The NSA Is Trying To Backdoor Bitcoin, Warns Peter Todd — Here’s How

Prominent Bitcoin developer Peter Todd alleged on Monday, October 6, that the US National Security Agency (NSA) is “looking to backdoor crypto again” via the rollout of so-called quantum-secure algorithms—this time by pushing deployments that exclude tried-and-tested classical cryptography. “Tl;dr: the NSA is clearly looking to backdoor crypto again with the rollout of “ quantum secure ” ￰0￱ obvious way to implement them is AND: traditional AND quantum ￰1￱ you need to break ￰2￱ NSA is trying to remove that seatbelt: quantum-only,” Todd ￰3￱ The NSA Plotting A Quantum Backdoor Into Bitcoin? Todd’s comments came as cryptographer Daniel ￰4￱ (DJB) published a pair of blog posts—on October 4 and 5—criticizing current Internet Engineering Task Force (IETF) processes and warning that “weakened cryptography” could be standardized through procedural changes that suppress ￰5￱ “MODPOD: The collapse of IETF’s protections for dissent,” Bernstein argues that a new moderation framework enables content-based censorship of objections, including objections to eliminating “hybrid” deployments that combine classical and post-quantum ￰6￱ adds there is “useful action” stakeholders can take by Tuesday, October 7 to oppose these ￰7￱ the heart of the dispute is whether migrations to post-quantum cryptography (PQC) should favor hybrid combinations—e.

g., classical ECDH and PQ key encapsulation—rather than quantum-only ￰8￱ hedge the unknowns of newly standardized PQC by requiring an attacker to break both components to compromise a session or ￰9￱ IETF formalized the term “hybrid” in June 2025 (RFC 9794), and NIST’s own guidance and FAQs likewise describe and allow hybrid key-establishment modes during ￰10￱ context underpins Todd’s claim that pushing “quantum-only” is a dangerous deviation from best practice. Bernstein’s companion post on October 4 details real-world hybrid deployments—Google’s CECPQ1/2 experiments (ECC+NewHope, ECC+NTRU, ECC+SIKE), multi-vendor SSH support for ECC+sntrup761, and today’s browser usage dominated by ECC+ML-KEM (Kyber)—as evidence that hybridization is already mainstream and operationally feasible at Internet ￰11￱ post argues that eliminating hybrids would lower safety margins precisely when new PQC is still maturing.

NIST, for its part, has led the global PQC program since 2016 and in August 2024 finalized standards for ML-KEM (Kyber) and two signature schemes (ML-DSA/Dilithium and SLH-DSA/SPHINCS+), with additional algorithms such as HQC selected in ￰12￱ its materials, NIST acknowledges hybrid modes as legitimate transition mechanisms and has hosted dedicated workshops on KEM guidance—positions that cut against a blanket “quantum-only” ￰13￱ this matters for Bitcoin and broader crypto is twofold. First, Bitcoin’s ecosystem relies heavily on standardized primitives and network protocols—hashes, signatures, handshakes—whose evolution is shaped by NIST and IETF outputs even when implementation occurs in open-source codebases.

Second, Todd grounds his warning in history: the NSA’s alleged role in the Dual_EC_DRBG fiasco two decades ago, where a NIST-endorsed random number generator was later withdrawn amid credible backdoor concerns, including reports that RSA made it the default in its toolkit following a secret payment. “Endorsement of backdoored crypto has happened before at the behest of the NSA,” Todd wrote, adding “It’s not a theoretical risk. They’re clearly gearing up to do it again.” There is, however, no public proof that the NSA is currently inserting a specific backdoor into NIST’s PQC standards or IETF ￰14￱ continues to publish open guidance, workshops, and public comment processes around PQC, including explicit documentation of hybrid ￰15￱ Fudmottin (@Fudmottin) objected to Todd: “If NIST endorsed cryptographic algorithms such as SHA-256 turn out to have back doors or a weakness, then NIST is ￰16￱ one will even ask them about the time of day (yes, NIST keeps that standard for the USA).” The immediate call to action comes from Bernstein’s posts urging stakeholders to engage IETF mechanisms by Tuesday, October 7 (any time zone) to object to MODPOD-style moderation and to defend hybrid cryptography as the default transition path.

Todd’s amplification into the Bitcoin community underscores a longstanding mistrust of intelligence-led cryptographic policy—shaped by Dual_EC and other episodes—and a desire to keep consensus-critical systems insulated from standards that may weaken ￰17￱ press time, Bitcoin traded at $134,545.