Perhaps to illustrate my point, WolfSSL has received a CVE for a bug in ML-KEM on https://nvd.nist.gov/vuln/detail/CVE-2026-10097.

I do remember seeing this with a CWE of CWE-327: Use of a Broken or Risky Cryptographic Algorithm, but that has since changed in the NVD to read CWE-697: Incorrect Comparison. (See the CVE change history in the NVD.)

Cheers

Stephan

On 7/1/26 12:32 PM, Stephan Neuhaus wrote:
I do not support the publication of this document.

I remember well that security standards get broken: when they have been well-reviewed, but especially when they're new. Bugs show up in the math, but also in implementations. Lattice cryptography seems to me to be a very active field of research, when quite fundamental results (and bugs!) are still being discovered, both in the math and in the implementations. From a risk-management perspective alone, I believe that it's too risky to standardise, even as "informational", a mode of encryption that relies only on these new methods.

Cheers

Stephan

PS: Full disclosure: I have just joined the TLS mailing list, mainly to say just this. I also have no standing in the cryptographic community, except that I have published a paper last year together with Peter Gutmann of this parish, about how all of the published quantum factorisation records are bogus [1]. What kind of standing this gives me, if any, is anybody's guess.

[1] https://eprint.iacr.org/2025/1237

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to