Comment by wahern
4 hours ago
You may not have any questions about the security of ML-KEM, but many people do. See, for example, DJB's compilation of such doubts from the IETF WG: https://blog.cr.yp.to/20260221-structure.html
DJB himself seems to prefer hybrid over non-hybrid precisely over concern about the unknowns: https://blog.cr.yp.to/20260219-obaa.html
These doubts may not be the kind curious onlookers have in mind, but to say there are no doubts among researchers and practitioners is a misrepresentation. In fact, you're flatly contradicting what DJB has said on the matter:
> SIKE is not an isolated example: https://cr.yp.to/papers.html#qrcsp shows that 48% of the 69 round-1 submissions to the NIST competition have been broken by now.
https://archive.cr.yp.to/2026-02-21/18:04:14/o2UJA4Um1j0ursy...
Unqualified assurances are what you hear from a salesman. You're trying to sell people on PQC. There's no reason to believe ML-KEM is a lemon, but you're effectively saying, "it's the last KEX scheme we'll ever need", and that's just not honest from an engineering point of view, even if it's what people need to hear.
I think you just gave away the game. To the extent I believe a CRQC is imminent, I suppose I am "trying to sell people on PQC". But then, so is Daniel Bernstein, your only cryptographically authoritative cite to your concern. Bernstein's problem isn't that we're rushing to PQC. It's that we didn't pick his personal lattice proposal.
And, if we're on the subject of how trustworthy Bernstein's concerns are, I'll note again: in his own writing about the potential frailty of MLKEM, he cites SIKE, because, again, he thinks you're too dumb to understand the difference between a module lattice and a generic lattice.
Finally, I'm going to keep saying this until I don't have to say it anymore: PQC is not a "kind" of cryptography. It doesn't mean anything that N% of the Round 1 submissions to the NIST PQC Contest were cryptanalyzed. Multivariate quadratic equation cryptography, supersingular isogeny cryptography, and F_2^128 code-based cryptography are not related to each other. The point of the contest was for that to happen.