| ▲ | timschmidt 3 days ago | |||||||
> there has been no hint of a backdoor in ML-KEM Wanting to standardize it's use without the secondary layer of protection provided by existing algorithms over the objections of a well known cryptographer counts as a hint to me. In the same way that paying RSA to make Dual-EC DRBG the default RNG in it's security products when it was newer and more expensive than alternatives was a hint. | ||||||||
| ▲ | mswphd 3 days ago | parent [-] | |||||||
those are not remotely the same things though? You're also (formally) wrong about DUAL_EC_DRBG for two reasons 1. the payment to RSA (in 2004) was secret. So it could not have been a public indication of a problem, as it was not discovered until nearly a decade after it happened (in 2013, when it became public) 2. the problematic part of DUAL_EC_DRBG (the "hint of a backdoor") I was mentioning was known pre-2004. blind paranoia is not a rational approach to cryptography. I say this as someone who prefers hybrid schemes! I just don't think it is sensible to attempt to "ban" the usage of pure ML-KEM by not standardizing it. It won't work! It'll just increase the risk of non-interoperable implementations. | ||||||||
| ||||||||