With the ongoing debate around non-hybrid PQ-only in TLS, it is worth revisiting a relatively obscure episode from 2010 that did not receive much attention at the time.

In September 2010, Ian Cooper, a representative of GCHQ's National Technical Assistance Centre (NTAC), the unit responsible for assisting law enforcement and intelligence agencies with decryption and data analysis, attended a meeting of the 3GPP SA3-LI committee in Tallinn, Estonia. The committee handled lawful interception requirements for 4G mobile networks. On the agenda was MIKEY-IBAKE, a proposed encryption standard for securing voice calls over IP that used ephemeral Diffie-Hellman key exchange, providing forward secrecy and resistance to passive eavesdropping.

The GCHQ submission argued against adopting it. The technical objections were detailed: the man-in-the-middle approach required for lawful interception would add detectable latency to call setup, would cause all intercepted calls to drop simultaneously if the interception system failed, and could not be applied retrospectively. There was also a legal concern that actively modifying data in transit might violate the Computer Misuse Act 1990.

What the submission did not say, but what its logic made unmistakable, was that the real objection was that MIKEY-IBAKE worked too well. One passage is worth reading carefully:

"This will be especially pronounced when large numbers of Surveillance Subjects are active in one region or one switch. Computationally intensive elliptic curve calculations will need to be performed for every call setup under surveillance."

In other words, MIKEY-IBAKE would introduce a mass-surveillance scaling problem.

Having argued against MIKEY-IBAKE, the submission proposed an alternative the UK government had developed: MIKEY-SAKKE, using identity-based encryption with a key management server holding a master private key, a design that by construction allows any call to be decrypted by the network operator. The submission described this as having "additional benefits such as low latency." MIKEY-IBAKE was not incorporated into the 3GPP standard, and MIKEY-SAKKE became mandatory for UK government secure voice communications.

The document was published on 3GPP's FTP server in September 2010 and has been publicly accessible there ever since. It gained little attention until January 2016, when cryptography researcher Steven Murdoch published a detailed analysis of MIKEY-SAKKE. A commenter linked to a Cryptome mirror of the document (which had been uploaded to Cryptome around the time The Intercept republished and referenced the document in a March 2014 article on NSA/GCHQ hacking/malware infrastructure) and Murdoch updated his post accordingly. The Register covered it shortly after. Murdoch's analysis is thorough and worth reading in full.

The reason this seems worth mentioning now is the structural resemblance to the current debate around non-hybrid PQ-only in TLS. There, a draft specifying standalone ML-KEM for TLS 1.3 without the elliptic curve layer is being pushed through the IETF TLS Working Group despite substantive unresolved objections and, by Daniel J. Bernstein's count, more votes against publication than for it. As with MIKEY-IBAKE, the stated rationale obscures the real one: removing the ECC layer is most useful to an adversary with cryptanalytic capabilities against ML-KEM, and normalising non-hybrid PQ-only deployments expands that attack surface across the entire ecosystem. Bernstein has documented the procedural failures and the arguments in detail across a series of blog posts, which are essential reading for anyone following the debate.

This is of course not an isolated example. NSA's history of cryptographic standard manipulation is well documented: the deliberate weakening of DES to 56-bit keys in the 1970s, the secretly NSA-designed DSA with a 512-bit key in 1991, and the Dual EC backdoored random number generator standardized through ANSI, ISO, and NIST after NSA "worked covertly to get its own version of a draft security standard approved for worldwide use." Project BULLRUN confirmed the broader pattern, documenting "covert measures to ensure NSA control over setting of international encryption standards" and the insertion of "secret vulnerabilities, known as backdoors or trapdoors, into commercial encryption software." Bernstein's blog posts cover this history in detail. The 2010 MIKEY-IBAKE episode is a smaller footnote in that record, but a notable one; it is GCHQ rather than NSA, a Five Eyes partner operating through its own institutional presence in a separate standards body.

The parallel is not perfect. The MIKEY-IBAKE intervention happened entirely out of public view, while the non-hybrid PQ-only TLS debate is playing out in the open with documented objections and responses on a public mailing list. And where GCHQ promoted MIKEY-SAKKE publicly on entirely different grounds (public safety, enterprise governance, regulatory compliance) never acknowledging the mass-surveillance scaling rationale that appears in the 3GPP submission, the non-hybrid PQ-only TLS push at least states its rationale openly, even if that rationale obscures the real one.

The 2010 3GPP submission is simply a useful reminder that the pattern of NSA/GCHQ manipulating encryption standards to preserve mass-surveillance capabilities, while publicly arguing on entirely different grounds, is not hypothetical, not only historical, and not limited to NSA. It is documented in writing, it spans decades, and the current non-hybrid PQ-only TLS debate is the latest iteration. When these matters come up, the conversation tends to reach for the same familiar examples - Dual EC, DSA's 512-bit key, BULLRUN - but the GCHQ intervention at the 3GPP SA3-LI committee in 2010 rarely gets mentioned, perhaps because it happened quietly in an obscure standards body and the document sat unnoticed for years. It is worth keeping in mind.

Note: the 3GPP SA3-LI MIKEY-IBAKE document came to attention while reviewing published Snowden documents. In some archives it has been mistakenly catalogued as a Snowden document under the identifier nsa-uk-mikey-ibake -- it is not; it is a public 3GPP standards submission that has been accessible as a .doc file on 3GPP's FTP server since September 2010, and which was only republished as a PDF file by The Intercept in 2014 (and mirrored by Cryptome).