Comment by Retr0id
2 days ago
Unless the implementation bug is severe enough to give RCE, memory dumping, or similar, I don't see how a bug in the MLKEM implementation (for example) would be able to leak the x25519 secret, even with sidechannels. A memory-safe impl would almost guarantee you don't have any bugs of the relevant classes (I know memory-safe != sidechannel-safe, but I don't see how sidechannels would be relevant). You still need to break need both to break the whole scheme.
I've rewritten some PQ implementations that had RCEs and memory disclosure vulnerabilities in them. No shade, but those implementations were from scientists who don't typically build production systems. As an industry, we're past this phase. Side-channels more commonly reveal plaintext than key material, but that shouldn't be fatal in the case of hybrid key agreement.
Based on what we've seen so far in industry research, I'd guess that enabling Denial of Service is the most common kind of issue.