NSA and IETF: Can an attacker purchase standardization of weakened cryptography?

The cr.yp.to blog

2025.10.04: NSA and IETF: Can an attacker simply purchase standardization of weakened cryptography? #pqcrypto #hybrids #nsa #ietf #antitrust

It's normal for post-quantum cryptography to be rolled out as an extra layer of security on top of traditional pre-quantum cryptography, rather than as a replacement.

For example, Google's CECPQ1 experiment was double encryption with traditional pre-quantum ECC (specifically X25519) and post-quantum NewHope1024. CECPQ2, a joint experiment between Google and Cloudflare, was ECC+NTRUHRSS701. CECPQ2b was ECC+SIKEp434. Ten SSH implementations support ECC+sntrup761. Today's usage of post-quantum cryptography by browsers is approaching half of the connections seen by Cloudflare, where 95% of that is ECC+MLKEM768 and 5% is ECC+Kyber768.

If post-quantum cryptography is designed to be super-strong, so strong that it even survives future quantum computers, then why are we keeping the ECC layer? Same reason that you wear your seatbelt: in the real world, cars sometimes crash, and seatbelts reduce the damage.

Google already explained this back in 2016: "The post-quantum algorithm might turn out to be breakable even with today's computers, in which case the elliptic-curve algorithm will still provide the best security that today's technology can offer." We've seen many breaks of post-quantum proposals since then, including the sudden public collapse of SIKE three years after CECPQ2b applied SIKE to tens of millions of user connections. The only reason that this user data wasn't immediately exposed to attackers is that CECPQ2b encrypted data with SIKE and with ECC, rather than switching from ECC to just SIKE. As another example, the reference Kyber/ML-KEM software went through two rounds of security patches for KyberSlash at the end of 2023, and then had another security patch in mid-2024.

Deploying ECC+PQ rather than just PQ is an easy common-sense win. ECC software is practically everywhere anyway, and nobody has identified an application that can afford PQ without being able to afford ECC+PQ.

Typically people talk about deploying ECC+PQ as deploying "hybrids" rather than "non-hybrids", although you have to be careful with this terminology since the word "hybrid" also has other meanings in cryptography. It's more descriptive to talk about "double encryption" and "double signatures" rather than "single encryption" and "single signatures".
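As an added illustration (example code, not from the blog post), here is a toy sketch of the double-encryption idea: both layers' shared secrets feed one key derivation, so an attacker who fully breaks the PQ layer still lacks the session key. The HKDF combiner, the stand-in "layers" and the modelled collapse are all constructed for the demo; they are not X25519, ML-KEM or any deployed key schedule.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (extract-then-expand with HMAC-SHA256), enough for the demo."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine(ss_ecc: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Double-encryption session key: both layers' secrets go into one KDF (assumed combiner)."""
    return hkdf_sha256(ss_ecc + ss_pq, salt=b"hybrid-kem-demo", info=transcript)


# Constructed stand-ins for the two layers; each returns (bytes seen on the wire, shared secret).
def ecc_layer() -> tuple[bytes, bytes]:
    """Healthy layer: the wire bytes reveal nothing useful about the secret."""
    ss = secrets.token_bytes(32)
    return hashlib.sha256(b"ecc-ct" + ss).digest(), ss


def broken_pq_layer() -> tuple[bytes, bytes]:
    """Collapsed layer (think SIKE): the secret is recoverable from the wire bytes."""
    ss = secrets.token_bytes(32)
    return ss, ss


def recover_pq_secret(ct_pq: bytes) -> bytes:
    """What a public break of the PQ layer hands the attacker."""
    return ct_pq


def session_key_survives_pq_break(transcript: bytes = b"demo-transcript") -> bool:
    ct_ecc, ss_ecc = ecc_layer()
    ct_pq, ss_pq = broken_pq_layer()
    real_key = combine(ss_ecc, ss_pq, transcript)
    attacker_ss_pq = recover_pq_secret(ct_pq)          # PQ layer fully broken
    # A PQ-only deployment would have derived its key from ss_pq alone:
    pq_only_key = hkdf_sha256(attacker_ss_pq, b"hybrid-kem-demo", transcript)
    # With ECC+PQ the attacker still needs ss_ecc; a blank guess for it fails:
    attacker_guess = combine(b"\x00" * 32, attacker_ss_pq, transcript)
    return attacker_ss_pq == ss_pq and real_key != pq_only_key and real_key != attacker_guess
```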

The problem in a nutshell. Surveillance agency NSA and its partner GCHQ are trying to have standards-development organizations endorse weakening ECC+PQ down to just PQ.

Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing (in much the same way that NSA advertised Dual EC as providing "increased assurance"). I have a previous blog post showing that those arguments collapse upon examination. But that's not today's topic. In today's blog post I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.
