Trump’s Golden Post-Quantum EO(s)

The dear leader has actually bleated out some not-dumb executive orders (EOs) to accelerate adoption of post-quantum crypto for the US government! This looks to be in response to a flurry of advancements in quantum computing and quantum attack algorithms a few months ago. We cram legalese into our eyeballs— plus, ECDSA.fail!

Links:

  • The EO https://www.whitehouse.gov/presidential-actions/2026/06/securing-the-nation-against-advanced-cryptographic-attacks/
  • CNSA2 https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0FAQ.PDF
  • https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF
  • https://www.ecdsa.fail/
  • https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/
  • https://blog.cloudflare.com/post-quantum-roadmap/
  • https://blog.google/innovation-and-ai/technology/research/neutral-atom-quantum-computers/
  • https://en.wikipedia.org/wiki/FedRAMP
  • https://www.whitehouse.gov/presidential-actions/2026/06/ushering-in-the-next-frontier-of-quantum-innovation/
  • https://blog.trailofbits.com/2026/04/17/we-beat-googles-zero-knowledge-proof-of-quantum-cryptanalysis/
  • https://scottaaronson.blog/?p=9861

This rough transcript has not been edited and may have errors.

David: Recording earlier because like, I don’t want to do cold opens anymore. I just want to have something from before we actually start talking to edit it because I hate copy pasting things in.

Deirdre: Okay.

David: For example, this.

Deirdre: Hello, welcome to Security Cryptography Whatever. I’m Deirdre.

David: I’m David. Thomas is on a plane or something like that. He’s either buying a bandsaw or on a plane or both. He has a bandsaw on a plane. It’s a whole thing. What do you say?

Deirdre: And I hope he doesn’t get arrested. Um, we have a special emergency pod where we’re hopping on to take advantage of the news that there is a new executive order about post-quantum cryptography specifically. It’s not just buried in like 100 pages of a cyber EO, um, and the, the top line headline is the U.S. government is moving up its post-quantum migration from approximately 2035 to 2030 and 2031. Uh, so it is ordered, so it shall be done. Because Golden— because Trump signed it with the big pen. Um, and so this is our excuse to finally catch up on a bunch of news about quantum attacks and post-quantum cryptography and a whole bunch of other little thingies that have happened in basically the last 3 months that we just never really hopped on the pod and talked about, even though they happened. Um, David, what do you think?

David: Which had the EO on it because I hit this fun bug where if you set your window height at the exact right spot, the, the dropdown on the Trump White House site would just bounce up and down and up and down and up and down like a Jack Russell Terrier. Um, but as soon as I started streaming, it adjusted the window size and now you can’t see the funny bug. Anyway, great, great technology, bleeding edge cryptography here. Okay, so I figured let’s just go through the EO.

Deirdre: Sure. Um, the context for this EO, this executive order from our dear leader, President Trump. Also, we did not— we do not have a crystal ball. We have produced multiple episodes, and by we I mean David produced multiple episodes featuring, um, some, you know, fictional presidents. Yes, the AI Gamer presidents, who, including, including our dear leader, a fake version of our— of President Trump, talking about post-quantum cryptography and quantum cryptography and things like that. And we do— do not ask us for Kalshi bets. Do not ask us what the spreads should be for anything else. We, we were doing satire and unfortunately it became real. That seems to be a current risk of doing satire.

David: However, the official stance of this podcast is that insider trading makes markets more efficient.

Deirdre: Sure, sure, why not? Sure. Anyway, so the context is in, in March, um, there were some results for both improving quantum attacks against especially elliptic curve Diffie-Hellman, or elliptic curve, sorry, the elliptic curve discrete logarithm problem, um, and there were improvements, uh, in, uh, in different ways of producing a quantum computer, specifically about building quantum computers using neutral atoms. And basically, um, we’ve— we had multiple results that were kind of percolating amongst, you know, the, the Whisper network, uh, and then got published by Google, uh, predominantly. They put— I think they published both things, the, the neutral atom stuff and this, uh, this improved attack efficient, more efficient attack against, uh, the elliptic curve discrete logarithm problem. And they specifically were trying to be like, this is, uh, we think this will make attacking P-256, um, especially EC, the ECDSA signature scheme over P-256, uh, much easier. And then you put those things together, you— it’s much more efficient, uh, to get a, a cryptographically relevant quantum computer, and you get a much more efficient attack algorithm. And basically the projection of where you get a scary quantum computer that can run a scary, very fast for what we’ve had before, quantum attack algorithm, especially against elliptic curves, brought that reality, projected reality, a lot closer. And in response to that, Google and Cloudflare announced that they were gonna be moving their targeted, their target dates to be quantum fully migrated to quantum-resistant cryptography. Up to the end of 2029. And then I think a lot of people in the industry like really stood up and started paying attention because that’s moving up target dates that people have been working against up by at least 5 years. It was more 5 or 6 years.

David: Start of 2029 actually is what Google—.

Deirdre: Oh, did they say that? Oh gosh. Um, so, but that happened in March-ish, and we’ll have links to those in the, in the show notes. We— some people have been saying there might be a, another cyber EO, executive order, or a cryptography EO or something like that. But like, you know, you never know what the fuck’s going on, uh, in, uh, our dear leader’s, uh, house. Uh, so this just showed up yesterday, and there’s some lovely video of, of Trump just talking, learning the phrase quantum cryptography for the very first time and uttering it. The result is, um, but it’s a lot of fun.

David: And pointing out that no one cares when, when Einstein— what year Einstein published some paper about quantum something or other, apparently.

Deirdre: So here it is. This is, uh, Securing the Nation Against Advanced Cryptographic Attacks. And yeah, there’s a— there’s several things in here actually, because I thought it was just about cryptography, and it’s not just about the, the cryptography, uh, of the, uh, the U.S. government.

David: Um, so for the sake of the like 8 readers that, um, take audio only, what we’ll do is we’ll read through, I think, most of this.

Deirdre: Okay.

David: And then pause and talk through it instead of relying on everybody to simply read the screen. Um, so section 1, the advent of large-scale quantum computers, particularly in the hands of adversaries, will pose a significant threat to widely used cryptographic security systems. Ongoing cyber activity against our nation also presents the risk of adversaries collecting United States information now and decrypting it once the large-scale quantum computers are operational.

Deirdre: I agree.

David: So right off the bat, we have a reference to the store now, decrypt later threat, which we have talked on and on and on about. I mean, it’s still not clear, like, who this risk acts like in the grand scheme of risks. Where does this apply to you? But this is sort of the main risk of quantum computers now.

Deirdre: It is the live threat, if that is within your threat model.

David: Um, in light of these threats, the United States must take steps to strengthen cryptographic protection, protections for the nation’s sensitive data, critical infrastructure, and digital economy. Uh, it is the policy of the United States to safeguard national security and maintain technological leadership by responsibly and effectively executing the transition of federal information systems to the NIST-approved Federal Information Processing Standards, FIPS, for post-quantum cryptography, PQC, and to assist critical infrastructure owners and operators with their transitions. Um, so, um, unfortunately, unlike AI Gamer Obama, who said that he would become a Republican if DOGE got rid of FIPS. Um, well, we still have FIPS. Section 2 is just a bunch of definitions, so we’ll skip all of that.

Deirdre: Although the one thing that I will not skip is the term high-value asset, or HVA, um, which has a specific definition in an OMB memo, blah blah blah blah blah. And this is— and the, uh, another definition that follows, the term national security systems, or NSS. So up until about recently, until this memo actually, the U.S. government has been targeting, um, FIPS standards that include post-quantum cryptography, uh, to be rolled out and in use by any of these applied systems. So this is like any system that the U.S. government is using. This includes like the Department of Education to, you know, this freaking website that we’re looking at. I’m pretty sure this has to be served with NIST curves or something like that at the moment. Um, that’s all U.S. federal government, uh, from very boring stuff to less boring stuff. For national security systems like Department of Defense stuff or NSA stuff or top secret SCI, no foreign system stuff like that, they have their own suite of more constrained algorithms that are basically a subset of the FIPS stuff, and they are using PQ only, no hybrid, except for, you know, if you’re doing IPsec or something like that, you’re doing some VPN stuff, they trust elliptic curves a little bit. Um, they just have a much more constrained set, and they have all of the parameter sets pegged to the most tippy-top parameter set possible. Um, those were all trying to get migrated by the end of 2035, although I think there were different targets for different systems for CNSA 2.0. They were trying to get some stuff migrated earlier.

David: For CNSA 2.0, it’s really vague, but it was kind of already closer to 2031 for most things. And there’s a statement that’s very vague about like new systems, new, new procurements should be like CNSA 2.0 compliant starting in 2027, which like is just, on one hand, just like not gonna happen at all. On the other hand, like, um, talking with the people that wrote that, what it really means is you better not be charging us an extra update for it.

Deirdre: Right.

David: Uh, okay.

Deirdre: Yeah.

David: So, um, they should be doing as much CNSA 2 things as are reasonable.

Deirdre: Yeah.

David: So for example, like you’re not gonna have, uh, um, an HTTPS certificate that’s CNSA 2 compliant for like a number of years.

Deirdre: Yeah. Bye. That’s publicly trusted. Yes.

David: That’s publicly trusted.

Deirdre: Yeah.

David: For private PKIs, you can do whatever you want. Starting—.

Deirdre: You can basically do it now, depending—.

David: In Chrome 150, which releases on June 30th. So 7 days from now.

Deirdre: That’s nice.

David: You’ll be—.

Deirdre: Breaking news. Breaking news on the podcast.

David: I don’t know that it’s breaking. It’s like on a public site describing Chrome releases.

Deirdre: This is a scoops. We’re doing scoops. Scoops. Who cares where the information came from? It’s an exclusive.

David: It’s been discussed on IETF threads by other implementers. Uh-huh. Breaking news.

Deirdre: One of the only other definitions in the section is the Cryptographic Module Validation Program, the CMVP program, which is part of getting FIPS certified. So if anyone has ever mentioned anything about being FIPS certified, This is the program that basically does it. It started with hardware and firmware implementations and then they just said also we’ll, we’ll certify software implementations of FIPS stuff in a module, in a module boundary. And it’s, you know, it’s a whole thing. And unfortunately it leads to kind of, you know, reading the tea leaves to try and predict what will be FIPS certifiable or not in the program, the lab that does the program. And a lot of that is wrong. But that’s what that is. And we’ll talk about that later.

David: There’s, there’s two types of FIPS certification actually. There’s the, well, there’s a bunch of types, but relevant to this, there’s, there’s the CMVP, the Cryptographic Module Validation Program, which is the really annoying one to get.

Deirdre: Yeah.

David: That a lot of things require. And then there is Cryptographic Algorithm Validation, CAVP.

Deirdre: True.

David: Yes. Which is more straightforward to get. ‘Cause CAVP is like, did you implement this algorithm correctly based on like some test vectors. Mm-hmm.

Deirdre: And CMVP is like, do you meet all of these arbitrary other like, um, requirements that make it very difficult to test in like, like how do you, like, everything has to be within a module boundary and it has to be started up a certain way.

David: And this is why it needs to be able to do a self-test with fixed random. So you have to build in like a backdoor to your system to prove that it operates correctly. Basically it’s a pain in the ass.

Deirdre: Yeah.

David: Um, and then you have to certify it on every, uh, uh, well, depending you, in theory, it, the certification only applies to specific environments. So for example, like Arch Linux 4.0 on a Chromebook.

Deirdre: Yeah.

David: Or like Debian in Google Cloud.

Deirdre: Yeah.

David: Um, and in practice what you do is you get some bullshit certified for some platform and then you convince your auditor that that’s what everything is.

Deirdre: Yep. But you still have to like juggle all of those like certs in case you, your compliance auditor is like, is your cert for this module on this platform is still up to date? And you have to keep it alive. And that’s a lot of juggling and, you know, bookkeeping for questionable amounts of additional security.

David: So, and then NIST will take like 6 to 18 months to actually issue your certificate once you pass the testing.

Deirdre: That too. Okay. Section 3, Coordinating the PQC Transition. The Director of OMB and the National Cyber Director, in consultation with the Assistant to the President for National Security Affairs and the Administrator of the Office of Electronic Government— I didn’t know that that was a thing— OMB shall lead the strategic coordination and oversight of the national PQC migration policy and strategy set forth in this order, ensuring its alignment with broader cybersecurity goals. B, the Secretary of Commerce, Lutnick, through the Director of NIST and in consultation with the Director of the National Security Agency, NSA, and the Secretary of Homeland Security. Is that still Noem? Do we have an acting secretary?

David: We— I don’t remember who it is, but it’s not Noem anymore.

Deirdre: I think we need—.

David: I think it’s an acting secretary at the moment, but they have to be approved. Yeah.

Deirdre: Oh gosh. Uh, through the Director of the Cybersecurity and Infrastructure Security Agency, CISA, and the Department of Redundancy Department. Shall provide agencies on an ongoing basis with comprehensive technical guidance on PQC implementation, including best practices, implementation, and risk management strategies.

David: Cool. Just what we needed, more guidance from CISA.

Deirdre: Section 4, Accelerating the PQC Transition. Within 30 days of the date of this order, which is yesterday, uh, June 22nd, each agency head shall identify its PQC migration lead and provide the name and contact details of the PQC migration lead to the Director of OMB and the National Cyber Director within 90 days. Yes.

David: Yeah. So this is like fairly standard stuff for like how a government, like the executive branch, tells agencies to do things. There’s like a similar, um, guidance around like doing inventory a while ago that’s like, yes, define a point person, and then that person has to submit a report to these other people that contains these things. Blah, blah, blah, blah, blah. And then you need to do this other thing by this other time. And then that all goes through the point person back to whoever, as deemed by the authority stated at the top, which in this case is like NSA plus Secretary of Commerce.

Deirdre: Yep. And we explored a lot of that when we talked about the, the big cyber EO that came down just before the end of the Biden administration. And it’s like a lot of similar stuff.

David: Um, I think the big takeaway in this section is that like, we’ve included the HVAs, the high impact systems and national security systems. And given this like, timeline for both key establishment at the end of 2030 and then digital signatures by the end of 2031, which, you know, very nice that these have actually been split out because it’s much, much, much, much easier to do key establishment than it is to do signatures in most cases. And you can actually just like, doing key establishment is basically just update your OpenSSL. Mm-hmm. At this point.

Deirdre: And, or, you know, your Go, you like, you can upgrade Go, you can upgrade, uh, I think it’s in Java 25 or JDK 25, um, that you get it as well. Like a lot of the places where you just update, uh, and you are serving TLS, for example, Um, you will get your post-quantum FIPS interoperable, uh, key agreement and it just works. Uh, it’s not that easy if you’re using, uh, signatures and you need to share, uh, a public key or rotate keys or certs or have any sorts of roots of trust or anything like that.

David: Yeah. Fundamentally, like independent of any of the like struggles with size that we’ve discussed with PQC in the past, um, like you are going to have a new trust hier— like a PKI hierarchy for PQC.

Deirdre: Yeah.

David: Which means that like, in some way you’re going to have to get a certificate from like something vaguely new. And like, even if that certificate is done in such a way that it looks like the old stuff to old things, like at some point your ACME client’s gonna have to either be pointed at a new endpoint or have that endpoint just like do some sort of, uh, you know, Indiana Jonesing to a new hierarchy when you’re not looking, um, uh, and actually have like certificates issued.

Deirdre: Yeah.

David: Which is just fundamentally like more work, hopefully marginally more work, and hopefully mostly handled, um, automatically still, but like not as straightforward as, oh, I’ve just updated my, my SSL/TLS implementation and now there’s a new cipher suite available and you just use that with new things.

Deirdre: And now—.

David: Because it involves a long-lived credential instead of just an ephemeral credential.

Deirdre: Yep. And not even like long-lived, but just like someone needs to trust it in some way. It needs to be sort of like, have some sort of like, where does this come from? Did like, is this real? Is this like not expired and things like that? Um, and we, and we haven’t even gotten an update to, uh, SSH or OpenSSH for, uh, keys, the actual keys that do the signing for you. We have gotten an update, uh, for the key agreement of your SSH session in OpenSSH. So that’s cool. But we still aren’t sure what SSH, uh, pub keys, PQ pub keys are gonna look like yet. Um, there’s still discussion going on about that. Um, yay. Um, but one, one of the huge things is like, okay, 2030 for key agreement, like that’s kind of on par, but the fact that they’re moving up signatures to be done by the end of 2031 is pretty big because we, that is a short runway for things that don’t have solved solutions ready to go yet. And it’s like aggressive. So that, that was a big thing that caught my eye.

David: Yeah. I mean, Chrome’s expecting to be able to accept, um, post-quantum, uh, Merkle tree certificate CAs in 2027. Um, cool. Uh, but the first round of those will not have key strengths suitable for CNSA 2. Oh, you’re right. Um, but it will be, yeah, they’ll get there eventually, but they’ll at least be PQC. And this actually doesn’t say anything about key strength.

Deirdre: Correct. I think it’s just, it needs to be FIPS, which means if it supports ML-DSA 44, you’re good. And I think a lot of people will be perfectly well suited to use ML-DSA 44.

David: Um, Yeah, it’s really complicated to decide what’s, um, like a national security system. If you talk to most people from like NSA, they’ll be like, oh, you know, that’s like the DOD servers running in like a DOD data center or whatever, like on a private DOD network. And it’s like, yes, that’s definitely true. Um, but like what, like more and more of the government uses like public clouds and SaaS. And then you have the question of like, is your cloud console considered a national security system?

Deirdre: Yeah.

David: You are deploying using that cloud console to deploy, uh, you know, a national security system on some cloud.

Deirdre: Yeah.

David: Um, and then like now you have like a whole host of basically publicly accessible websites that become in scope for rules that were written to be for like, uh, basically a DoD network. Which is where all of this gets complicated.

Deirdre: It’s like, do I really need— does like AWS have to serve me, uh, an ML-DSA-87 cert and everything in that chain and an ML-KEM-1024, uh, key exchange just to like, you know, load up the console? Like, I don’t— maybe, I don’t know, I don’t work for them.

David: ML-KEM-1024 is like not that bad in the grand scheme of things compared to— whereas like ML-DSA-87 is, it’s just like, you really gonna send me 35 kilobytes of certs? Like, come on.

Deirdre: Yeah. Like, when you’re sort of thinking about like, well, yes, if you are like doing XKEYSCORE crap, like the stuff that Snowden leaked, you know, sure, give me the fat, you know, NIST Level 5 certs and like, sure, gimme ML-KEM-1024. But when you’re just like, well, you know, if you’re trying to twiddle something in the like, defense cloud that is being served by, you know, AWS, like, do you need it there too? And like, it, the answer might be yes. And then you’re just like, oh, goddammit. Like, to just serve me a website, a regular website, um, you need to support this stuff is like, oh boy. Okay.

David: The struggle is if you can’t split your domain, like split your users by domain, because it’s easy to make one domain that only uses the high strength stuff and another domain that uses like the normal strength stuff. To be clear, the normal strength stuff is like strong enough to survive like a Dyson sphere built around the sun being used to like brute force it. But, um, like if you say you’re on a search engine, if that somehow becomes in scope for a national security system, like you probably don’t actually want to pay, um, the cost of the cryptography for, you know, a few billion users.

Deirdre: Yeah. Um, all right. Well, the rest of the section, advancing to Section 6.

David: Procurement, um, because I think everything else is more just like reporting details on timing and reporting. Yeah, Section 6 procurement is where it gets exciting.

Deirdre: Hold on, hold on, at the end of Section 5, uh, uh, um, Homeland Security shall release public guidance regarding cryptographic bills of materials and they should enable the automated assessment of assets utilized by hardware and software elements. I’m like, great, we’re just gonna keep doing that. We’re gonna keep doing CBOMs. Okay, sure, we’re moving the timelines up super aggressively, but first we gotta get that bill of materials. Oh, okay, sure, maybe you gotta do that.

David: I don’t remember this for sure, but I feel like some of the like SBOM stuff got revoked by an earlier Trump EO, but maybe—.

Deirdre: Oh, that— yeah, that might have been in the cyber EO, and he wrote like a few months after he came into office, he basically had a short one that was like, revoke all that except for this, this, this, and this. It might— that might have been it. But, uh, uh, 6.

David: So moving on to Section 6, procurement, Section B: Within 180 days of the date of this order, the Secretary of Commerce, through the Director of NIST, shall, to the extent appropriate and consistent with applicable law, revise the processes used by the Cryptographic Module Validation Program to accelerate validations of cryptographic modules. Um, now what does it mean to revise these processes? I don’t know. Um, I also, like, I’m gonna be pessimistic about this cuz I don’t really know how you fix these things. I think you just get rid of, like, in my opinion, we shouldn’t have CMVP at all. We should just have CAVP, if that. Really, we should just have the FIPS list of algorithms and say like, these are the ones that you have to use. And like, you don’t, you know, we, we expect that like software works correctly and like that’s part of, you know, the purchasing agreement is that like software works correctly. Right. Mm-hmm. If it doesn’t, it gets fixed. This is kind of how all software works, but somehow it becomes like just the cryptographic algorithm part and not the network part. It’s like, oh, well we have to do all this additional testing. It’s like, yeah, you should, you know, make sure that you’re procuring software that works for your use case and works well. But like, do we really need this like additional testing versus saying, you know, yes, this, this software complies with the guidelines in the sense of it uses the algorithms that the NSA wants to use for the national security systems. It like meets the product requirements that are required to do the government thing. So I don’t know. I suspect that we will not get rid of CMVP. And as a result, I don’t really know like how to improve CMVP very well. Yeah. I haven’t specifically taken something through CMVP. I’ve, you know, worked with teams that I’ve had to make changes so that it can go through CMVP, but I’ve not been the point person to like, take something to a lab, get it tested, submit that to NIST, and so on.

Deirdre: I bet, I bet we know some people who do have opinions, but I am quite— the way this, this is written, I’m a little bit worried now because it’s like within 180 days, revise the processes, like you have 6 months to revise the processes, not come up with a plan to go up the chain about how you’re going to revise the processes. Like, no, you’re going to change them.

David: So I’m, I mean, I think 6 months is more than enough time to change the processes, but like, you know, government, government, it’s, it’s also tough to do because like in practice, like at least for, for, uh, like CNSA 2, a bunch of this also goes through NIAP where then like NIAP has a protection profile that is like in theory above and beyond just the CMVP. That’s like, oh, you know, you have this broader set of requirements and NIAP is supposed to check that all of that complies with those requirements. But in practice, like, NIAP just writes requirements that are impossible to comply with and, like, make no sense, and, like, combine requirements for clients and servers and then say that you have to follow all of them, but in ways that just don’t make sense. And so getting any, like, NIAP protection profile for a product, which again is also done through, like, a third party, so you, like, take it to a tester, like, Booz Allen Hamilton, and then they like, well, that’s a thing, and send it to NIAP. Um, and then just like, nope, nobody, like the testers don’t understand the product. NIAP doesn’t understand TLS. And then everybody’s just trying to get it through. But also like you’re, it’s just a bunch of people like bullshitting and lying to each other until eventually you get the stamp. And then what is used in practice is not at all what was tested because the requirements were like literally impossible to comply with. Even though like the requirements from CNSA 2 are actually very straightforward.

Deirdre: Oh gosh. I keep forgetting about NIAP and yeah, I don’t, I’ve looked at it once and I’m just sort of like, okay, sure.

David: Yeah. Like the NIAP protection profiles don’t like correctly discern between like must offer something and must negotiate something when a client or a server, so it’ll be like, you TLS client, like you must offer, you must use Extended Master Secret with TLS 1.2. And it’s like, well, if you’re like a web browser, like, you know, what, what happens if like the server, like we offer it in Chrome, but like not every server speaks that. I think most do, but like, are we just supposed to reject it? And then they’re like, oh, well you must use, you know, AES-256, cuz that’s what’s in CNSA 2. It’s like, well, here’s the incantation you can put in to make it so you get AES-256 with Google. But like, if we just turn off AES-128 in like Chrome, for example, then you just can’t load most of the internet.

Deirdre: Yep.

David: Because it’s all using AES-128.

Deirdre: Yep. Which is fine, by the way. Uh, I don’t know. There was a, a lovely blog post that went around recently because people were like, oh, so to be post-quantum, we need to go to AES-256. And it’s like, no, actually you don’t. And I guess people don’t, don’t know this. Basically Grover’s is not efficient against, uh, against things, especially things like AES, but even hash functions. AES-128 is, is fine. You do not need to upgrade. The only reason you need to upgrade is if you need to be compliant with CNSA 2.0, and that’s just because they, they put all the parameter sets to 11, not because they actually are protecting against Grover’s attack. Anyway, sidebar.

David: Anyway, so my feedback is to just simply get rid of CMVP entirely.

Deirdre: Who knows? Like, we’ve already had DOGE come, come through our government. You— who knows? Maybe that will actually happen. It’d be very, very interesting. Uh, anything else? Oh, uh, contractor vulnerability disclosure programs. Cool. That VDPs incorporate reports of cryptographic vulnerabilities including testing for lack of encryption, the use of non-FIPS-approved algorithms. Cool, that’s neat. What’s FAR?

David: It was probably the Federal Acquisition Regulatory Council.

Deirdre: Oh, okay.

David: Uh, I think this is probably going to be a net negative. Um, well, I don’t know, like, what do they mean by, I guess it’s probably in the definitions up above, but like contractor, if contractor means like labs, like, I hope they don’t, aren’t like having the labs check for vulnerabilities. If they’re just saying like people that we’re buying cryptography from should have a vulnerability disclosure program, then like, sure.

Deirdre: Yeah, I guess that sounds good.

David: Everyone should have a vulnerability disclosure policy. Most people should not have a bug bounty. Yeah, that is my stance. Uh, and, uh, I think, and then Section 7 is the none of this is illegal section.

Deirdre: Hopefully the costs for the public issue of the source shall be borne by the Department of Commerce. Of course, poor, poor them. Poor Lutnick. Cool. Yeah, so that’s, uh, that’s it. That’s, uh, that’s the EO. It’s very exciting.

David: Yeah. So I think takeaways for most people should just be to update your TLS server software or, um, which if you’re like using a VM, you can just like do now and you should be getting TLS post-quantum key exchange out of the box, probably hybrid, um, 25519 with ML-KEM-768. That’s enabled by default in, yep, I believe like OpenSSL 3.5 and newer and BoringSSL and all the other SSLs.

Deirdre: Yep.

David: If you’re using a, like, TLS load balancer from a cloud, it probably supports all of those now as well. And if not, it will very soon. And like, again, the step there will just be to like, roll your config to the new version, enable it, or just let it update itself depending on, you know, how you’re configured. And all of that should be pretty straightforward. And then for publicly accessible websites, like, you’re just gonna need to wait until the certificates are available.

Deirdre: Yeah.

David: And then you have just a certificate management problem, you know?

Deirdre: Yep. Uh, and you know, modulo Chrome trusting, modulo Chrome having a, a trust store beyond Merkle tree certs. Um, I’m pretty sure that a lot of publicly trusted CAs, um, either already have ML-DSA support, um, like operational, they just don’t have an ML-DSA root, uh, in other root stores, trust stores out in the world. It’s kind of a little bit of a chicken-and-egg issue with them. Um, and this is regular schmegular ML-DSA certificates, not the fancy new, new gen Merkle tree certs.

David: Um, no, those are like not gonna end up being an option for publicly trusted sites. Like at this point, like all but like a lot of the browsers have signaled in various forums, not to speak on behalf of any of them. Um, yeah. That like the, because of the need for transparency for public PKIs, meaning like the full set of certificates is publicly disclosed.

Deirdre: Yeah.

David: Um, uh, the, if there was a, a non-Merkle tree certificate, which we haven’t really defined, but we’ve been talking around, but if there was an old style but ML-DSA, like root store, that would require old style certificate transparency and that system would fall over, um, in a post-quantum world for a number of reasons.

Deirdre: And so in a post-quantum world, or you could just do something, a terrible bridge where you have your ML-DSA cert, but you have, uh, ECDSA, uh, transparency statements.

David: That would still fall over publicly in a sense, because like the full certificate contents are logged. And so if you like drastically increase the size of the certificate, the set of people that are currently basically running CT logs out of the goodness of their heart, would probably not be super happy about, you know, um, these things that are just like basically a net negative to run suddenly, like doubling, quadrupling, 10x-ing in storage costs.

Deirdre: Yeah. I, I was thinking of literally all the sigs and, and key public keys that you’re downloading. Yeah. Those would be smaller if you did a little bit of mix and match and relied on and just kind of, you know, crossed your fingers that the transparency benefits, uh, be given by ECDSA would give you a little bit longer. But you’re right, for the log operators, there still gets— they’ll still get fucked.

David: Yeah, but there are definitely a number of companies that offer like private PKI ML-DSA products right now. Yeah, I think I’ve done it for a while. There are many HSMs that support it, although none of them have a CMVP yet, um, because NIST is just behind on, uh, on approving them. Yes, they have CAVPs but not CMVPs.

Deirdre: Was it the first, uh, validated implementation of ML-DSA was only like this year, 2026 or something like that, that finally got through. And it was in the pipeline for like 18 months or something like that.

David: It took so long. The final standard was released in like July of 2024.

Deirdre: Yeah, I think that’s correct. Yeah, or August, I forget.

David: Yeah, July or August.

Deirdre: Yeah, and it took that long. They, they had it ready to go and they, they shoved it in there and it took that long to get validated or whatever.

David: Yeah, it was an extremely minor change in the final standard from the last draft standard.

Deirdre: And so, yeah. Yep. It just takes so long. So yeah, we’ll see if, uh, they literally just chuck CMVP out the window. That’s a way to update procedures or what they do, because this may be possibly the best opportunity to overhaul that program since it’s come into existence, I think. But, uh, we’ll see. We’ll see how that goes.

David: Earlier in the year, um, I saw this talk. And it was, it was kind of like the scene in The Big Short where Steve Carell’s character comes and meets the guy in Vegas who’s like on the other side of the trade, like selling stuff.

Deirdre: And they’re eating sushi.

David: Yeah. And they’re eating sushi. And Steve Carell’s getting angrier and angrier at this guy who’s basically just like taking money off the top of the trade and like fucking over his customers. But you’re just like, oh, like this person like actually exists. And for me earlier this year, I was at this talk and there was someone who was like, just giving this talk about how important it is that when you’re in a sys— system where like you need FIPS cryptography, you make sure that you’re like, actually using all of the FIPS stuff everywhere, because otherwise who knows what kind of cryptography you’re getting. And like, it’s not just enough to like get OpenSSL that lists FIPS, like other stuff might be used. And the only way to know that you have like high assurance cryptography is to like make sure you have the thing that actually got like FIPS verified. And I was like, oh shit, man. Like, I got bad news for you about like most products you’ve ever used, right? Like, not, not that like everyone’s out here doing fraud, but just like in practice, it’s not possible to get these validations, um, at a rate or reflective of every environment in the way that like all of this stuff is actually used. And that’s, that’s why I think like CAVP makes much more sense because it’s just like, let’s make sure we’re using the right algorithms. But like the chance of you actually being able to verify to the letter of the law of how you’re supposed to verify a cryptographic module is basically zero when it comes to actually distributing software.

Deirdre: And the argument of like, and even if you are able to do it, like the value to security, uh, is very debatable, um, about that procedure for actually like validation, um, is debatable.

David: And there’s a they’re supposed to have like a self-test of them as well, which requires like a hash of itself in it, basically. Yeah. Yeah. Yeah. Um, which then gets submitted in the cert. And so like your, your, your validation only applies to like the specific, like hash of your thing, technically. Um, but that is a problem of like, well, if it takes 18 fucking months to like get one of these things verified, like you’re gonna make changes underneath.

Deirdre: Yeah. Um, and so it’s also, uh, you can’t, you can’t change like a doc comment. You can’t like, there’s, well, depending on how you, in theory.

David: Yeah.

Deirdre: Well, that, that’s not technically basically, you know, FIPS approved.

David: Now, most of the downstream requirements that like you don’t need specifically to have that FIPS thing. So like FedRAMP, for example, now lets you update, like be like, as long as you are regularly getting your cryptographic module validated whenever you make a large change, then it’s fine for you to update it in between because like, you know, bug fixes are good and new features or whatever are good. But like at some point, like, like what are we doing here?

Deirdre: Yeah, I got, I totally forgot about FedRAMP. So this, this is going to impact FedRAMP, but it’s not specifically named in here.

David: So like, I guess there’s nothing specific, but yeah, well, that’s just going to be downstream of like FedRAMP says you need things that are like FIPS 140-3 validated. And then that now involves covering these other things. So I don’t think FedRAMP itself really needs to change.

Deirdre: Yeah.

David: Like, I don’t know, maybe they make a, post-quantum secure statement at some point, but it’ll kind of fall out of the FIPS validation. Oh, personally, I like it better when there aren’t a bunch of executive orders around, like my non-government job.

Deirdre: Yeah.

David: Yeah. I don’t know about your experience.

Deirdre: Yeah. I don’t, I, part of me is like, this could be good. And part of me is just like, what, what are we doing? I mean, I— yeah, I don’t know. We’ll see. Especially because it’s like high-impact systems, which, for example, those might be things like the IRS’s computers and the State Department systems that let it issue passports and things like that, and like help maintain consular security, stuff like that. Um, so important stuff, but definitely there’s going to be whole— a whole bunch of parts of the federal government that may not be PQ, um, even if everything in this EO is like, um, fulfilled all the way down to the, down to the letter. Um, we’ll see, we’ll see how it goes. I don’t hate it. I’m kind of amazed it does not say quantum cryptography in there.

David: Also, I heard someone, I heard someone reference quantum key distribution or anything like that, quantum randomness.

Deirdre: Thank God, like the little mercies, because there’s been chatter, more chatter about that, I think because there’s funding coming out of like the EU or something for EU-based businesses. And it’s just like, no, no, no, we don’t want none of that. I was having to— you—.

David: Is a great place to take vacation.

Deirdre: There’s nothing about—.

David: This is a great place to host a World Cup, apparently.

Deirdre: Um, Boston is a great place to host any Scotland matches. Um, I am sad that I was not spending as much time in Boston while, you know, every Scots person, Scottish person, um, that could ambulate made it to my hometown for a week. But, uh, I want them to come back. Now the English are over there and everyone’s like, boo, we want the Scottish back.

David: English historically haven’t had a great time in Boston.

Deirdre: No, it was— yeah. Um, I swear someone said that there was a mention of investment in quantum computing, but it’s definitely not in this EO. Did I miss another one? Or maybe, maybe Trump was saying the wrong things out of his mouth again.

David: So, um, there is about that as well.

Deirdre: Hold on, I’m pasting it in here. Yes, there was another one, another presidential action. Um, gosh, ushering in— I’m sharing— ushering in the next frontier of quantum innovation.

David: How long?

Deirdre: It’s not this one. This is on— it’s not that long either.

David: No, so there’s a second EO.

Deirdre: Yeah.

David: Um, oh God, two EOs in one show. I think that, that might be a bit much.

Deirdre: I’m scanning, scanning, scanning. Updating quantum strategy. Harnessing quantum computing for science. Secretary of War and a bunch of other secretaries shall ensure that capabilities, manufacturing infrastructure, and expertise are made available to support this QC effort.

David: Exploration.

Deirdre: Coordinate with the NASA administrator, the director of NSA.

David: Uh, to attempt to like keep track of the relative capabilities of different quantum computing systems in order to accurately assess the performance. That’s interesting because it’s really hard to assess relative capabilities of them cuz they all work different ways and basically none of them do anything useful until one day. One of them will do many things useful.

Deirdre: All of a sudden they do a whole bunch of— a whole bunch of useful. Uh, Secretary of Energy shall, uh, basically price out and scope out delivery for one QC. Cool. Um, develop a plan to encourage contributions to the effort from commercial quantum computing companies. Secretary of War, national security applications of quantum computing, establish a center for such a purpose.

David: Thought, thought, thought. I previously heard of NSA saying that they like to be approximately 7 years ahead in terms of the, like, general public in terms of cryptanalysis, which I know some people have taken to, well, that means they clearly have a quantum computer now. I think that’s a load of crap. There’s like no way. Yeah, that anyone has a quantum computer now. Um, like, we would— there would be downstream effects of that.

Deirdre: Yes, it’s, it’s sort of like when, um, all the nuclear scientists just stopped publishing for a while when, like, most of them were either working at the— at Los Alamos, uh, or, you know, some of them were working in Germany. Um, it’s just like the absence, uh, is a signal, and we don’t have anything close to that, or, or the inverse of sort of like, um, we would see evidence, uh, even, even if it’s not direct evidence.

David: We would also need like technological advances that would probably see like effects of an industry that like don’t seem to have happened, like, you know, improvements in superconducting and things like that.

Deirdre: Yep.

David: Um, but speaking of building quantum computers, do you want— should we talk about ECDSA.fail?

Deirdre: Oh my goodness.

David: I love a good .fail domain.

Deirdre: Yeah. Um, yeah, that’s good before, uh, we, yeah, you get the gist of the rest of the EO. They’re actually kind of like trying to tell people to do stuff regarding quantum computing, which is pretty cool. Um, we’ll see where that goes. Um, so we, we discussed how, um, there were published, uh, improvements, uh, to attacking the elliptic curve discrete logarithm problem, uh, with quantum attack algorithms, which are basically like iterations around Shor’s algorithm or improving parts of some of these like broad class attack algorithms. And specifically, the Google, uh, Google folks published a paper that claimed they had a quantum attack circuit for one of the, uh, slowest parts of, uh, running Shor’s algorithm to attack, uh, this discrete— elliptic curve discrete logarithm problem, which I think it was literally like the elliptic curve point operations itself, which is like funny because that’s the classical part. And it turns out running it on the quantum computer is actually kind of like the slow bottleneck of using Shor’s algorithm to attack the thing, to find that like the periodicity of your, you know, elliptic curve group or whatever it may be. Um, so they claim— they published a paper that claimed that they were able to do this in, you know, n million Toffoli— I think it was like a million and change Toffoli, um, gates, which is like a way to measure the circuit depth of the, uh, quantum circuit that you’re actually going to use. It’s kind of like measuring the number of multiplies or divides or whatever you might have in a certain attack algorithm or another, another algorithm on a classical computer. It’s just a way to kind of like measure. And then, um, I think they claimed that they needed like, you know, a 1024, some, some small number of logical qubits or whatever. Not— they didn’t, they didn’t require like 10 million or a million logical qubits to run this. It was some, some small number or something like that.
Um, but they did not publish the circuit. They published a zero-knowledge proof of the circuit statement and they published the proof and they published their claims about the size and the speed that this should take to attack, you know, elliptic curve, uh, sorry, uh, elliptic curve DSA, uh, algorithm, uh, based on P-256 curve. Yeah. Um, yeah.

David: The Google publication was 2.1 million gates and 1,425 qubits.

Deirdre: Nice. I was pretty close.

David: In March, late March.

Deirdre: 2024.

David: Um, excuse me, 2026.

Deirdre: And this, this was kind of interesting because two people have been following quantum attack algorithms and, and sort of like, this is part of a, um, lineage of like, here’s our improvement and here’s like our tweak on how, how many resources, how fast can we get some of these attack algorithms to be. Even though we don’t have a quantum computer yet to really, you know, test them. Like, this is— I’m going to write it up or whatever. But this was new in that the authors claimed that their results were too dangerous to publish. So that is why they published a zero-knowledge proof of them, and they directly compared it to, um, uh, to— I think it was literally like the Manhattan Project or whatever. Like, they didn’t want to, like, publish the ingredient, like, the specific ingredients of how to make an atomic bomb or something like that. And it’s just like, uh, like, I don’t know, like, we can’t run it yet, can we? Like, it’s gonna be several years until we can— until we can run it. So like, all right, whatever. But that’s not the funny part. That, that was an interesting kind of— it, it caused a little bit of a debate of like, oh my goodness, if we make any more improvements of attack algorithms, do we have to— is this the way we disclose them now? Is this a new form of responsible disclosure? Like, blah, blah, blah, blah. That didn’t matter. People saw this result and they’re like, ooh, you’re trying to attack the, the signing algorithm of Bitcoin. Hmm, let’s try if we can like really run this down. And someone set up ECDSA.fail, and they were basically— they basically started crowdsourcing, um, attempts to improve this, uh, theoretical construction, uh, you know, this construction published by Google, but without publishing the actual circuit, and tried to beat their claimed, um, uh, costs and speed and resource requirements. 
And people were using ChatGPT and Claude and Opus and all this stuff to try and incrementally try to improve and improve and improve and improve and submit it. And the zero-knowledge proof turned out to be a great way to like cross-test your results or something like that. I think that’s what it was. One, there was also a bug in it. The Trail of Bits people were able to find that, like, you, they were able to get it to validate things that it was not supposed to validate. Was that it? And that, that’s what they were using to, to validate other things. I don’t remember.

David: Um, no, they’re, they’re using the, just the same, like, sim circuit simulators that, um, were in the Google paper, but then, like, uh, the Google paper didn’t include like the actual circuit, it just had like a proof about the circuit. Yeah. But like the circuit simulator is basically just code. And so you can have a coding agent, you know?

Deirdre: Yeah. Okay. That was, that was it.

David: Optimize this circuit, make no mistakes.

Deirdre: Yep. And it took 3 days. Let me see if I can find, if I can cross-reference. I think this was the 30th and the first result that beat it was June 2nd. So I think it was 3-ish days before the entire point of this thing is too dangerous to publish, so we’re just going to publish a zero-knowledge proof on it, which is completely blown out of the water by people crowdsourcing competing results on the internet. And they’re still going, and they’ve been able to drive it down. It’s like not quite twice as fast or twice as efficient in terms of gates as the Google, uh, results. But it’s very— it— people have been able to get a very good, um, much better, like 45% less gates and like, yeah, uh, 25% less—.

David: Or excuse me, 25% or 30% less gates and like 45% less qubits. Yeah.

Deirdre: And, uh, uh, it’s, it’s a lot of fun. It, it’s a, it’s a lot of fun.

David: So, um, power of telling people, it’s, it’s telling people that like something can be done and then trying to figure it out. Like, uh, when, when DROWN happened, like the way we got involved at Michigan was we heard there was a rumor that like there was something wrong with SSLv2. And so because we heard that, myself and my advisor like opened up the OpenSSL source code and just looked at the SSLv2 handshake for a while, like on a projector screen. And then we were like, ah, that pointer’s wrong after a while. And that was like our contribution. That turned out a bunch of people much smarter than us had come up with like a cryptographic vulnerability. And we were just like, no, that pointer’s wrong. And those two combined are what like led to the fan— the fanciest version of DROWN. But like the only reason that we thought to look there was someone said, well, someone said, the rumor was there was something there. Same with this. Once you know something can be beaten, well, let’s go, let’s go try it.

Deirdre: Yeah.

David: Or just the same as like, uh, Nicholas Carlini, you know, saying the vulnerability is probably in this function. Yeah. Go, go find it. No, it’s in this function. Like, once you know the vulnerability is in the function, then you can find it. But yeah, otherwise you’d never find it.

Deirdre: Gosh, I love it. Um, I’m amused. I kind of hope that, like, this is, this is a great way to get improvements. Like, their attack algorithms, like, okay, but like, that’s how, that’s how defenses get better because the attacks get better and then we get better at defending. So that means you migrate off of ECDSA.

David: Spoiler alert, but, um, or, you know, a little culture clash between the physicists and the software security people.

Deirdre: Yes. Um, that, that was a thing that may not be obvious from just looking at the papers and the blog posts was that those results for that attack algorithm actually came out of like a different part of Google than say cryptography and security. And only the cryptography and security people found out about this thing that was coming, like very last minute, as far as I know. And like, they’re just like, what? Like, wait, what? Like, what do you— and then it was a whole negotiation of trying to get it out of Google. There’s no NSA or US government meddling, being like, no, no, you can’t publish this, it’s too dangerous. Like, none of that, as far as— that’s everything I’ve learned. It’s just like people, these physicists spooked themselves. And instead of working with security people and cryptography people who are used to publishing, you know, things that affect security postures out in the world, they just spooked themselves. They said, I don’t know if we should publish this. Oh, let’s go get a zero-knowledge proof to slap on it. That, that’ll let us get it out the door.

David: So, um, yeah, I mean, Scott Aaronson even had a blog post kind of about this where he was like, you know, maybe like we shouldn’t publish some of this stuff cuz we’re close. And then he was like, Nadia Heninger talked me out of it on Facebook. And I thought that was interesting. Because I didn’t realize Nadia was still on Facebook.

Deirdre: Oh my goodness. I, I didn’t—.

David: But you know, thank you to Nadia for keeping your Facebook so that you can like tell Scott Aaronson when he’s wrong. Yes.

Deirdre: Uh, thank you very much because I’m not going on Facebook. And what I wonder— oh, I wonder, I think his blog posts are, or the, the comment section are, are cross-synchronized, uh, with, with Facebook. That might be why. I don’t know.

David: I don’t know.

Deirdre: Well, I haven’t logged into Facebook in many years.

David: Thank you to Nadia Heninger for discussing this with Scott Aaronson.

Deirdre: Yeah. But yeah, easy to say it’s fun. Uh, go, go fork the, the circuit simulator and see if you can do better with your favorite, uh, on your own or with your favorite, uh, large language model or something, because apparently they’re good at it. Seems fun. Cool. Did we miss anything?

David: I think that’s enough, uh, executive orders for 10 PM on a Tuesday.

Deirdre: Yeah, I don’t want to discover any new, uh, Trump EOs that involve quantum or cryptography or security. Um, cool. Yay, emergency pod done. Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek, and David Adrian. Our editor is Nettie Smith. You can’t— oh my God, I need—

David: Fuck, is our editor Nettie Smith? Like, we keep editing ours.

Deirdre: Uh, yeah, I need the fucking—.

David: I need to find this online. Yes, @tqbf, um, @durumcrustulum or @dadrian. Yes, that’s right, I ponied up the money to change my handle.

Deirdre: Oh, it’s not David C. Adrian no more.

David: All right, don’t forget to like us, rate us, smash that like and subscribe, follow us on whatever preferred format you get your podcasts or video podcasts.

Deirdre: Yes.

David: And thank you for listening.

Deirdre: And also you can get merch at merch.securitycryptographywhatever.com. Thank you for listening.