Remix.run Logo
mswphd 3 days ago

DJB has for years claimed anyone who disagrees with him is affiliated with the NSA. See for example this post as part of the NIST-PQC competition

https://blog.cr.yp.to/20220805-nsa.html

> Some people seem to be unable to rationally consider the possibility that NSA is sabotaging post-quantum cryptography. I've heard people saying, for example, that submissions to the NIST Post-Quantum Cryptography Standardization Project (NISTPQC) were publicly designed and evaluated by top experts, and that NSA can't have bribed the submission teams. > > Let's look at the facts.

Note that the authors of ML-KEM are overwhelming European.

adrian_b 3 days ago | parent [-]

DJB did not claim that there exists any weakness in ML-KEM or that NSA had anything to do with ML-KEM.

He just pointed that the predecessor of ML-KEM (SIKE) has already been broken. Because ML-KEM is also very new, there is a non-negligible probability that it will also be broken in a few years.

It is very simple to guard against this, by using both ML-KEM and the currently used elliptic-curve Diffie-Hellman algorithm.

ML-KEM is much more expensive than the current algorithm, so using both does not increase much the cost.

I do not see any flaw in his arguments, while anyone who says that ML-KEM should be used alone is making a bet for which there exists no justification, i.e. the risk is extremely high and the reward is extremely low.

In cryptography bets must be done only when the odds are extremely favorable, which is not the case for the proposal criticized by DJB.

mswphd 3 days ago | parent | next [-]

SIKE is a completely different scheme based on completely different hardness assumptions from a completely different area of math. It is just as sensible to call elliptic curve cryptography to be a predecessor to ML-KEM. Nobody would do that.

The hardness assumption from ML-KEM is from 2005 (in teh algebraically unstructured case. The biggest speedup known due to algebraic structure is ~3 bits, e.g. 8x speed improvement). It has taken exponential time to attack since then. Instantiating a standard ~20 years after introduction is slower than what we did with RSA, or with elliptic curve cryptography.

Therea re settings where hybrids are not free, for example hardware. The standard hybrid suggestion (XWING) would require hardawre to implement both SHA2 and SHA3. See this recent TLS WG post detailing this

https://mailarchive.ietf.org/arch/msg/tls/_9i3uIVDQ3pDRswpm9...

mswphd 3 days ago | parent [-]

actually another more basic point: SIKE is much more closely related to elliptic-curve cryptography than lattices. People would not use SIKE to argue that ECC is unreliable though.

throw0101d 3 days ago | parent | prev | next [-]

> I do not see any flaw in his arguments, while anyone who says that ML-KEM should be used alone is making a bet for which there exists no justification, i.e. the risk is extremely high and the reward is extremely low.

And who is making that 'ML-KEM alone' argument? AIUI, the IETF currently recommends hybrid.

It's on the US government talking to itself that would maybe do non-hybrid:

* https://en.wikipedia.org/wiki/Commercial_National_Security_A...

If the US government wants to compromise itself… then fine?

Also, HQC (FIPS 207) has been chosen as a backup / alternative to ML-KEM (formerly "Kyber"):

* https://www.nist.gov/news-events/news/2025/03/nist-selects-h...

some_furry 3 days ago | parent | prev [-]

I recommend reading this perspective

https://mailarchive.ietf.org/arch/msg/tls/SXo4iVmp0ng_vi57ce...

Also, https://keymaterial.net/2025/11/27/ml-kem-mythbusting/

ML-KEM is not "very new" compared to the age of other algorithms historically deployed.