If you are aware of a weakness in ML-KEM, please enlighten us.

On Tue, Jun 30, 2026 at 6:29 PM Tanja Lange <[email protected]> wrote:

> You mean the competition where Rainbow got broken in February 2022, a few
> months after the end-of-2021 date which NIST had announced as the planned
> end
> of the competition? Where GeMSS had its underlying hardness assumption
> pulled
> out under it in November 2020? Where we're having an entire extra
> competition
> on signatures because of this? Where an IND-CCA2 issue in HQC was found
> after
> it was selected for standardization? Not to mention all the other systems
> that
> went down along the away, despite being seemingly based on solid
> assumptions.
> Did you count how many of them used lattices?
>
> Funny enough there doesn't seem to be anything wrong with the "moon math"
> as
> far as we know, it was just the usual issue that a hard math problem got
> weakened in the process of turning it into a cryptosystem, the torsion
> points
> had always been the most likely issue, we just didn't see the right tool to
> use them. Are we going to say the same about power-of-2 cyclotomics in a
> few
> years?
>
> In the short term I'm more concerned about implementation errors, given the
> scale of the new rollout, and consider it reckless to give up on existing
> protections that have gone through years of vetting and fixes. In the long
> run
> I'm not convinced that what we'll switch to after ECC + ML-KEM is ML-KEM,
> it's
> much more likely that by then we'll have a different system -- in the
> optimistic case because we can do so much better (already now we have
> systems
> that are smaller and/or faster and based on the same ideas as Kyber, 9
> years
> more of research make a difference), and in the pessimistic case because we
> need to increase the parameters or even move to a different system. I don't
> like the term "agility" and have complained about the misunderstandings it
> creates, but any change in systems now should be done in a way to make the
> next one easy.
>
> All the best
>         Tanja
>
> On Tue, Jun 30, 2026 at 05:20:44PM -0400, Soatok Dreamseeker wrote:
> > Something that has already happened to a moon math submission that was
> not as
> > widely understood as lattices. SIKE being broken was the international
> > standardization effort successfully working to motivate folks to find
> attacks
> > against novel cryptosystems. Using it as an indictment of an unrelated
> > algorithm is alarmingly ignorant.
> >
> > On Tue, Jun 30, 2026 at 5:13 PM Rob Sayre <[email protected]> wrote:
> >
> >     On Tue, Jun 30, 2026 at 2:09 PM Blumenthal, Uri - 0553 - MITLL <
> >     [email protected]> wrote:
> >
> >         People seem to keep forgetting (or ignoring) the whole purpose
> of the
> >         PQ.
> >
> >         If your data won’t remain sensitive by the time CRQC arrives -
> you
> >         don’t en need a hybrid. Just use your Classic ECC, experiment
> with PQ
> >         or not, and prepare for eventual transition at some point in the
> >         future.
> >
> >         If your data will remain sensitive - then the difference between
> “it
> >         got compromised today” and “it got compromised with CRQC” is
> small, and
> >         ECC won’t help at all.
> >
> >
> >
> >     That's not the argument, though.  It's that classical attacks might
> break
> >     the PQ algorithms. Something that has already happened.
> >
> >     thanks,
> >     Rob
> >
> >     _______________________________________________
> >     TLS mailing list -- [email protected]
> >     To unsubscribe send an email to [email protected]
> >
>
> > _______________________________________________
> > TLS mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
>
>
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to