earlier work from TinySSH, and eventually made NTRU Prime the default.
Google deployed NTRU-HRSS.

So how exactly did NSA supposedly contribute to PQC?

Sure, it's now easy to find companies citing NSA's announcements as a
rationale to do some unspecified thing. When I pick random examples and
look at what those companies are actually doing, what I see is the
companies delaying deployment. Here's how I summarized this in a talk to
the Federal Reserve TechLab: "We'll form a committee to devise an action
plan to inventory current usage of cryptography to support future
assessment of the steps needed to build a best-practices playbook for
meeting the performance challenges of upgrading to post-quantum
cryptography, with a target date after I retire."

In May 2022, the White House---

    https://www.whitehouse.gov/briefing-room/statements-releases/2022/05/04/national-security-memorandum-on-promoting-united-states-leadership-in-quantum-computing-while-mitigating-risks-to-vulnerable-cryptographic-systems/

---ordered NIST, within 90 days of issuing a PQ standard, to "release a
proposed timeline for the deprecation of quantum-vulnerable cryptography
in standards, with the goal of moving the maximum number of systems off
quantum-vulnerable cryptography within a decade of the publication of
the initial set of standards". NIST took until 2024 to get a standard
issued, and then, 90 days later, issued a timeline basically saying that
everyone is free to delay the upgrade until 2035. Somehow I don't think
it's a coincidence that this matches NSA's announced 2035 date.

This matters for TLS WG planning because there's a clear risk of quantum
attacks being carried out before 2035. I have ten years of public bets,
at even odds, of a public RSA-2048 break by 2032; public technology
development continues to be on track for that, with the last few years
nicely visualized in graphs such as

    https://sam-jaques.appspot.com/quantum_landscape_2023

from Sam Jaques. Also, my median estimate (obviously with many
uncertainties) is that attackers are 3 years ahead of the public. We
should not be fooled by the unjustified 2035 date, and we should not be
assigning any authority to NSA regarding this matter.

> D. J. Bernstein wrote:
> > More recently, NSA's Dickie George is on video claiming that NSA
> > generated the Dual EC points randomly and that Dual EC is secure.
> Do you have a link to the video?

Yes, https://blog.cr.yp.to/20220805-nsa.html (search for "Dickie")
includes full quotes, a note of the two ranges of times where the video
discusses Dual EC, and a link to the video for verification.

> I don’t know why you (and the IETF) are so obsessed with NSA, there
> are very good reasons to take recommendations from SIGINT with a grain
> of salt and force them to provide thorough motivation, but there are
> _many_ SIGINT agencies globally.

There are definitely many other attackers, but the main argument that
has been stated for non-hybrid PQ is a claim specifically about NSA,
namely a claim that NSA won't authorize purchases of hybrid PQ. For
companies making decisions on purely financial grounds, the weight of
this rationale comes from sources such as

    https://web.archive.org/web/20221022163808/https://www.jcs.mil/Portals/36/Documents/Library/Instructions/CJCSI%206510.02F.pdf?ver=qUEnOsWpGPcGGMFTb4yYVA%3D%3D

indicating that NSA controls the cryptographic part of the U.S. military
budget. That's already a lot of money even if no other buyers adopt the
same policy.

Some of the counterarguments aren't specific to NSA: (1) the claim comes
from undisclosed evidence---for transparency we should see and evaluate
the evidence; (2) the claim is disputed---the dispute should be resolved
before action is taken on the basis of the claim; (3) pursuit of money
isn't a valid argument for standardization in the first place---we
should be using our engineering judgment to find the best solution for
the whole Internet.

Some of the counterarguments are specific to NSA: (4) putting nonzero
weight upon requests from NSA, whether the requests are direct or via
intermediaries, would promote repetitions of the sabotage that prompted
BCP 188; (5) _if_ we're trusting NSA's supposed expertise instead of
making our own decisions, then surely we should pay attention to NSA in

    https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf

asking for two cryptographic layers "to mitigate the ability of an
adversary to exploit a single cryptographic implementation".

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
