40: Rough Consensus and Running Scared
Show Notes
Episode 0040: Rough Consensus and Running Scared
Why it matters. Between October 2025 and April 2026, cryptographer Daniel Bernstein published a seven-part blog series titled "NSA and IETF" alleging that intelligence agencies are using the IETF standards process to weaken the next generation of internet encryption. The dispute centers on whether the successor to current TLS key exchange should use hybrid post-quantum cryptography — combining classical elliptic curves with the new lattice-based ML-KEM — or ML-KEM alone. The technical stakes are existential: if ML-KEM is eventually broken and the deployed standard is non-hybrid, every session protected by it becomes retroactively decryptable from stored ciphertext. The cost of the safety net is thirty-two bytes. The cost of removing it could be everything.
The IETF and the TLS Working Group. The Internet Engineering Task Force writes the technical specifications underlying the internet, including TLS (Transport Layer Security), the protocol behind every padlock icon in your browser. The contested draft proposes non-hybrid ML-KEM key exchange for TLS. The blog series is published at blog.cr.yp.to. IETF mailing list archives are publicly accessible via the IETF Datatracker. The IETF's own consensus process is defined in RFC 7282. Moderation procedures are governed by RFC 3934. NIST FIPS 203 (ML-KEM) is the post-quantum key encapsulation standard formerly known as Kyber. The NSA's CNSA 2.0 suite mandates post-quantum algorithms for national security systems. NIST SP 800-227 explicitly permits hybrid combinations.
The Researcher. Daniel J. Bernstein is a professor at the University of Illinois at Chicago and Eindhoven University of Technology. He is the designer of Curve25519, Ed25519, ChaCha20, and Poly1305 — algorithms now deployed in Signal, WhatsApp, WireGuard, Tor, SSH, and TLS. He also built qmail. In 1995, he filed Bernstein v. United States, the landmark case in which the Ninth Circuit ruled that source code is protected speech under the First Amendment, effectively ending US export restrictions on cryptographic software.
Key Technical Concepts. The core issue is the post-quantum migration of TLS 1.3 key exchange. Shor's algorithm on a sufficiently powerful quantum computer can break the elliptic curve Diffie-Hellman key exchange (X25519) currently used in TLS. ML-KEM (FIPS 203), a lattice-based key encapsulation mechanism, is NIST's standardized replacement. Hybrid mode combines X25519 and ML-KEM so that the session stays secure as long as either component holds: if ML-KEM falls to classical cryptanalysis (as SIKE did in 2022, broken by Castryck and Decru), the classical layer still protects the session. The harvest-now-decrypt-later threat means nation-states are recording encrypted traffic today for future quantum decryption. The precedent of Dual EC DRBG, a NIST-standardized random number generator confirmed to have been deliberately backdoored by the NSA, is central to Bernstein's argument about institutional trust. Implementation vulnerabilities in ML-KEM (KyberSlash 1 and 2, Clangover) and the broader erosion of lattice security margins documented in Bernstein's analysis underscore the case for defense in depth. Of the sixty-nine original NIST post-quantum submissions, approximately half have been broken by classical attacks.
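An added example, not code from the blog series, the IETF drafts or this podcast: the hybrid X25519MLKEM768 exchange the paragraph above describes, written against Go's standard library (crypto/mlkem and crypto/ecdh, Go 1.24 or later). Concatenation order follows the hybrid draft, draft-ietf-tls-ecdhe-mlkem, which the page does not name; the 64-byte combined secret then enters TLS 1.3's HKDF-Extract exactly where the 32-byte X25519 secret did, which is why a broken ML-KEM leaves the X25519 half, and the session, intact.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"slices"
)
const xLen = 32 // X25519 public keys and X25519 shared secrets are 32 bytes each
// must keeps the demo short: any failure (malformed key bytes, low-order X25519 point) panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// client holds the two private halves until the ServerHello arrives.
type client struct {
	kem *mlkem.DecapsulationKey768
	ec  *ecdh.PrivateKey
}
// clientShare builds the X25519MLKEM768 key_share: ML-KEM-768 encapsulation key (1184 bytes)
// followed by the X25519 public key (32 bytes); those 32 bytes are the hybrid's wire cost.
func clientShare() (*client, []byte) {
	kem := must(mlkem.GenerateKey768())
	ec := must(ecdh.X25519().GenerateKey(rand.Reader))
	return &client{kem, ec}, slices.Concat(kem.EncapsulationKey().Bytes(), ec.PublicKey().Bytes())
}
// serverShare answers with ML-KEM ciphertext (1088 bytes) || X25519 public key (32 bytes) and
// returns the server's combined secret: ML-KEM shared key || X25519 shared secret (64 bytes).
func serverShare(cs []byte) (share, secret []byte) {
	if len(cs) != mlkem.EncapsulationKeySize768+xLen {
		panic("client key_share has the wrong length")
	}
	ek := must(mlkem.NewEncapsulationKey768(cs[:mlkem.EncapsulationKeySize768]))
	cpub := must(ecdh.X25519().NewPublicKey(cs[mlkem.EncapsulationKeySize768:]))
	ec := must(ecdh.X25519().GenerateKey(rand.Reader))
	kemSS, ct := ek.Encapsulate()
	return slices.Concat(ct, ec.PublicKey().Bytes()), slices.Concat(kemSS, must(ec.ECDH(cpub)))
}
// finish is the client side: decapsulate, run X25519, concatenate in the same order.
// The 64-byte result replaces the 32-byte X25519 secret as IKM to TLS 1.3's HKDF-Extract.
func (c *client) finish(ss []byte) []byte {
	if len(ss) != mlkem.CiphertextSize768+xLen {
		panic("server key_share has the wrong length")
	}
	kemSS := must(c.kem.Decapsulate(ss[:mlkem.CiphertextSize768]))
	spub := must(ecdh.X25519().NewPublicKey(ss[mlkem.CiphertextSize768:]))
	return slices.Concat(kemSS, must(c.ec.ECDH(spub)))
}
```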
Daily Tech Feed: From the Labs is available on Apple Podcasts, Spotify, and wherever fine podcasts are distributed. Visit us at pod.c457.org for all our shows. New episodes daily.