Dear Travis,

You "turned it around" and asked the question whether Scott is 100% sure
without any doubt whatsoever that ML-KEM and these specs are completely
secure forever. May I turn it around (in good cheer) and ask the other side:
*How many United States Dollars shall I put on a bet with you about a
hypothetical future in which quantum computers exist and break ECC, and on
what timeline?*

>From https://en.wikipedia.org/wiki/Scientific_wager, I find that

In 2017, Daniel J. Bernstein
<https://en.wikipedia.org/wiki/Daniel_J._Bernstein> made a bet for US$2,048
(equivalent to $2,600 in 2024)[11]
<https://en.wikipedia.org/wiki/Scientific_wager#cite_note-inflation-USGDP-11>
 with Francisco Rodríguez-Henríquez
<https://en.wikipedia.org/wiki/Francisco_Rodr%C3%ADguez-Henr%C3%ADquez?action=edit&redlink=1>
 that quantum computers <https://en.wikipedia.org/wiki/Quantum_computer> will
publicly break the RSA-2048 <https://en.wikipedia.org/wiki/RSA-2048> factoring
challenge no later than 2033.[23]
<https://en.wikipedia.org/wiki/Scientific_wager#cite_note-quantum-bet-23> In
2023, John Preuß Mattsson bet $2,050 that the challenge will withstand
quantum computing until at least 2050. Daniel J. Bernstein
<https://en.wikipedia.org/wiki/Daniel_J._Bernstein>, John Sahhar
<https://en.wikipedia.org/wiki/John_Sahhar?action=edit&redlink=1>, Daniel
Apon <https://en.wikipedia.org/wiki/Daniel_Apon?action=edit&redlink=1>,
and Michele
Mosca <https://en.wikipedia.org/wiki/Michele_Mosca> accepted the bet.[24]
<https://en.wikipedia.org/wiki/Scientific_wager#cite_note-24>

So, in the grand tradition and good spirit of public scientific wagers
(with a beautiful, storied, and even hallowed history across many
scientific disciplines!), I will happily entreat you to make a
USD-denominated wager on your position. My position is that ECC will be
broken "soon" -- indeed, just as DJB has been willing to go on the record
for public wagers before (along with me) -- as in his case, that ECC would
be broken by 2033 and 2050.

Please let me know what terms you're willing to publicly put money behind.
(And cheers to the mailing list for joyfully humoring this humble request!)
My kindest regards,
--Daniel Apon

On Thu, Jul 2, 2026 at 8:24 PM Travis Burtrum <[email protected]>
wrote:

> Hi Scott,
>
> On 7/2/26 2:49 PM, Scott Fluhrer (sfluhrer) wrote:
> > I feel I need to ask this (both to you and to others who have suggested
> > that ML-KEM cannot be trusted): do you support the publication of draft-
> > ietf-tls-ecdhe-mlkem?
>
> Surely if anyone knew for sure ML-KEM was broken they'd bring that up,
> but "cannot be trusted" is a different thing.  Obviously we've seen tons
> of standardized crypto over the decades that everyone thought was secure
> and then it turned out was broken.  So let me turn it around and ask you
> a question, are you absolutely 100% sure without any doubt whatsoever
> that both ML-KEM and these specs are completely secure forever?  If not
> (and I'm not sure how anyone could be) it's only sensible to hedge
> against this, which is why only hybrid should exist and this
> draft-ietf-tls-mlkem should not be published.
>
> Thanks,
> Travis
>
> _______________________________________________
> TLS mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to