Hi yall. I'm Félix Fischer Marqués. I'm from Chile.

I don't support the publication of this document. As to why, that's coming
up
next. I'll try to be brief.

In cryptography today, we rely on strong assumptions. We try to make the
least amount of those we can, but as of right now, we're kind of screwed:
we
must make assumptions. Nonetheless, we try to keep the number and strength
of
them as low as we can.

This draft assumes that ML-KEM is computationally strong. Meaning, it
assumes
that any adversary would indeed need an exponentially-growing amount of
resources to break it (exponential in terms of the cost to the users).

That's an extremely silly assumption to make. There is so much we just
don't
know about computational complexity that, in the best scenario, I would
describe this as hubris. We don't even know if one-way functions exist,
much
less public-key cryptography. Let's remain humble and accept the reality
that
ML-KEM might not be computationally strong at all.

We have to remember that standards like these are adopted in tens of
millions
of devices. Hubris here kills people over there.

Have a good week.
-- Félix
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to