On Sat, Feb 28, 2026 at 06:53:16PM +0100, Tibor Jager wrote:
> 
> 
> > Am 28.02.2026 um 16:43 schrieb Ilari Liusvaara <[email protected]>:
> > 
> > On Fri, Feb 27, 2026 at 11:19:41PM +0100, Tibor Jager wrote:
> 
> > 
> >> For almost every broken cryptosystem there was a time when there
> >> seemed to be no evidence that it is weak. ML-KEM still needs to stand
> >> the test of time.
> > 
> > Kyber has had considerable analysis in NISTPQC. There was at least
> > one candidate (based on lattices) that was not advanced because
> > there was too little analysis.
> > 
> > And in addition to the analysis of Kyber in NISTPQC, there has been a
> > considerable amount of analysis of MLWE and general lattice problems before that.
> 
> Many other cryptosystems have received considerable analysis before
> they were broken. 

Well, one of the scariest examples was SIKE. Made it through Round 3
before someone discovered some old obscure result that absolutely
wrecked it. "go SIKE".

And then earlier in NISTPQC, there was a new attack that did nasty stuff
(even if it was not a catastrophic break) to crypto based on rank
distance. And then similar-looking attacks did rather nasty stuff to
multivariate quadrics (demolishing at least one algorithm).

Most of the "broken" algorithms in NISTPQC were not broken by
cryptanalytic advances on well-known problems.


> Most importantly, do you see how your example from above is actually
> another example why a hybrid mode is preferable? In your example, the
> hybrid scheme is only broken after a CRQC exists. For ML-KEM-only,
> it is game-over immediately after the flaw that you described is
> discovered, which seems much worse to me.

Not reusing keys makes exploiting side channel attacks and most
implementation flaws MUCH harder (other than the kind of flaws that
would be game over even in hybrids).


ML-KEM testing tip: Generate a keypair, encapsulate to the public key
then decapsulate the ciphertext and all its single-bit corruptions,
verify that all the results differ.

This works because of the lack of explicit transcript hashing in ML-KEM (it
does not work with Kyber, which has explicit transcript hashing).




-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
