https://web.archive.org/web/20240925031754/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF includes the following note: "Even though hybrid solutions may be allowed or required due to protocol standards, product availability, or interoperability requirements, CNSA 2.0 algorithms will become mandatory to select at the given date, and selecting CNSA 1.0 algorithms alone will no longer be approved."

This looks 100% compatible with a TLS WG decision saying "PQ in TLS has to be hybrid". ECC+PQ in TLS is compliant with CNSA 2.0, as long as the PQ part is one of the CNSA 2.0 algorithms. ECC+PQ wouldn't be taking NSA/NIST ECC "alone", so the stated prohibition doesn't apply.

To be clear, I'm not saying that this compatibility should be factored into the TLS WG decision. On the contrary, I would encourage the TLS WG to make this decision on security grounds even if there were an official NSA statement that (1) indisputably banned all use of hybrids, (2) committed billions of dollars to anti-hybrid purchasing, and (3) said that NSA no longer accepts what it wrote in https://web.archive.org/web/20220524232250/https://www.nsa.gov/Portals/75/documents/resources/everyone/csfc/threat-prevention.pdf about mitigating "the ability of an adversary to exploit a single cryptographic implementation".

> > In other words, does CNSA 2.0 tolerate ECC, by effectively ignoring its
> > presence, or not?
> From https://www.ietf.org/archive/id/draft-becker-cnsa2-tls-profile-00.html:

That I-D isn't CNSA 2.0, nor is it labeled as an official NSA statement. The draft has an author from NSA and says it complies with CNSA 2.0; but saying that the draft doesn't allow X isn't evidence that CNSA 2.0 disallows X or that NSA disallows X.

Obviously there's a pattern of NSA and GCHQ saying things to discourage hybrids. The most extreme statement I've seen is https://web.archive.org/web/20220524232249/https://twitter.com/mjos_crypto/status/1433443198534361101/photo/1 where an NSA employee back in 2021 said that NSA "does not expect to approve" hybrids. But there was then backlash, followed by the official NSA statement that "hybrid solutions may be allowed or required due to protocol standards, product availability, or interoperability requirements".

---D. J. Bernstein