The cr.yp.to blog

Older (Access-J): 2026.04.05: NSA and IETF, part 7: Counting votes. #pqcrypto #hybrids #nsa #ietf #voting
Table of contents (Access-I for index page)
2026.06.19: EuroQCI feedback: A simple idea for improving Europe's investments in data security. #qkd #quantumcrypto #euroqci #pqcrypto
2026.04.05: NSA and IETF, part 7: Counting votes. #pqcrypto #hybrids #nsa #ietf #voting
2026.02.21: NSA and IETF, part 6: The structure of the debate. #pqcrypto #hybrids #nsa #ietf #chart
2026.02.19: NSA and IETF, part 5: One battle after another. #pqcrypto #hybrids #nsa #ietf #lastcall
2025.11.23: NSA and IETF, part 4: An example of censored dissent. #pqcrypto #hybrids #nsa #ietf #scope
2025.11.23: NSA and IETF, part 3: Dodging the issues at hand. #pqcrypto #hybrids #nsa #ietf #dodging
2025.11.23: NSA and IETF, part 2: Corruption continues. #pqcrypto #hybrids #nsa #ietf #corruption
2025.10.05: MODPOD: The collapse of IETF's protections for dissent. #ietf #objections #censorship #hybrids
2025.10.04: NSA and IETF: Can an attacker simply purchase standardization of weakened cryptography? #pqcrypto #hybrids #nsa #ietf #antitrust
2025.09.30: Surreptitious surveillance: On the importance of not being seen. #marketing #stealth #nsa
2025.04.23: McEliece standardization: Looking at what's happening, and analyzing rationales. #nist #iso #deployment #performance #security
2025.01.18: As expensive as a plane flight: Looking at some claims that quantum computers won't work. #quantum #energy #variables #errors #rsa #secrecy
2024.10.28: The sins of the 90s: Questioning a puzzling claim about mass surveillance. #attackers #governments #corporations #surveillance #cryptowars
2024.08.03: Clang vs. Clang: You're making Clang angry. You wouldn't like Clang when it's angry. #compilers #optimization #bugs #timing #security #codescans
2024.06.12: Bibliography keys: It's as easy as [1], [2], [3]. #bibliographies #citations #bibtex #votemanipulation #paperwriting
2024.01.02: Double encryption: Analyzing the NSA/GCHQ arguments against hybrids. #nsa #quantification #risks #complexity #costs
2023.11.25: Another way to botch the security analysis of Kyber-512: Responding to a recent blog post. #nist #uncertainty #errorbars #quantification
2023.10.23: Reducing "gate" counts for Kyber-512: Two algorithm analyses, from first principles, contradicting NIST's calculation. #xor #popcount #gates #memory #clumping
2023.10.03: The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level. #nist #addition #multiplication #ntru #kyber #fiasco
2023.06.09: Turbo Boost: How to perpetuate security problems. #overclocking #performancehype #power #timing #hertzbleed #riskmanagement #environment
2022.08.05: NSA, NIST, and post-quantum cryptography: Announcing my second lawsuit against the U.S. government. #nsa #nist #des #dsa #dualec #sigintenablingproject #nistpqc #foia
2022.01.29: Plagiarism as a patent amplifier: Understanding the delayed rollout of post-quantum cryptography. #pqcrypto #patents #ntru #lpr #ding #peikert #newhope
2020.12.06: Optimizing for the wrong metric, part 1: Microsoft Word: Review of "An Efficiency Comparison of Document Preparation Systems Used in Academic Research and Development" by Knauff and Nejasmic. #latex #word #efficiency #metrics
2019.10.24: Why EdDSA held up better than ECDSA against Minerva: Cryptosystem designers successfully predicting, and protecting against, implementation failures. #ecdsa #eddsa #hnp #lwe #bleichenbacher #bkw
2019.04.30: An introduction to vectorization: Understanding one of the most important changes in the high-speed-software ecosystem. #vectorization #sse #avx #avx512 #antivectors
2017.11.05: Reconstructing ROCA: A case study of how quickly an attack can be developed from a limited disclosure. #infineon #roca #rsa
2017.10.17: Quantum algorithms to find collisions: Analysis of several algorithms for the collision problem, and for the related multi-target preimage problem. #collision #preimage #pqcrypto
2017.07.23: Fast-key-erasure random-number generators: An effort to clean up several messes simultaneously. #rng #forwardsecrecy #urandom #cascade #hmac #rekeying #proofs
2017.07.19: Benchmarking post-quantum cryptography: News regarding the SUPERCOP benchmarking system, and more recommendations to NIST. #benchmarking #supercop #nist #pqcrypto
2016.10.30: Some challenges in post-quantum standardization: My comments to NIST on the first draft of their call for submissions. #standardization #nist #pqcrypto
2016.06.07: The death of due process: A few notes on technology-fueled normalization of lynch mobs targeting both the accuser and the accused. #ethics #crime #punishment
2016.05.16: Security fraud in Europe's "Quantum Manifesto": How quantum cryptographers are stealing a quarter of a billion Euros from the European Commission. #qkd #quantumcrypto #quantummanifesto
2016.03.15: Thomas Jefferson and Apple versus the FBI: Can the government censor how-to books? What if some of the readers are criminals? What if the books can be understood by a computer? An introduction to freedom of speech for software publishers. #censorship #firstamendment #instructions #software #encryption
2015.11.20: Break a dozen secret keys, get a million more for free: Batch attacks are often much more cost-effective than single-target attacks. #batching #economics #keysizes #aes #ecc #rsa #dh #logjam
2015.03.14: The death of optimizing compilers: Abstract of my tutorial at ETAPS 2015. #etaps #compilers #cpuevolution #hotspots #optimization #domainspecific #returnofthejedi
2015.02.18: Follow-You Printing: How Equitrac's marketing department misrepresents and interferes with your work. #equitrac #followyouprinting #dilbert #officespaceprinter
2014.06.02: The Saber cluster: How we built a cluster capable of computing 3000000000000000000000 multiplications per year for just 50000 EUR. #nvidia #linux #howto
2014.05.17: Some small suggestions for the Intel instruction set: Low-cost changes to CPU architecture would make cryptography much safer and much faster. #constanttimecommitment #vmul53 #vcarry #pipelinedocumentation
2014.04.11: NIST's cryptographic standardization process: The first step towards improvement is to admit previous failures. #standardization #nist #des #dsa #dualec #nsa
2014.03.23: How to design an elliptic-curve signature system: There are many choices of elliptic-curve signature systems. The standard choice, ECDSA, is reasonable if you don't care about simplicity, speed, and security. #signatures #ecc #elgamal #schnorr #ecdsa #eddsa #ed25519
2014.02.13: A subfield-logarithm attack against ideal lattices: Computational algebraic number theory tackles lattice-based cryptography.
2014.02.05: Entropy Attacks! The conventional wisdom says that hash outputs can't be controlled; the conventional wisdom is simply wrong.

2026.06.19: EuroQCI feedback: A simple idea for improving Europe's investments in data security. #qkd #quantumcrypto #euroqci #pqcrypto

The European Commission has a survey requesting feedback regarding EuroQCI, Europe's sky-high investment in "quantum communication infrastructure".

If you have your own thoughts on EuroQCI then you can still respond to the survey today. The survey says it closes "24 June 2026" but I wouldn't recommend waiting until then: (1) this could mean that on the 24th it's already closed; (2) the time zone isn't clear; (3) the people running the survey might "accidentally" close the survey early if they don't like what they're seeing.

My own thoughts start with the 2019 agreement among European countries to establish EuroQCI. The agreement states a goal of "enabling information and data to be transmitted and stored ultra-securely and capable of linking critical public communication assets all over the Union" within 10 years.

The agreement mentions a particular technology for this, namely quantum key distribution (QKD). QKD claims to provide "the ultimate security assurance of the inviolability of a Law of Nature". However, the reality is that QKD is doing a remarkably poor job of achieving security. So how about rebalancing the EuroQCI investment between quantum key distribution and post-quantum cryptography?

I don't mean to downplay the risks of post-quantum cryptography. Half of post-quantum proposals have been broken already. The current deployment panic is going to give away millions of keys through predictable software bugs. But the failures of post-quantum cryptography are nowhere near the levels of consistency and comprehensiveness of the failures of QKD. Even the most die-hard QKD fans can't seriously believe that EuroQCI is going to reach its 10-year goal of "enabling information and data to be transmitted and stored ultra-securely and capable of linking critical public communication assets all over the Union". It's time for EuroQCI to recognize the risk of QKD not delivering what it has promised, and to put appropriate mitigations in place.

The rest of this blog post is a copy of my own filing in response to the EuroQCI survey.

Question 1: deployment. Here's the survey question:

Operationalising QKD deployments

1. Which urgent steps and challenges are currently missing or lacking EU-support in order to move early QKD deployments towards real operational systems, considering targeted use-cases /applications and integration with networks infrastructures first at a small/medium scale?

Here's the answer I filed.

The EU should expand its EuroQCI vision to better position EuroQCI to protect European citizens and organizations against systematic surveillance by large-scale attackers. In particular, the EU should expand the technological choices in EuroQCI to include not just QKD but post-quantum cryptography.

The surveillance threat has already been documented for years. See, for example, the European Parliament's 2001 "REPORT on the existence of a global system for the interception of private and commercial communications", and the "European Parliament resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens' fundamental rights and on transatlantic cooperation in Justice and Home Affairs".

The current EU investment includes far more funding for QKD than for post-quantum cryptography. This is backwards from what would provide the most security value for Europe. QKD has much higher ongoing costs per user than post-quantum cryptography, has been broken much more consistently than post-quantum cryptography, and lacks basic security features provided by post-quantum cryptography, such as end-to-end encryption and publicly verifiable signatures.

The 2019 EuroQCI Declaration established the goal of EuroQCI as deployment within 10 years "enabling information and data to be transmitted and stored ultra-securely and capable of linking critical public communication assets all over the Union". Focusing on QKD as the sole technology for this was a mistake. For the goal of ensuring security of critical public communication assets all across the EU, the security limitations and exceptionally high costs of QKD guarantee that QKD will remain a failure for the foreseeable future. Continuing to focus on QKD would be sacrificing the agreed security goal at the altar of a specific technology.

Question 2: auditing. Here's the survey question:

Cybersecurity measures and testing

2. In order to address the gap between QKD theory and real implementation, which cybersecurity measures and tests need to be carried out to support a successful and secure integration? Please indicate both device- and system-level testing considerations, and also in which format such testing should be performed to provide the most value.

Here's the answer I filed.

The history of cybersecurity shows some vulnerabilities being quickly patched but others remaining unpatched for years and in some cases exploited. For example, NSA secretly wrote that its QUANTUMINSERT attacks were "highly successful" starting in 2005; those attacks were not publicly detected until the Snowden documents revealed them in 2013.

Large-scale attackers have much larger budgets to search for weaknesses than defenders do. Furthermore, attackers win if they find one exploitable weakness, whereas defenders must protect everything. Giving defenders a chance requires not just increasing the investment in cybersecurity testing but also designing cybersecurity systems to make testing more effective.

Inexperienced cybersecurity designers continually get this wrong. For example, they frequently try to conceal their security designs inside proprietary software or proprietary hardware rather than open-source software. They hope that this concealment will prevent attackers from discovering vulnerabilities. Unfortunately, large-scale attackers can afford reverse engineering and industrial espionage. The concealment does far more damage to defense than it does to attack.

Experienced cybersecurity designers instead encourage scrutiny. The best cybersecurity solutions have comprehensive public specifications with clearly defined security goals, many years of stability in those specifications to support auditing, many years of publicly documented attack efforts against those specifications, detailed public risk assessments, and public verification that the specifications match what is actually deployed.

QKD has claimed for more than 40 years to provide security guaranteed by the fundamental laws of physics, and yet no QKD product has survived public attack efforts. The problem here is deeper than inadequate investment in testing. The underlying problem is that QKD's reliance upon physical effects makes comprehensive testing so expensive as to be practically impossible.

Expanding EuroQCI to include non-proprietary post-quantum cryptography will dramatically improve testability. Concretely, this expansion should budget for comprehensive, stable, public specifications for cryptographic systems, open-source software for those systems, and public tests ranging from cryptanalysis to formal verification.

Question 3: authentication. Here's the survey question:

Authentication, key management, and network orchestration

3. What challenges are the most pressing to be addressed in terms of authentication, key management and network orchestration, especially when going beyond point-to-point QKD?

Here's the answer I filed.

Authentication and key management are important motivations for expanding EuroQCI to rebalance European investments between QKD and post-quantum cryptography.

QKD says that it shares a secret key between Alice and Bob. However, if an attacker poses as Alice, then QKD actually shares a secret key between the attacker and Bob. Bob ends up sending confidential data to the attacker and accepting data from the attacker, while thinking that he is communicating with Alice.

The standard fix is to apply a separate authentication mechanism. This requires Alice and Bob to have a preexisting communication channel that guarantees the integrity of communication. This channel can be provided by a previously shared secret key, but then the effect of QKD is simply to obtain new keys from a previous key. The same effect is achieved by extensively audited, high-security, low-cost symmetric ciphers such as AES-256 and ChaCha20, which are part of both pre-quantum cryptography and post-quantum cryptography.

Another way to authenticate data is using public-key signatures. Public-key signatures are more flexible than symmetric solutions because they allow signatures to be verified by anyone in possession of a public key, while being generated only by a signer in possession of a corresponding private key. The X.509 public-key infrastructure used for HTTPS is an example of how important public-key signatures are for security today.

Public-key signatures (and public-key encryption) today usually rely on ECC or, in some cases, an older solution, RSA. RSA and ECC will both be broken by quantum computers. This is the main motivation for post-quantum cryptography. QKD does not provide public-key signatures.

Authentication is already visible as a security issue for point-to-point QKD. The QKD industry discusses authentication more frequently in the context of larger QKD networks than in the context of point-to-point QKD since larger QKD networks cannot avoid consideration of the reality that there are more parties than Alice and Bob.

Question 4: cost. Here's the survey question:

Miniaturisation, scalability, and industrialisation

4. What are the most needed technical priorities to the miniaturisation/scalability of QKD systems and QKD-enabling technologies? Focus should be on aspects related to EU-supply chain technology development, Size, Weight, Power, and Cost reduction, product industrialisation, and others. You may also consider aspects related to integration of classical cryptographic elements.

Here's the answer I filed.

Post-quantum cryptography (in both symmetric forms such as symmetric ciphers and asymmetric forms such as public-key signatures) is many orders of magnitude less expensive than QKD, and is correspondingly more scalable. One Euro pays for the complete computational costs and communication costs of millions of post-quantum key exchanges. Perhaps this was part of the reason for the mention of "classical cryptographic elements" in this question.

QKD's cost alone is enough reason for EuroQCI to place a high priority on post-quantum cryptography.

Question 5: quantum repeaters. Here's the survey question:

Early-stage quantum memories

5. How can early-stage quantum memories support early QKD deployments, quantum communications networks, and advanced cryptographic schemes?

Here's the answer I filed.

Beyond the manifold security failures of point-to-point QKD, there are further security failures coming from the usage of trusted repeaters. Point-to-point links from Alice to Trusted Repeater X and from Trusted Repeater X to Bob provide no security for Alice and Bob against the repeater. As in https://www.eff.org/deeplinks/2024/10/salt-typhoon-hack-shows-theres-no-security-backdoor-thats-only-good-guys, the repeater is an obvious point of attack.

In theory, untrusted quantum repeaters can create the equivalent of an end-to-end link between Alice and Bob. However, this end-to-end link still has all of the security failures of point-to-point QKD.

Question 6: research. Here's the survey question:

Advanced technologies and protocols

6. Which advanced technologies and protocols do you consider as the most promising to support the security of long-distance quantum communications? In this context, which research activities should be currently undertaken and which scientific challenges prioritized?

Here's the answer I filed.

EuroQCI's research vision should expand along with its deployment vision, again recognizing that a broader technological range that includes post-quantum cryptography better supports the goal of "enabling information and data to be transmitted and stored ultra-securely and capable of linking critical public communication assets all over the Union". European researchers have a long history of leadership in cryptography, and regularly form committees to formulate research priorities and evaluate specific research proposals.

Question 7: open-ended. Here's the survey question:

Additional comments or ideas

Please insert here any other comments or ideas that you may have.

I left this part blank.

Version: This is version 2026.06.19 of the 20260619-euroqci.html web page.