[kragen]

Historically the NSA has sabotaged public cryptography standards so that it could crack them, while adversaries hopefully couldn't. It pays its employees to do this. It seems plausible that that's what's going on here, but even if so, whether that's because they know of a fatal weakness in NTRU they fear adversaries will exploit, or know of one in Kyber that they hope to exploit themselves, is anybody's guess.

[bigfatkitten]

NSA makes public their own policy for national security systems.

https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA...

If the U.S. Government is willing to bet the SECRET-and-above farm on particular cryptography standards and implementations, it’s probably safe for you to use them too.

[pxeger1]

If NSA and only NSA can crack a particular system, they probably wouldn't mind using it for their own secrets.

And anyway why is there any reason to believe they really do use the system they say they use?

[bigfatkitten]

> If NSA and only NSA can crack a particular system, they probably wouldn't mind using it for their own secrets.

How do you think they could assess that they, and only they will ever be able to exploit a particular cryptographic vulnerability at any time over the next few decades?

They can’t, they would be well aware of that, and they are extremely risk averse.

> And anyway why is there any reason to believe they really do use the system they say they use?

Because these systems exist widely throughout government today.

https://www.nsa.gov/Resources/Commercial-Solutions-for-Class...

https://www.disa.mil/-/media/files/disa/fact-sheets/dmcc-s-f...

[jandrewrogers]

FWIW, the US government actively develops and maintains a suite of classified cryptography algorithms[0] which are completely separate from the suite of algorithms they publish publicly. The reason for the existence of Suite A algorithms has never really been explained. I’ve heard rumors that it contains capabilities not known in public cryptographic algorithms, but that’s speculation.

[0] https://en.wikipedia.org/wiki/NSA_Suite_A_Cryptography

[bigfatkitten]

They do, and there are a lot of situations in which those algorithms are not usable, such as on mobile devices, hence the introduction of Suite B and now CNSA.

[kragen]

What they've been doing consistently for the last 50 years counts for more than what they say today.

[bigfatkitten]

They haven’t been using commercial cryptography to protect classified information for 50 years.

The fact they are now is a relatively recent development, and it’s significant because they now have their own skin in the game whereas they previously did not.