See also part 3: https://blog.cr.yp.to/20251123-dodging.html

and 4: https://blog.cr.yp.to/20251123-scope.html

I wonder what are the alternatives to NSA out there?

what's the name of Chinese agency, Brazillian, Indian one?

We just had a thread about this 4 days ago.

https://news.ycombinator.com/item?id=46033151

Ignoring the damaging and self-serving behavior of Bernstein for a moment, and focusing only on the technical claim at the core of the conspiracy theory: it makes absolutely no sense.

The assertion is that the NSA is subverting standards processes to push pure ML-KEM key exchanges, the same algorithm they are requiring for their own TS//SCI information in CNSA 2.0.

There is mathematically no place for a NOBUS backdoor in ML-KEM (see https://keymaterial.net/2025/11/27/ml-kem-mythbusting/), so the assertion is that the NSA wants the US Government to use broken cryptography for its most sensitive information. Broken in the sense that an adversary or academic could discover how to break it tomorrow (or yesterday), throwing the government signals handling in disarray, or silently causing a counter-intelligence catastrophe.

That's... ridiculous? Bernstein wraps this in a lot of words and emotionally charged gish gallop, but the core technical point doesn't hold. And it's getting tiresome, and getting in the way of actually important PQ rollout work.

Before anyone claims there's precedent: there isn't. Dual_EC_DRBG was a NOBUS backdoor (and anyway was not authorized for TS//SCI as part of Suite B, the predecessor of CNSA 2.0), and export ciphers were for everyone else not for USG data.