The U.S. NSA is truly insidious and an enemy of freedom (privacy). They are now attempting to rush through a quantum cryptography standard without proper consensus from the cryptography community, some of whom raise valid concerns about what is being proposed. The NSA has a history of intentional sabotage of cryptography standards, giving themselves (and other adversaries) sly backdoor access to presumed private communications.
Thank you, Dan Bernstein, for once again standing up to power and fighting for our collective right to privacy.
By 2013, NSA had a quarter-billion-dollar-a-year budget to "covertly influence and/or overtly leverage" systems to "make the systems in question exploitable"; in particular, to "influence policies, standards and specification for commercial public key technologies". NSA is quietly using stronger cryptography for the data it cares about, but meanwhile is spending money to promote a market for weakened cryptography, the same way that it successfully created decades of security failures by building up the market for, e.g., 40-bit RC4 and 512-bit RSA and Dual EC. I looked concretely at what was happening in IETF's TLS working group, compared to the consensus requirements for standards-development organizations. I reviewed how a call for "adoption" of an NSA-driven specification produced a variety of objections that weren't handled properly. ("Adoption" is a preliminary step before IETF standardization....) On 5 November 2025, the chairs issued "last call" for objections to publication of the document. The deadline for input is "2025-11-26", this coming Wednesday.
135 sats \ 1 reply \ @brent OP 1 Dec
Thanks for discussing this on SNL, @Car!
You are right, Dan Bernstein should definitely be interviewed on a Bitcoin podcast for his opinions on this Post-Quantum Cryptography standards issue. He would also be amazing to talk about the threat to cryptography in general from quantum computing, his estimated timelines on that, and other cryptography and privacy-related issues of the day. As a prestigious academic, he might not want to appear on a highly visible Bitcoin podcast, for reputational reasons, but it's definitely worth asking. I'll DM Danny Knowles about it; maybe he'll respond.
Note that Dan is also famous for having sued the U.S. Government in the 1990s, when they considered cryptography to be munitions and placed export controls on it, thus limiting Dan's ability to legally publish his source code. He won his case on the grounds that prohibition on code publishing was a violation of his First Amendment rights. The case established code as speech, paving the way for the widespread deployment of privacy technology. He's kind of a big deal!
reply
21 sats \ 0 replies \ @Car 1 Dec
Thanks for posting it on SN, hopefully this will get the broader ecosystem talking about it.
reply
@Car thanks for highlighting this on SNL. What a mess.
reply
100 sats \ 0 replies \ @Car 29 Nov
🤙
reply