| ▲ | adrian_b 3 days ago | |
DJB did not criticize anything about ML-KEM. The TFA has nothing to do with ML-KEM, but only about how to transition from the current algorithms to post-quantum algorithms. For now, it is completely unknown how secure ML-KEM really is, because it is too new. For many complex cryptographic algorithms a decade or even a few decades have been required until someone discovered how to break them. The predecessor of ML-KEM, SIKE, has already been broken. Perhaps nobody will break ML-KEM, or perhaps it will be broken in a couple of years. The only risk-free strategy is to use both ML-KEM and the current key exchange algorithm. This adds a negligible cost, because ML-KEM is much more expensive. Therefore I agree with DJB about this, because I never bet that the worst case will not happen. Any good design must work fine even when the worst happens. | ||