The US National Security Agency (NSA) is attempting to weaken the ML-KEM standardization process.
NSA tries to weaken mlkem standardisation

Original link: https://nsa.2026.action.cr.yp.to

The author claims that the US National Security Agency (NSA) is pushing for the standardization of "ietf-tls-mlkem", and says that this version of post-quantum cryptography is weaker than the superior "ietf-tls-ecdhe-mlkem". According to the article, NSA is actively lobbying for this standard and is accused of influencing the upcoming IETF vote by "packing the room" with people who had previously been inactive. The author notes that proponents have shifted from their initial open demands to misleading technical arguments. After losing the first vote, NSA called for a new round of voting to be held by 8 July 2026. To oppose this move, the author urges members of the technical community to join the IETF TLS mailing list and submit formal objections to the publication of "draft-ietf-tls-mlkem-08" by 7 July 2026. The author stresses that real names must be used, because proponents may ignore anonymous objections. More than 30 experts have already voiced their opposition.

This Hacker News discussion centers on a heated dispute within the IETF TLS working group over standardizing "pure" ML-KEM, a quantum-resistant encryption algorithm. The prominent cryptographer D.J. Bernstein (DJB) argues that the standard should mandate a "hybrid" scheme, combining ML-KEM with existing elliptic-curve cryptography, to guard against flaws in the new quantum-resistant algorithm that may exist but have not yet been discovered. He accuses the US National Security Agency (NSA) and its allies of pushing the "pure" ML-KEM standard in order to weaken security, citing historical cases of government influence on cryptographic backdoors (such as Dual_EC_DRBG).

DJB's critics argue that:
1. The proposed pure ML-KEM RFC has been marked "Recommended: No", meaning it is intended only for specific niche scenarios where a hybrid implementation is too costly (such as resource-constrained hardware).
2. DJB's aggressive rhetoric and procedural tactics are obstructing the working group's progress and unnecessarily delaying the transition to quantum-resistant encryption.
3. The alleged "conspiracy theory" lacks hard evidence, since there is currently no indication that ML-KEM, which is built on rigorously studied lattice hardness assumptions, contains a backdoor.

Although many experts agree that a hybrid scheme is the most prudent approach at present, they reject DJB's characterization of the IETF process as a malicious attempt to weaken global security.
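To make the "hybrid" argument above concrete, here is a small stdlib-only Python model of the difference between a pure and a hybrid key exchange. This is example code written for this page, not code from the original article, the IETF drafts, or the Hacker News thread. It assumes, as a simplification, that the two 32-byte shared secrets are simply concatenated and fed to HKDF-SHA256; the real concatenation order and the TLS key schedule are defined by the ecdhe-mlkem draft, and the function names, labels and the "ML-KEM is totally broken" scenario are constructed for illustration only.

```python
"""Hybrid vs pure KEM key derivation: a stdlib-only model (example code for this page)."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract from RFC 5869: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand from RFC 5869: T(i) = HMAC(PRK, T(i-1) || info || i), truncated to length."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_pure(ss_mlkem: bytes, transcript: bytes) -> bytes:
    """'Pure' design (constructed label): the session key depends on the ML-KEM secret alone."""
    prk = hkdf_extract(b"", ss_mlkem)
    return hkdf_expand(prk, b"pure-mlkem key " + transcript, HASH_LEN)


def derive_hybrid(ss_mlkem: bytes, ss_ecdhe: bytes, transcript: bytes) -> bytes:
    """'Hybrid' design: both shared secrets are concatenated and fed to the KDF.

    Assumption for this example: plain concatenation of two 32-byte secrets.
    The real order and key schedule are those of the ecdhe-mlkem draft, not this code.
    """
    if len(ss_mlkem) != 32 or len(ss_ecdhe) != 32:
        raise ValueError("expected two 32-byte shared secrets")
    prk = hkdf_extract(b"", ss_mlkem + ss_ecdhe)
    return hkdf_expand(prk, b"hybrid key " + transcript, HASH_LEN)


def mlkem_break_outcome(transcript: bytes = b"constructed-transcript") -> tuple:
    """Model a hypothetical total break of ML-KEM: the attacker learns ss_mlkem,
    but ECDHE still holds, so ss_ecdhe stays unknown to them.

    Returns (pure_key_recovered, hybrid_key_recovered).
    """
    ss_mlkem = os.urandom(32)  # constructed; known to the honest parties AND the attacker
    ss_ecdhe = os.urandom(32)  # constructed; known to the honest parties only

    honest_pure = derive_pure(ss_mlkem, transcript)
    attacker_pure = derive_pure(ss_mlkem, transcript)  # same inputs -> same session key

    honest_hybrid = derive_hybrid(ss_mlkem, ss_ecdhe, transcript)
    # The attacker has to guess ss_ecdhe; a random guess models the infeasible search.
    attacker_hybrid = derive_hybrid(ss_mlkem, os.urandom(32), transcript)

    return honest_pure == attacker_pure, honest_hybrid == attacker_hybrid


if __name__ == "__main__":
    pure_lost, hybrid_lost = mlkem_break_outcome()
    print(f"pure ML-KEM session key recovered by attacker: {pure_lost}")
    print(f"hybrid session key recovered by attacker:     {hybrid_lost}")
```

Running the script reports that the pure-design key is recovered and the hybrid key is not. The point of the model is the reverse case as well: if instead the elliptic-curve component were the one to fall (say, to a large quantum computer), the hybrid key would still depend on the ML-KEM secret, so the combined construction is at least as strong as the stronger surviving component, which is the hedge DJB argues for above.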

Original article
<h2>Background</h2> <p> NSA's <a href="https://www.eff.org/files/2014/04/09/20130905-guard-sigint_enabling.pdf">SIGINT Enabling Project</a> includes sabotaging cryptographic standards. NSA is now overtly paying for standardization of "ietf-tls-mlkem", a <a href="https://blog.cr.yp.to/20251004-weakened.html">weakening</a> of the much more sensible "ietf-tls-ecdhe-mlkem". </p> <p> After objections started appearing, NSA's minions started switching from honest arguments along the lines of "NSA demands this so we should standardize it" to fake technical arguments. I have a <a href="https://blog.cr.yp.to/20260221-structure.html">chart of the debate</a>. I also have a shorter <a href="guide.html">guide to recent talking points from proponents</a>. </p> <p> NSA <a href="https://blog.cr.yp.to/20260405-votes.html">lost the most recent mlkem vote</a> in the IETF TLS working group. However, they called another vote on 24 June 2026 and started packing the room. For example, a positive vote appeared on 25 June 2026 from NSA's Mike Jenkins, who has <i>never</i> shown up on the working-group mailing list before. This is <i>allowed</i> under IETF rules, which <a href="https://web.archive.org/web/20250603130154/https://www.ietf.org/about/introduction/">say</a> that "There is no membership in the IETF" and that "Anyone can participate by signing up to a working group mailing list". </p> <h2>Action</h2> <p> You can have your voice heard too. All you have to do is <a href="https://mailman3.ietf.org/mailman3/lists/tls.ietf.org/">join the IETF TLS mailing list</a> and send a message to the mailing list <a href="https://web.archive.org/web/20260625052729/https://mailarchive.ietf.org/arch/msg/tls/ol2otAvtdDrdz_xY0_eKcuY1om0/">by 7 July 2026</a> under the subject line "Re: [TLS] WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)" saying that you do not support the publication of this document. 
</p> <p> Please use your real name. I know this is bad from a privacy perspective, but the reality is that proponents will seize upon occasional pseudonyms as an excuse to ignore the entire opposition. </p> <h2>Examples</h2> <p> There have been more than 30 opposition statements as of 1 July 2026. Here are links to some examples of different lengths: <a href="https://archive.cr.yp.to/2026-07-01/16:08:36/_akapbL9zzOnQJBT4YR2JZbtfMPS-rk8QQdMogTpe9s/https/mailarchive.ietf.org/arch/msg/tls/Err40FOTKRJkd1x5sKsV0cH4ZKs/">Christian Grothoff</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:07:24/qtkD-1JFduNRK4zInRk5w9ziWyK-4G_6A0okNQtph_0/https/mailarchive.ietf.org/arch/msg/tls/RbpRQbHkEizsM8P9XeyBzIm2Bpw/">Orr Dunkelman</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:10:28/LlM9K6evJGlnknH8rCD6xToMC34K-OB9IkNnEeb6VjE/https/mailarchive.ietf.org/arch/msg/tls/SABh7Sw1dqdv_I04WFUeQByoVVY/">Simon Josefsson</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:12:02/wWjSAriqQfA6WTzgarXD9gRKbZJfpn0ZqsrJ47z0q80/https/mailarchive.ietf.org/arch/msg/tls/G8RweFH4IBTBXXSi_nOTAKMI9Vw/">Yaakov Stein</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:07:52/qbngTb2vXHguklcI2xA8kPCxbSf1dXhPEn3dmMuWyps/https/mailarchive.ietf.org/arch/msg/tls/wB2mPlX4XU6FlkEZjzkuAboLt7s/">Peter Gutmann</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:01:58/vGQT9GkM15Cp2tmPMSRa8a8TnbiqWn6VweYf2mzb2Go/https/mailarchive.ietf.org/arch/msg/tls/TodOftD9_5f-YdLvkpNor1lo6s4/">David Stainton</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:00:54/KTiv1OIyfO9XLxPeAcQA_zGR_Dn-QEc-ShY74iiEPVs/https/mailarchive.ietf.org/arch/msg/tls/ebO-XDf2_dsJmekTCYjCJccrK8U/">Stephan Neuhaus</a>. <a href="https://archive.cr.yp.to/2026-07-01/16:13:48/e6PXICNeQxNs2fNxzPiKklLbcfTfudAiy1UPP32CitY/https/mailarchive.ietf.org/arch/msg/tls/g2JIyULihGxzNTDhhgl1MabOnYM/">Tanja Lange</a>. 
<a href="https://archive.cr.yp.to/2026-07-01/16:03:25/eq7GzQcI3Wj9p8xpX8AiQoDpAYKk3aSJEBFVSlgBi38/https/mailarchive.ietf.org/arch/msg/tls/sbXARP74r1ZwIMk02t2Z2jaD1mw/">Bertrand Jacquin</a>. </p>