logoalt Hacker News

mswphdtoday at 5:57 PM0 repliesview on HN

the NSA has a history of weakening cryptography in a very specific way, known as "NOBUS"

https://en.wikipedia.org/wiki/NOBUS

DES key-size weakening is consistent with NOBUS (given the computational dominance of the US at the time). DUAL_EC_DRBG is consistent with NOBUS. DES S-box strengthening (vs linear/differential cryptanalysis, I forget which) is also consistent with NOBUS.

There have been *no* proposed mechanism that would allow NSA to have a NOBUS-style attack against ML-KEM.

Separately, this RFC (pure ML-KEM) is marked "recommended to implement = N". It is highly likely all browsers etc will use hybrids. In certain areas (say hardware) it is not free to use a hybrid. You all of a sudden need both a SHA2 and SHA3 implementation, for example. Some organizations that view the threat of quantum computers as more credible may also not want to drag around the ECC component (which is known to be broken, once a CRQC appears. Google and the US government have publicly stated concerns this may occur within the next ~5 years after recent QC breakthroughs).