
Comment by digitalPhonix

3 months ago

> Well it turns out there is one customer who really really hates hybrids, and only wants to use ML-KEM1024 for all their systems. And that customer happens to be the NSA. And honestly, I do not see a problem with that.

Isn’t the problem (having only read a little about the controversy) that the non-hybrid appears to be strictly worse, except for the (~10%) decrease in transmission size; and that no one has articulated why that’s a desirable tradeoff?

On the face of it, I don’t see a problem with the tradeoff choice (both ways, that is) existing. I expect smarter people than me to have reasons one way or the other, but I haven’t seen a reason for saving bandwidth that articulates the concrete use case where it makes a difference.

> There is no backdoor in ML-KEM, and I can prove it. For something to be a backdoor, specifically a “Nobody but us backdoor” (NOBUS), you need some way to ensure that nobody else can exploit it, otherwise it is not a backdoor, but a broken algorithm.

Isn’t a broken algorithm also a valid thing for NSA/whoever to want?

Them saying they want to use it themselves doesn’t actually mean much?

Actually, thinking about this a bit more - saying that there's no "Nobody but us backdoor" to prove there's no backdoor is a poor argument.

As an example - if there's a weakness that affects 50% of keys (replace with whatever hypothetical number), NSA can make sure it doesn't use those affected keys but still retain the ability to decrypt 50% of everyone else's communications. And using the entropy analysis from this post, that would require 1 bit hidden in the parameters which is clearly within the entropy budget.