Prominent Bitcoin developer Peter Todd alleged on Monday, October 6, that the US National Security Agency (NSA) is “looking to backdoor crypto again” via the rollout of so-called quantum-secure algorithms—this time by pushing deployments that exclude tried-and-tested classical cryptography. “Tl;dr: the NSA is clearly looking to backdoor crypto again with the rollout of “ quantum secure ” algorithms. The obvious way to implement them is AND: traditional AND quantum secure. So you need to break both. The NSA is trying to remove that seatbelt: quantum-only,” Todd wrote . Is The NSA Plotting A Quantum Backdoor Into Bitcoin? Todd’s comments came as cryptographer Daniel J. Bernstein (DJB) published a pair of blog posts—on October 4 and 5—criticizing current Internet Engineering Task Force (IETF) processes and warning that “weakened cryptography” could be standardized through procedural changes that suppress dissent. In “MODPOD: The collapse of IETF’s protections for dissent,” Bernstein argues that a new moderation framework enables content-based censorship of objections, including objections to eliminating “hybrid” deployments that combine classical and post-quantum schemes. He adds there is “useful action” stakeholders can take by Tuesday, October 7 to oppose these changes. At the heart of the dispute is whether migrations to post-quantum cryptography (PQC) should favor hybrid combinations—e.g., classical ECDH and PQ key encapsulation—rather than quantum-only switches. Hybrids hedge the unknowns of newly standardized PQC by requiring an attacker to break both components to compromise a session or signature. The IETF formalized the term “hybrid” in June 2025 (RFC 9794), and NIST’s own guidance and FAQs likewise describe and allow hybrid key-establishment modes during transition. That context underpins Todd’s claim that pushing “quantum-only” is a dangerous deviation from best practice. Bernstein’s companion post on October 4 details real-world hybrid deployments—Google’s CECPQ1/2 experiments (ECC+NewHope, ECC+NTRU, ECC+SIKE), multi-vendor SSH support for ECC+sntrup761, and today’s browser usage dominated by ECC+ML-KEM (Kyber)—as evidence that hybridization is already mainstream and operationally feasible at Internet scale. The post argues that eliminating hybrids would lower safety margins precisely when new PQC is still maturing. NIST, for its part, has led the global PQC program since 2016 and in August 2024 finalized standards for ML-KEM (Kyber) and two signature schemes (ML-DSA/Dilithium and SLH-DSA/SPHINCS+), with additional algorithms such as HQC selected in 2025. Throughout its materials, NIST acknowledges hybrid modes as legitimate transition mechanisms and has hosted dedicated workshops on KEM guidance—positions that cut against a blanket “quantum-only” mandate. Why this matters for Bitcoin and broader crypto is twofold. First, Bitcoin’s ecosystem relies heavily on standardized primitives and network protocols—hashes, signatures, handshakes—whose evolution is shaped by NIST and IETF outputs even when implementation occurs in open-source codebases. Second, Todd grounds his warning in history: the NSA’s alleged role in the Dual_EC_DRBG fiasco two decades ago, where a NIST-endorsed random number generator was later withdrawn amid credible backdoor concerns, including reports that RSA made it the default in its toolkit following a secret payment. “Endorsement of backdoored crypto has happened before at the behest of the NSA,” Todd wrote, adding “It’s not a theoretical risk. They’re clearly gearing up to do it again.” There is, however, no public proof that the NSA is currently inserting a specific backdoor into NIST’s PQC standards or IETF drafts. NIST continues to publish open guidance, workshops, and public comment processes around PQC, including explicit documentation of hybrid approaches. Developer Fudmottin (@Fudmottin) objected to Todd: “If NIST endorsed cryptographic algorithms such as SHA-256 turn out to have back doors or a weakness, then NIST is done. No one will even ask them about the time of day (yes, NIST keeps that standard for the USA).” The immediate call to action comes from Bernstein’s posts urging stakeholders to engage IETF mechanisms by Tuesday, October 7 (any time zone) to object to MODPOD-style moderation and to defend hybrid cryptography as the default transition path. Todd’s amplification into the Bitcoin community underscores a longstanding mistrust of intelligence-led cryptographic policy—shaped by Dual_EC and other episodes—and a desire to keep consensus-critical systems insulated from standards that may weaken defense-in-depth. At press time, Bitcoin traded at $134,545.
