The Cryptographic Seatbelt: Why Double Encryption Isn’t Optional

Imagine disabling your car's seatbelt because airbags exist. That’s the equivalent of abandoning hybrid encryption—combining traditional ECC with post-quantum algorithms—in favor of "pure" PQC. Yet this is precisely what surveillance agencies like the NSA and GCHQ are pushing within the Internet Engineering Task Force (IETF), risking catastrophic failures in TLS, the backbone of HTTPS security.

Hybrid encryption isn’t theoretical insurance; it’s a proven shield. When Google and Cloudflare experimented with CECPQ2b (ECC + SIKEp434) in 2019, they encrypted tens of millions of connections. Three years later, SIKE collapsed under a classical computer attack. Only the ECC layer prevented mass data exposure. Similarly, Kyber/ML-KEM—now dominating 95% of Cloudflare’s PQC traffic as ECC+MLKEM768—required three critical patches in 2023-2024 for flaws like KyberSlash. As Daniel J. Bernstein notes in his analysis:

"The only reason user data wasn’t immediately exposed is that CECPQ2b encrypted data with SIKE and ECC, rather than switching to just SIKE. ECC+PQ is an easy common-sense win—like wearing a seatbelt."

The Regulatory Gamble: NSA’s Playbook for Weaker Standards

Despite this, the NSA’s public “Commercial National Security Algorithm Suite 2.0” (CNSA 2.0) mandates "pure" ML-KEM-1024 for all U.S. national security systems by 2033, explicitly rejecting hybrids. This isn’t guidance—it’s economic coercion. Military purchasing power forces compliance, as Cisco tacitly admitted when an employee stated non-hybrid support was driven by buyers "whose cryptographic expertise I cannot doubt." Bernstein argues this mirrors past subversion:

  • The DES Debacle: NSA weakened the Data Encryption Standard to 56 bits in the 1970s while publicly claiming it used DES for classified data—a marketing ploy to “drive out competitors.” Internally, NSA likely used multiple layers (e.g., Triple-DES) for actual protection.
  • Dual EC DRBG: NSA bribed RSA Security to adopt this backdoored random number generator, leveraging standards to infiltrate ecosystems.

Today, NSA insists that national security systems (NSS) need "standalone" ML-KEM, yet its own policies admit using dual encryption layers for high-value data. The hypocrisy is strategic: normalizing single-layer PQC creates exploitable vulnerabilities for surveillance.

IETF Under Siege: How Consensus Was Overridden

In 2025, the IETF TLS working group faced two competing drafts:
1. Hybrid (Safe): ECDHE-MLKEM combining ECC with PQC (e.g., X25519+MLKEM768).
2. Non-Hybrid (Risky): ML-KEM standalone, with no ECC backup.

The hybrid draft achieved consensus adoption in March 2025. But weeks later, chairs called for adopting the non-hybrid draft—ignoring seven formal objections highlighting:

  • Security Risks: Removing ECC eliminates a critical safety net for inevitable PQC breaks.
  • Violations of IETF Principles: Breaching BCP 188 (anti-pervasive monitoring) and the WG charter’s "improve security" mandate.
  • Lack of Justification: No technical or cost rationale (ECC overhead is negligible).

Despite 22 supporters (including Google, Cisco, and NSA-affiliated voices) versus 7 opponents, the chairs declared "consensus" based on "sufficient interest"—contradicting IETF’s own "rough consensus" ethos and U.S. antitrust law. As Bernstein details:

"The legal definition of consensus requires 'general agreement' and fair resolution of objections. IETF’s process—collecting votes without addressing critiques—is a textbook antitrust violation. HydroLevel v. ASME showed courts punish standards bodies that enable anti-competitive manipulation."

Why Developers Should Sound the Alarm

Standardizing weakened encryption isn’t benign. Purchasing managers, incentivized by perceived savings or compliance, will opt for "pure" PQC. This repeats the Dual EC disaster, where 62 implementations certified a flawed standard because it bore NIST/ANSI/ISO approval. The fallout? Widespread, avoidable breaches when (not if) PQC algorithms fail.

Hybrid deployment is accelerating—Cloudflare reports nearly half of connections use ECC+PQC. Rejecting non-hybrid TLS isn’t obstructionism; it’s learning from history. As quantum threats loom, the security community must demand standards that prioritize resilience over regulatory convenience. The seatbelt stays on.

Source: Analysis based on Daniel J. Bernstein’s technical blog, with additional context from cited NIST and NSA documents.