Comment by phasmantistes

4 days ago

This is not an unbiased article about the situation unfolding on the TLS Working Group mailing list; this is a call to action to join one specific side of the argument that has been ongoing for over a year now. It's an appeal to authority, an attempt to garner support for one side of the debate simply because DJB says so, as part of his effort to flood the zone with messages in opposition.

This tactic is explicitly called out in RFC 7282, and named as a "degenerate", "pathological", and "dysfunctional" state for the working group to be in. Shame on DJB for attempting to drive the working group into terminal dysfunction.

Is that what he's trying to do? I am no cryptographer, but when I read his post, his arguments about ECC+PQ make intuitive sense.

I'm out of fresh tin-foil hats as well, but it would not surprise me in the least if any government was actively engaged in weakening security and privacy protections.

Literally look at what they are all doing in almost every sphere. The current political zeitgeist is all about automated surveillance everywhere. The motivations are worn on their sleeves.

  • the NSA has a history of weakening cryptography in a very specific way, known as "NOBUS"

    https://en.wikipedia.org/wiki/NOBUS

    DES key-size weakening is consistent with NOBUS (given the computational dominance of the US at the time). DUAL_EC_DRBG is consistent with NOBUS. DES S-box strengthening (vs linear/differential cryptanalysis, I forget which) is also consistent with NOBUS.

    There have been *no* proposed mechanism that would allow NSA to have a NOBUS-style attack against ML-KEM.

    Separately, this RFC (pure ML-KEM) is marked "recommended to implement = N". It is highly likely all browsers etc will use hybrids. In certain areas (say hardware) it is not free to use a hybrid. You all of a sudden need both a SHA2 and SHA3 implementation, for example. Some organizations that view the threat of quantum computers as more credible may also not want to drag around the ECC component (which is known to be broken, once a CRQC appears. Google and the US government have publicly stated concerns this may occur within the next ~5 years after recent QC breakthroughs).

    • Clearly, NOBUS can work at multiple levels. DJB previously posted about DES (besides it being weak enough): NSA wanted DES to "drive out competitors", to "reduce the field that NSA had to be concerned about".

      Simply reducing the complexity of the standard to "pure ML-KEM" could already be considered enough "NOBUS" to be workable, such that the focus of attacks can be only on it (and bonus NOBUS if weaknesses are already known).

      Sure, it's not completely free, but the hardware and implementation points seem relatively minor. Once CRQC exists the capacity will certainly not be unlimited, so there will surely still be use for encryption using ECC and "dragging it around" is not so bad.

Your comment being top of thread, and you seemingly being conversant in the details of the issue, would be exceptionally well-placed to make an argument on the merits of the subject matter. Character portraits are sometimes useful, but technical detail is often conclusive.

What's the steelman of djb's position and why does it fail scrutiny? To the uninitiated, it sounds like his preference for the hybrid classical/BQP scene is prudent given the marginal computational burden.

But I'm guessing, it would be better if an expert weighed in with details.

> garner support for one side of the debate simply because DJB says so

DJB saying so sounds good enough for me, considering the alternative. Dual_EC_DRBG anyone?

Do you dispute his claims? And what about his argument that the NSA is doing the same thing?

  • The person making the claim bears the burden of proving it. Merely failing to agree doesn't shift the burden of pros to the questioner.

    • What? It's not being described a theorem (the technical term for a mathematical proposition for which there is a proof). It's an experienced cryptographer saying that a certain operation should be more conservatively designed than it is. He makes arguments that fall short of proof but are the best we can hope for, given the current state of knowledge.

      As for the NSA, yes, he documents what is happening pretty well, though it's done through above board channels rather than envelopes full of cash. He quotes an NSA person as saying hybrid protocols are unlikely to receive approval for use in government systems. That is, "if you want the government to buy your stuff ($$$$$), it better not implement hybrid". Similar to Dual_EC_DRBG.

  • None of the NSA (or even ex-NSA) people I know have participated in this discussion at all. I imagine they're preoccupied with the current administratiom's stupid decisioms disrupting their work.

This (also not unbiased) comment doesn't provide any substantive arguments other than a character attack on DJB. You'd also be hard-pressed to find an appeal to authority in this article. Lastly, I'm pretty sure the comment I'm replying to is at least partially LLM-generated.

Ironically, it's the incredibly weak pro-standardization arguments that appear to be the most convincing evidence that the proposed standard is actually an instance of NSA meddling.

Rather shame on you for supporting the NSA here for dumbing down the next standard.

But call me surprised that Filippo Valsorda and Rich Salz supported the NSA here.

djb has always been as outlandishly activist and combative as he is intelligent and competent.

Anyone who attributes public motives or activity or blame to "the NSA" automatically gets dropped into the "conspiracy theorist" bin, as far as I'm concerned.

  • DJB is the same person who created qmail, the mail transfer agent which was ridiculously secure because of a series of over-the-top design decisions; for example, each file in the mail queue was named after the inode it was stored in, meaning you couldn't copy your mail queue to another server if your original one was having issues (unless you cloned the whole filesystem). Also, all configuration was done at compile time, including what UIDs and GIDs to run as, meaning it was very difficult to build it once and re-use it on multiple systems unless you were very careful to make them identical, which is fine because you weren't allowed to distribute compiled binaries.

    He maintained that it was the most secure option available, which was technically true until the technology around mail transfer started improving with things like SPF records. qmail didn't support them and wouldn't support them, patches weren't accepted, and the only way to use things like SPF (to reduce spam) was through unofficial community patches that could never be upstreamed.

    qmail was far better than sendmail at the tiume, and honestly it probably still is to a large degree, but, like forcing users to change their password every week, it was a case of security being so tight that users had to break it in order to make the system functional.

    All this to say that, while DJB is undoubtedly insightful and intelligent, I'm wary of any of his claims of 'this isn't secure enough' because of his past history of making things so secure as to be inflexibly unmanagable.

  • Funny thing about conspiracy "theory" is that a lot of the time the theory turns out to be true. In my view, the impulse to dismiss any suggestion of clandestine group activity (except if it's China's government, or Russia's, or Iran's, or...) as a "theory" is most likely the result of a psychological operation.

    The Dale Gribbles of the world are not a particularly common character to meet in real life but that's the image evoked by "conspiracy theorist" no matter who the pejorative is aimed at, no matter the arguments they make nor the evidence they present. "Conspiracy theorist" is a thought-stopping, ad hominem cliché, with no place in serious discussion, yet it is widely used in exactly that; the possibility of conspiracy itself is what is eschewed in such discussions.

    • > Funny thing about conspiracy "theory" is that a lot of the time the theory turns out to be true.

      I would love to see any sources on this claim.

      A lot of "conspiracy theories" end up being true in some vague way; "the NSA is spying on all of us", yeah, that was true. The NSA is using satellites to read our thoughts? Not so much. Still, people will point to things like the Snowdon leaks to prove that the US government cannot be trusted (which is true) and therefore all the other claims that people make are also true.

      The reality is that most conspiracy theories are impossible, either from a technical sense or a logistical one. The extreme examples, like "the earth is flat and the governments are hiding it" or "COVID isn't real and the vaccine is going to kill everyone but every government and doctor on earth is secretly in on it" get shrugged off as "well, not THOSE ones obviously", but most of the rest I've ever seen are also completely unbelievable.

      Here's the thing: anyone can come up with a theory and stitch together the most circumstantial "evidence" to "prove" it, combining misinformation, misunderstanding, and misrepresentation to produce something that feels like it could be true on its face if people don't do any real digging, and most don't. I've yet to see a "conspiracy theory" backed by any actual hard evidence; they seem to entirely spring from an overactive imagination and are then "justified" and "proven" by finding other facts to fit the narrative retroactively.

      Is there clandestine activity? Absolutely. Are there groups of people trying to manipulate situations and lie to the public for their own gain? Almost certainly. Do people with unsourced, unproven conspiracy theories make it easier for governments to get away with whatever they want because the rampant proliferation of crackpot theories allows for a convenient smokescreen whenever the truth starts to come out? Also yes.

      Even if only 10% of conspiracy theories are true, which they are not, the people repeating them do more harm than good by doing so in a way that discredits themselves and others.

      1 reply →