← Back to context

Comment by tptacek

10 hours ago

The whole point of the competition is to see if anybody can cryptanalyze the contestants. I think part of what's happening here is that people have put all PQC constructions in bucket, as if they shared an underlying technology or theory, so that a break in one calls all of them into question. That is in fact not at all the case. PQC is not a "kind" of cryptography. It's a functional attribute of many different kinds of cryptography.

The algorithm everyone tends to be thinking of when they bring this up has literally nothing to do with any cryptography used anywhere ever; it was wildly novel, and it was interesting only because it (1) had really nice ergonomics and (2) failed spectacularly.

6 comments

tptacek

Reply
wahern  4 hours ago

SIKE made it all the way to round 3. It failed spectacularly, but it happened rather abruptly. In one sense it wasn't surprising because of its novelty, but the actual attack was somewhat surprising--nobody was predicting it would crumble so thoroughly so quickly. Notably, the approach undergirding it is still thought secure; it was the particular details that caused it to fail.

It's hubris to say there are no questions, especially for key exchange. The general classes of mathematical problems for PQC seem robust, but that's generally not how crypto systems fail. They fail in the details, both algorithmically and in implementation gotchas.

From a security engineering perspective, there's no persuasive reason to avoid general adoption of, e.g., the NIST selections and related approaches. But when people suggest not to use hybrid schemes because the PQC selections are clearly robust on their own, well then reasonable people can disagree. Because, again, the devil is in the details.

The need to proclaim "no questions" feels more like a reaction to lay skepticism and potential FUD, for fear it will slow the adoption of PQC. But that's a social issue, and imbibing that urge may cause security engineers to let their guard down.

  • tptacek  2 hours ago

    What's your point? SIKE has literally nothing to do with MLKEM. There is no relationship between the algorithms. Essentially everybody working on PQC, including Bernstein himself, have converged on lattices, which, again, were a competitor to curves as a successor to RSA --- they are old.

    SIKE: not lattices. Literally moon math. Do you understand how SIKE/SIDH works? It's fucking wild.

    I'm going to keep saying this: you know the discussion is fully off the rails when people bring SIKE/SIDH into it as evidence against MLKEM.

    • wahern  1 hour ago

      You may not have any questions about the security of ML-KEM, but many people do. See, for example, DJB's compilation of such doubts from the IETF WG: https://blog.cr.yp.to/20260221-structure.html

      DJB himself seems to prefer hybrid over non-hybrid precisely over concern about the unknowns: https://blog.cr.yp.to/20260219-obaa.html

      These doubts may not be the kind curious onlookers have in mind, but to say there are no doubts among researchers and practitioners is a misrepresentation. In fact, you're flatly contradicting what DJB has said on the matter:

      > SIKE is not an isolated example: https://cr.yp.to/papers.html#qrcsp shows that 48% of the 69 round-1 submissions to the NIST competition have been broken by now.

      https://archive.cr.yp.to/2026-02-21/18:04:14/o2UJA4Um1j0ursy...

      Unqualified assurances is what you hear from a salesman. You're trying to sell people on PQC. There's no reason to believe ML-KEM is a lemon, but you're effectively saying, "it's the last KEX scheme we'll ever need", and that's just not honest from an engineering point of view, even if it's what people need to hear.

ls612  6 hours ago

Yeah I get that, what I am really asking is that I know in my field, I can quickly get a vibe as to whether certain new work is good or not so good, and where any bugaboos are likely to be. For those who know PQC like I know economics, do they believe at this point that the algorithms have been analyzed successfully to a level comparable to DH or RSA? Or is this really gonna be a rush job under the gun because we have no choice?

  • tptacek  6 hours ago

    Lattice cryptography was a contender alongside curves as a successor to RSA. It's not new. The specific lattice constructions we looked at during NIST PQC were new iterations on it, but so was Curve25519 when it was introduced. It's extremely not a rush job.

    The elephant in the room in these conversations is Daniel Bernstein and the shade he has been casting on MLKEM for the last few years. The things I think you should remember about that particular elephant are (1) that he's cited SIDH as a reason to be suspicious of MLKEM, which indicates that he thinks you're an idiot, and (2) that he himself participated in the NIST PQC KEM contest with a lattice construction.

    • lmm  3 hours ago

      Bernstein's ego is at a level where he thinks most other people are idiots (not without some justification), that's been clear for decades. What are you hinting at?