Hacker News

mswphd, today at 5:40 PM

DJB has for years claimed anyone who disagrees with him is affiliated with the NSA. See for example this post as part of the NIST-PQC competition

https://blog.cr.yp.to/20220805-nsa.html

> Some people seem to be unable to rationally consider the possibility that NSA is sabotaging post-quantum cryptography. I've heard people saying, for example, that submissions to the NIST Post-Quantum Cryptography Standardization Project (NISTPQC) were publicly designed and evaluated by top experts, and that NSA can't have bribed the submission teams.
>
> Let's look at the facts.

Note that the authors of ML-KEM are overwhelmingly European.


Replies

adrian_b, today at 6:47 PM

DJB did not claim that there exists any weakness in ML-KEM or that NSA had anything to do with ML-KEM.

He just pointed out that the predecessor of ML-KEM (SIKE) has already been broken. Because ML-KEM is also very new, there is a non-negligible probability that it will also be broken in a few years.

It is very simple to guard against this, by using both ML-KEM and the currently used elliptic-curve Diffie-Hellman algorithm.

ML-KEM is much more expensive than the current algorithm, so using both does not increase the cost much.

I do not see any flaw in his arguments, while anyone who says that ML-KEM should be used alone is making a bet for which there exists no justification, i.e. the risk is extremely high and the reward is extremely low.

In cryptography bets must be done only when the odds are extremely favorable, which is not the case for the proposal criticized by DJB.
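The hybrid construction adrian_b describes (ML-KEM alongside the existing elliptic-curve Diffie-Hellman), as an added example in Go that is not part of this thread: the two peers exchange an X25519 public key plus an ML-KEM-768 encapsulation key and ciphertext, and each side feeds both shared secrets into one combiner, so recovering the session key requires breaking both primitives. It assumes Go's standard `crypto/mlkem` and `crypto/ecdh` packages (Go 1.24 or newer); `hybridKey` and `runHybridExchange` are names chosen here, and the combiner is a plain HMAC-SHA256 extract over both secrets, not the KDF of any particular protocol.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"slices"
)

// hybridKey is an HKDF-Extract-style combiner: HMAC keyed with the transcript over both
// 32-byte secrets. The output stays unpredictable while EITHER X25519 or ML-KEM-768 holds.
func hybridKey(ecdhSecret, kemSecret, transcript []byte) []byte {
	mac := hmac.New(sha256.New, transcript) // transcript binds all public values sent
	mac.Write([]byte("hybrid X25519+ML-KEM-768 session key"))
	mac.Write(ecdhSecret) // fixed 32 bytes, so concatenation is unambiguous
	mac.Write(kemSecret)  // fixed 32 bytes
	return mac.Sum(nil)
}

// runHybridExchange plays both peers of one exchange and returns the key each side derived.
func runHybridExchange() (initiatorKey, responderKey []byte, err error) {
	// Initiator: fresh X25519 key pair and fresh ML-KEM-768 decapsulation key.
	iEcdh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	iKem, err := mlkem.GenerateKey768()
	if err != nil { return nil, nil, err }
	m1Ecdh, m1Kem := iEcdh.PublicKey(), iKem.EncapsulationKey() // message 1 to responder
	// Responder: ECDH with its own fresh key pair, then encapsulate to the KEM key.
	rEcdh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	rEcdhSecret, err := rEcdh.ECDH(m1Ecdh) // errors on low-order (all-zero) results
	if err != nil { return nil, nil, err }
	rKemSecret, ct := m1Kem.Encapsulate()
	m2Ecdh := rEcdh.PublicKey() // message 2 to initiator: X25519 public key and ct
	// Initiator: finish ECDH and decapsulate; both sides bind the full transcript.
	iEcdhSecret, err := iEcdh.ECDH(m2Ecdh)
	if err != nil { return nil, nil, err }
	iKemSecret, err := iKem.Decapsulate(ct)
	if err != nil { return nil, nil, err }
	transcript := slices.Concat(m1Ecdh.Bytes(), m1Kem.Bytes(), m2Ecdh.Bytes(), ct)
	return hybridKey(iEcdhSecret, iKemSecret, transcript), hybridKey(rEcdhSecret, rKemSecret, transcript), nil
}

func main() {
	a, b, err := runHybridExchange()
	fmt.Println("keys match:", err == nil && string(a) == string(b), "length:", len(a))
}
```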
