Remix.run Logo
tptacek 3 days ago

No, I'm very clear on what the question was asking, and it is not in fact "NSA" driving this process.

This is 100% Daniel Bernstein drama. Bernstein is upset that the NIST contest selected MLKEM (Kyber). He's been running a yearslong crusade to impeach the standard, up to and including opposition to lattice cryptography writ large, despite himself signing on to a lattice entrant (SNTRUP) to the PQC competition.

Over the last several months, the focal point of this crusade has been the IETF TLS Working Group, where Bernstein has been canvassing opposition to an RFC that will establish code points and documentation for pure, non-hybrid MLKEM TLS. Few systems in the near future are likely to use pure MLKEM TLS, but there are conceivable systems that we can foresee needing the option: for instance, embedded systems like smart meters that do ECC today, and could do MLKEM if it was urgently needed because of a CRQC, but couldn't practically do both.

The arguments being made on TLSWG are in spectacularly bad faith. People have varying levels of confidence in pure MLKEM (the closer your job title is to "cryptography engineer", the more likely it is you think hybrids are silly). But outside of the federal government itself, nobody in the entire world is being forced to use pure MLKEM; the entire controversy is about documenting what TLS would look like if you needed pure MLKEM.

The "NSA" stuff is just more innuendo.

Apart from bytes on the wire, MLKEM is not in fact "much more expensive" than 25519. Also, you have the maturity argument wrong; it's not a concern that risks/flaws will be discovered "in the standards".

cassonmars 3 days ago | parent [-]

Your argument would be far more charitable if NIST had not already been caught pushing a broken standard at the behest of the NSA before. DJB might be combative and somewhat caustic, but the one thing he's never been, given enough time in the retrospect to show it, is wrong.

tptacek 2 days ago | parent [-]

The logic you're using here would be just as valid in a campaign against SHA2. More valid, in fact, because unlike MLKEM, which was designed by European academic cryptographers, the NSA actually designed SHA2.