A growing controversy is erupting within the cybersecurity community as prominent cryptologist and computer science professor Daniel J. Bernstein alleges that the U.S. National Security Agency (NSA) is actively working to influence the standardization of post-quantum cryptography (PQ). The concern centers on a push to eliminate "hybrid" encryption systems, which combine a traditional pre-quantum algorithm (such as elliptic-curve Diffie-Hellman) with an emerging PQ algorithm, in favor of PQ alone. Critics argue that this move could significantly weaken overall security while the field of post-quantum cryptography is still maturing.
Bernstein emphasizes that the hybrid approach is currently considered best practice. Since 2016, numerous proposed post-quantum algorithms have been broken or found to have serious vulnerabilities, which is exactly why a robust fallback layer is needed. Removing the pre-quantum layer, he contends, introduces unacceptable risk.
The NSA’s Influence and the Military Budget
According to Bernstein, the NSA and its UK counterpart, the Government Communications Headquarters (GCHQ), are actively promoting the adoption of PQ-only systems. He suggests this isn’t simply a matter of differing technical opinions, but a deliberate effort to shape the cryptographic landscape. “The problem in a nutshell,” Bernstein states, “is that the NSA and GCHQ are trying to have standards-development organizations endorse weakening ECC+PQ down to just PQ.”
A key element of this alleged influence lies in the substantial U.S. military budget. Increasingly, cryptographic components required for military applications must receive NSA approval. In June 2024, NSA’s William Layton publicly stated the agency “does not anticipate supporting hybrid in national security systems.” This directive, critics fear, will cascade through the commercial sector, effectively dictating industry standards.
The situation is further complicated by reports of commercial entities adapting to the perceived shift. A Cisco employee reportedly noted that a significant customer was only willing to purchase non-hybrid cryptography, leading the company to implement it despite potential security concerns. This illustrates how the NSA’s influence can indirectly “shape the worldwide commercial cryptography marketplace” by controlling procurement decisions.
Bernstein posits a scenario where the NSA publicly mandates single-layer encryption for military use while simultaneously maintaining a separate, double-encrypted system for its own sensitive data. This would allow the agency to control the market while still protecting its own interests. What are the ethical implications of an agency potentially prioritizing control over widespread security?
Concerns Over IETF Decision-Making
The concerns extend beyond budgetary influence to the processes of standards organizations like the Internet Engineering Task Force (IETF). Bernstein has raised serious questions about the IETF’s handling of drafts specifying post-quantum encryption mechanisms for TLS – the security layer underpinning HTTPS and other protocols. Specifically, he challenges the IETF’s claim of achieving “consensus” on a non-hybrid encryption draft.
While the draft received 20 statements of support (2 of them conditional), it also garnered 7 unequivocal objections, including one from Bernstein himself. The IETF often cites "rough consensus" or "broad consensus" as its decision-making standard. However, Bernstein argues that 7 objectors out of a total of 29 participants (approximately 24.1%) does not meet the legal definition of "general agreement." He has formally filed a complaint regarding the consensus claim and published a detailed analysis of the IETF's decision-making process.
“It’s already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised,” Bernstein writes. “It’s much worse if the objections can’t be raised in the first place.” This raises fundamental questions about transparency and inclusivity in the development of critical security standards. Could a lack of open debate ultimately compromise the security of the internet?
Understanding Post-Quantum Cryptography
Post-quantum cryptography (PQ) refers to cryptographic algorithms that are believed to remain secure against attackers equipped with both classical computers and sufficiently large quantum computers. Today's public-key algorithms, such as RSA and elliptic-curve cryptography (ECC), can be broken by a large enough quantum computer running Shor's algorithm, which solves the factoring and discrete-logarithm problems they rest on; symmetric ciphers and hash functions are far less affected and mainly need longer keys. Replacing the public-key layer with PQ algorithms is therefore crucial to maintaining data security in the coming years, including for data recorded today and decrypted later.
Hybrid cryptography, as Bernstein advocates, runs a pre-quantum and a post-quantum algorithm side by side rather than choosing between them. In a hybrid key exchange, for example, both an elliptic-curve Diffie-Hellman shared secret and a post-quantum key-encapsulation shared secret are computed and fed together into a key derivation function, so an attacker must break both algorithms to recover the session key. This gives a layered defense: if the PQ algorithm turns out to be flawed, the pre-quantum layer still protects the session against anyone without a quantum computer, and if a quantum computer arrives, the PQ layer still holds. This matters most during the transition period, while PQ algorithms are still being tested and refined.
The National Institute of Standards and Technology (NIST) has led the effort to standardize PQ algorithms since 2016 through a multi-year public competition. In August 2024 it published its first PQ standards (FIPS 203, 204 and 205, specifying ML-KEM, ML-DSA and SLH-DSA), and further candidates remain under evaluation. NIST's selections form the basis of future cryptographic standards and are a critical step in securing digital infrastructure, which is why the question of whether they should be deployed alone or alongside pre-quantum algorithms carries so much weight.
Further reading on the topic can be found at Quantum Computing Stack Exchange, a valuable resource for understanding the complexities of post-quantum cryptography.
Frequently Asked Questions About Post-Quantum Cryptography
What is post-quantum cryptography and why is it important?
Post-quantum cryptography is a new branch of cryptography designed to resist attacks from quantum computers. It’s important because current encryption methods are vulnerable to these attacks, potentially compromising sensitive data in the future.
What are the risks of adopting PQ-only cryptography?
Adopting PQ-only cryptography carries the risk of relying on algorithms that haven’t been thoroughly vetted and may contain undiscovered vulnerabilities. A hybrid approach provides a crucial backup layer.
How does the NSA influence cryptographic standards?
The NSA exerts influence through military procurement: cryptographic components used in national security systems need its approval, so vendors build what it will accept, and those product decisions then spread into the commercial market.
What is “consensus” in the context of IETF standards?
The IETF aims for “rough consensus” or “broad consensus” when adopting standards. However, the definition of consensus is debated, and Bernstein argues that a significant minority opposition should prevent a claim of consensus.
What is hybrid cryptography and why is it preferred by some experts?
Hybrid cryptography combines traditional pre-quantum encryption with post-quantum algorithms, offering a layered security approach. Experts like Bernstein prefer it as a safeguard against potential vulnerabilities in new PQ algorithms.
The allegations raised by Bernstein are serious and warrant careful scrutiny. The future of digital security depends on robust, transparent, and inclusive cryptographic standards. As quantum computing technology advances, the stakes are only getting higher.