
The NSA Is Trying To Backdoor Bitcoin, Warns Peter Todd — Here’s How

Prominent Bitcoin developer Peter Todd alleged on Monday, October 6, that the US National Security Agency (NSA) is “trying to backdoor crypto once more” by way of the rollout of so-called quantum-secure algorithms—this time by pushing deployments that exclude tried-and-tested classical cryptography.

“Tl;dr: the NSA is clearly trying to backdoor crypto once more with the rollout of ‘quantum secure’ algorithms. The apparent method to implement them is AND: conventional AND quantum safe. So you might want to break each. The NSA is attempting to take away that seatbelt: quantum-only,” Todd wrote.

Is The NSA Plotting A Quantum Backdoor Into Bitcoin?

Todd’s comments came as cryptographer Daniel J. Bernstein (DJB) published a pair of blog posts—on October 4 and 5—criticizing current Internet Engineering Task Force (IETF) processes and warning that “weakened cryptography” could be standardized through procedural changes that suppress dissent.

In “MODPOD: The collapse of IETF’s protections for dissent,” Bernstein argues that a new moderation framework permits content-based censorship of objections, including objections to eliminating “hybrid” deployments that combine classical and post-quantum schemes. He adds that there is “helpful motion” stakeholders can take by Tuesday, October 7 to oppose these changes.

At the heart of the dispute is whether migrations to post-quantum cryptography (PQC) should favor hybrid combinations—e.g., classical ECDH and PQ key encapsulation—rather than quantum-only switches. Hybrids hedge the unknowns of newly standardized PQC by requiring an attacker to break both components to compromise a session or signature. The IETF formalized the term “hybrid” in June 2025 (RFC 9794), and NIST’s own guidance and FAQs likewise describe and permit hybrid key-establishment modes during the transition. That context underpins Todd’s claim that pushing “quantum-only” is a dangerous deviation from best practice.

Bernstein’s companion post on October 4 details real-world hybrid deployments—Google’s CECPQ1/2 experiments (ECC+NewHope, ECC+NTRU, ECC+SIKE), multi-vendor SSH support for ECC+sntrup761, and today’s browser usage dominated by ECC+ML-KEM (Kyber)—as evidence that hybridization is already mainstream and operationally feasible at Internet scale. The post argues that eliminating hybrids would lower security margins precisely when new PQC is still maturing.

NIST, for its part, has led the global PQC program since 2016 and in August 2024 finalized standards for ML-KEM (Kyber) and two signature schemes (ML-DSA/Dilithium and SLH-DSA/SPHINCS+), with additional algorithms such as HQC selected in 2025. Throughout its materials, NIST acknowledges hybrid modes as legitimate transition mechanisms and has hosted dedicated workshops on KEM guidance—positions that cut against a blanket “quantum-only” mandate.

Why this matters for Bitcoin and broader crypto is twofold. First, Bitcoin’s ecosystem relies heavily on standardized primitives and network protocols—hashes, signatures, handshakes—whose evolution is shaped by NIST and IETF outputs even when implementation happens in open-source codebases. Second, Todd grounds his warning in history: the NSA’s alleged role in the Dual_EC_DRBG fiasco 20 years ago, where a NIST-endorsed random number generator was later withdrawn amid credible backdoor concerns, along with reports that RSA made it the default in its toolkit following a secret payment. “Endorsement of backdoored crypto has occurred before at the behest of the NSA,” Todd wrote, adding “It’s not a theoretical threat. They’re clearly gearing up to do it once more.”

There is, however, no public evidence that the NSA is currently inserting a specific backdoor into NIST’s PQC standards or IETF drafts. NIST continues to publish open guidance, workshops, and public comment processes around PQC, including explicit documentation of hybrid approaches. Developer Fudmottin (@Fudmottin) objected to Todd: “If NIST endorsed cryptographic algorithms equivalent to SHA-256 turn out to have back doors or a weak point, then NIST is finished. No one will even ask them concerning the time of day (sure, NIST retains that commonplace for the USA).”

The immediate call to action comes from Bernstein’s posts urging stakeholders to engage IETF mechanisms by Tuesday, October 7 (any time zone) to object to MODPOD-style moderation and to defend hybrid cryptography as the default transition path. Todd’s amplification into the Bitcoin community underscores a longstanding distrust of intelligence-led cryptographic policy—shaped by Dual_EC and other episodes—and a desire to keep consensus-critical systems insulated from standards that may weaken defense-in-depth.

At press time, Bitcoin traded at $134,545.
