The cr.yp.to blog
Table of contents (Access-I for index page)
| 2026.07.02: A standard by any other name: How IETF evades responsibility for its actions. #standards #doublespeak |
| 2026.06.30: Understanding lattice risks: Many differences between marketing and reality. #lattices #software #looseness #modules #asymptotics #worstcase |
| 2026.06.19: EuroQCI feedback: A simple idea for improving Europe's investments in data security. #qkd #quantumcrypto #euroqci #pqcrypto |
| 2026.04.05: NSA and IETF, part 7: Counting votes. #pqcrypto #hybrids #nsa #ietf #voting |
| 2026.02.21: NSA and IETF, part 6: The structure of the debate. #pqcrypto #hybrids #nsa #ietf #chart |
| 2026.02.19: NSA and IETF, part 5: One battle after another. #pqcrypto #hybrids #nsa #ietf #lastcall |
| 2025.11.23: NSA and IETF, part 4: An example of censored dissent. #pqcrypto #hybrids #nsa #ietf #scope |
| 2025.11.23: NSA and IETF, part 3: Dodging the issues at hand. #pqcrypto #hybrids #nsa #ietf #dodging |
| 2025.11.23: NSA and IETF, part 2: Corruption continues. #pqcrypto #hybrids #nsa #ietf #corruption |
| 2025.10.05: MODPOD: The collapse of IETF's protections for dissent. #ietf #objections #censorship #hybrids |
| 2025.10.04: NSA and IETF: Can an attacker simply purchase standardization of weakened cryptography? #pqcrypto #hybrids #nsa #ietf #antitrust |
| 2025.09.30: Surreptitious surveillance: On the importance of not being seen. #marketing #stealth #nsa |
| 2025.04.23: McEliece standardization: Looking at what's happening, and analyzing rationales. #nist #iso #deployment #performance #security |
| 2025.01.18: As expensive as a plane flight: Looking at some claims that quantum computers won't work. #quantum #energy #variables #errors #rsa #secrecy |
| 2024.10.28: The sins of the 90s: Questioning a puzzling claim about mass surveillance. #attackers #governments #corporations #surveillance #cryptowars |
| 2024.08.03: Clang vs. Clang: You're making Clang angry. You wouldn't like Clang when it's angry. #compilers #optimization #bugs #timing #security #codescans |
| 2024.06.12: Bibliography keys: It's as easy as [1], [2], [3]. #bibliographies #citations #bibtex #votemanipulation #paperwriting |
| 2024.01.02: Double encryption: Analyzing the NSA/GCHQ arguments against hybrids. #nsa #quantification #risks #complexity #costs |
| 2023.11.25: Another way to botch the security analysis of Kyber-512: Responding to a recent blog post. #nist #uncertainty #errorbars #quantification |
| 2023.10.23: Reducing "gate" counts for Kyber-512: Two algorithm analyses, from first principles, contradicting NIST's calculation. #xor #popcount #gates #memory #clumping |
| 2023.10.03: The inability to count correctly: Debunking NIST's calculation of the Kyber-512 security level. #nist #addition #multiplication #ntru #kyber #fiasco |
| 2023.06.09: Turbo Boost: How to perpetuate security problems. #overclocking #performancehype #power #timing #hertzbleed #riskmanagement #environment |
| 2022.08.05: NSA, NIST, and post-quantum cryptography: Announcing my second lawsuit against the U.S. government. #nsa #nist #des #dsa #dualec #sigintenablingproject #nistpqc #foia |
| 2022.01.29: Plagiarism as a patent amplifier: Understanding the delayed rollout of post-quantum cryptography. #pqcrypto #patents #ntru #lpr #ding #peikert #newhope |
| 2020.12.06: Optimizing for the wrong metric, part 1: Microsoft Word: Review of "An Efficiency Comparison of Document Preparation Systems Used in Academic Research and Development" by Knauff and Nejasmic. #latex #word #efficiency #metrics |
| 2019.10.24: Why EdDSA held up better than ECDSA against Minerva: Cryptosystem designers successfully predicting, and protecting against, implementation failures. #ecdsa #eddsa #hnp #lwe #bleichenbacher #bkw |
| 2019.04.30: An introduction to vectorization: Understanding one of the most important changes in the high-speed-software ecosystem. #vectorization #sse #avx #avx512 #antivectors |
| 2017.11.05: Reconstructing ROCA: A case study of how quickly an attack can be developed from a limited disclosure. #infineon #roca #rsa |
| 2017.10.17: Quantum algorithms to find collisions: Analysis of several algorithms for the collision problem, and for the related multi-target preimage problem. #collision #preimage #pqcrypto |
| 2017.07.23: Fast-key-erasure random-number generators: An effort to clean up several messes simultaneously. #rng #forwardsecrecy #urandom #cascade #hmac #rekeying #proofs |
| 2017.07.19: Benchmarking post-quantum cryptography: News regarding the SUPERCOP benchmarking system, and more recommendations to NIST. #benchmarking #supercop #nist #pqcrypto |
| 2016.10.30: Some challenges in post-quantum standardization: My comments to NIST on the first draft of their call for submissions. #standardization #nist #pqcrypto |
| 2016.06.07: The death of due process: A few notes on technology-fueled normalization of lynch mobs targeting both the accuser and the accused. #ethics #crime #punishment |
| 2016.05.16: Security fraud in Europe's "Quantum Manifesto": How quantum cryptographers are stealing a quarter of a billion Euros from the European Commission. #qkd #quantumcrypto #quantummanifesto |
| 2016.03.15: Thomas Jefferson and Apple versus the FBI: Can the government censor how-to books? What if some of the readers are criminals? What if the books can be understood by a computer? An introduction to freedom of speech for software publishers. #censorship #firstamendment #instructions #software #encryption |
| 2015.11.20: Break a dozen secret keys, get a million more for free: Batch attacks are often much more cost-effective than single-target attacks. #batching #economics #keysizes #aes #ecc #rsa #dh #logjam |
| 2015.03.14: The death of optimizing compilers: Abstract of my tutorial at ETAPS 2015. #etaps #compilers #cpuevolution #hotspots #optimization #domainspecific #returnofthejedi |
| 2015.02.18: Follow-You Printing: How Equitrac's marketing department misrepresents and interferes with your work. #equitrac #followyouprinting #dilbert #officespaceprinter |
| 2014.06.02: The Saber cluster: How we built a cluster capable of computing 3000000000000000000000 multiplications per year for just 50000 EUR. #nvidia #linux #howto |
| 2014.05.17: Some small suggestions for the Intel instruction set: Low-cost changes to CPU architecture would make cryptography much safer and much faster. #constanttimecommitment #vmul53 #vcarry #pipelinedocumentation |
| 2014.04.11: NIST's cryptographic standardization process: The first step towards improvement is to admit previous failures. #standardization #nist #des #dsa #dualec #nsa |
| 2014.03.23: How to design an elliptic-curve signature system: There are many choices of elliptic-curve signature systems. The standard choice, ECDSA, is reasonable if you don't care about simplicity, speed, and security. #signatures #ecc #elgamal #schnorr #ecdsa #eddsa #ed25519 |
| 2014.02.13: A subfield-logarithm attack against ideal lattices: Computational algebraic number theory tackles lattice-based cryptography. |
| 2014.02.05: Entropy Attacks! The conventional wisdom says that hash outputs can't be controlled; the conventional wisdom is simply wrong. |
2026.07.02: A standard by any other name: How IETF evades responsibility for its actions. #standards #doublespeak
IETF
prominently advertises itself
as "the premier standards development organization (SDO) for the Internet".
The
dictionary
says that a "standard" is
"something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality";
IETF is an authority issuing rules for measuring the quality of various components of the Internet.
IETF says it "publishes its technical documentation as RFCs".
Every RFC issued by every IETF working group
(after final approval by a small central committee)
is labeled as "consensus of the IETF community".
Corporate purchasing managers understand "RFC" to mean "Internet standard".
Cisco sends around 100 people to every IETF meeting,
plus endless email messages between meetings,
all aimed at influencing what ends up in RFCs.
Cisco is just one Internet company.
But then IETF plays wording games
to evade responsibility for the damage caused by any particular RFC.
IETF labels
only 1% of its standards
as "Internet standards",
mostly older ones basically locked into stone at this point,
and about 0% of Cisco's IETF activity is aimed at influencing those.
The rest are just "proposed standards" or "informational" or some similar weaseling.
Let's look at a concrete example of why this evasion matters.
The events I'll describe are part of a vote on an
explicitly NSA-driven effort
for IETF's TLS working group to issue an RFC extending the TLS 1.3 standard
to allow solo ML-KEM as an alternative to the common-sense, widely deployed ECC+ML-KEM.
These are current events, a vote that's still happening right now:
you can join and
cast your own vote
through 7 July 2026.
If the vote passes then NSA will keep waving around money
to pressure more and more companies to switch to this option in IETF's TLS standard.
The status right now is that the specification of solo ML-KEM in TLS is an unapproved draft.
Proponents continually argue that it's important for IETF to turn this draft into an RFC.
For example, here are quotes from two supporting votes from NSA's partner GCHQ:
-
Peter Campbell
writes "I support publication as an RFC. An Internet Draft with
codepoints is not sufficient as most SDOs (including the IETF) won't
allow their standards to cite I-Ds normatively".
-
Florence Driscoll
writes "We would also like to be able to recommend use of RFCs rather
than draft standards in operational systems, as this is clear and
consistent for those reading our guidance. As such, I am in favour of
this document being published as an RFC".
"SDOs" in the first quote means "standards-development organizations".
Here's what it means for document X to cite document Y "normatively":
part of following the X rules is following the Y rules;
if an authority (e.g., IETF or another SDO) is telling you to follow the X rules then the authority is also telling you to follow the Y rules;
in other words, if X is a standard then Y is a standard too.
The second quote is accurately describing the current document as a "draft standard"
and is accurately describing an RFC as an upgrade from that.
An RFC would be a standard.
An RFC would be adding IETF's authority to the notion that it's acceptable to use solo ML-KEM.
People objecting to IETF issuance of this security-damaging document as an RFC
often accurately express this as objecting to standardization.
But then proponents suddenly switch to hyping IETF's deceptive labels.
It's not a "standard"!
It's not on the IETF "standards track"!
It's just "Informational"!
There's this buried note in Section 6 saying "Recommended: N"!
And, by the way, TLS 1.3 isn't actually a standard; it's just a "proposed" standard!
IETF is the premier not-standards development organization for the Internet!
For example,
the same Peter Campbell from GCHQ who wrote
"I support publication as an RFC. An Internet Draft with
codepoints is not sufficient as most SDOs (including the IETF) won't
allow their standards to cite I-Ds normatively"
responded to an objection by
writing
"Good news! While draft-ietf-tls-ecdhe-mlkem is standards track,
draft-ietf-tls-mlkem is not. Its intended status is Informational."
Praise the influence of an RFC when you're voting in favor of issuing the RFC,
and then flip to denying the influence of the same RFC in response to people objecting to issuing that RFC?
C'mon, you can't have it both ways.
How many objections have been deterred by these denials?
The reality is that
if this document is issued by IETF as an RFC
then it's a standard,
"something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality";
concretely, it's an IETF rule saying that rolling out ML-KEM without ECC has acceptable quality.
A corporate purchasing manager will accurately understand the RFC as a standard,
and won't even see, let alone care about, labels such as "Informational" or "Recommended: N".
NSA contractor Eric Rescorla has
admitted
that what's controversial here is the endorsement conveyed by the issuance of an RFC,
even an "informational" non-"recommended" RFC:
"I think it's clear that many regard the publication
of an RFC by the TLS WG as a form of endorsement, even when Recommended=N [0].
In fact, this is precisely why the publication of some documents has become so
controversial. ...
[0] I don't think this position is entirely unreasonable given that the documents
state on the face of them that they 'represent[s] the consensus of the IETF community.' "
Version:
This is version 2026.07.02 of the 20260702-standard.html web page.