On Mon, Jul 6, 2026 at 7:38 PM Blumenthal, Uri - 0553 - MITLL <
[email protected]> wrote:

>
> This strongly suggests that if the “first-rate cryptographers” (and not
> those playing ones on the Internet) decided that pure ML-KEM is sufficient
> to protect internal communications of *their* governments — it is good
> enough to allow *as an option* for everyone else.
>

I do hope that I am not considered one of those playing a cryptographer on
the Internet.

Yet, I wish to recall that some governments in the past wished weak
encryption to be used by their own nation, as long as it lured others to
use it as well.

Just to clarify - I am not saying nor implying this is the situation here,
but I do wish to clearly point out this basic fact, which I believe
disproves the conclusion of this specific point.



>
> Should it matter, really?
>

Yes. Were they operating because the SIGINT side of the discussion in some
organization put its foot down, while the National security people said it
was a bad idea? Who is accountable for this decision?

Again, we see that the NSA did not really take any responsibility about the
DUAL EC DBRG nor its Bullrun project. As you may have read Matthew Green's
summary (which I do hope we agree is not just a cryptographer wanna-be
playing so on the internet), it is not that the NSA came clean about the
deliberate devastation of cryptographic standards. So if the Canadian
equivalent of that project won the internal argument, do you see we need to
know who those people are? What are their objectives?


>
> Some did (Germany), some didn’t (UK, USA). It probably means that their
> threat model views differ in both breadth and depth from those of the
> crypto-wannabes who are now flooding this list.
>
> It is interesting to note that the proponents of “pure ML-KEM” aren’t
> trying to push it upon the entire community, but request it as an *option*.
> While its opponents are trying to force hybrids down everybody’s throat,
> presumably because they are convinced that “know better” than the rest of
> us.
>

I tend to agree with this statement - there is no effort to force this as
the only solution (and just to be clear, I do not think that ML-KEM is
backdoored, nor that the proposed draft is backdoored), but it does two
things: puts a "seal of approval" that this is a good idea (even if the RFC
is informational see comment [1]), increases the chance of black swan
events.

While I am not a public-key expert, to me (and a few colleagues I've
consulted with, who prefered to stay anonymous, because, and quoting Uri -
"Should it matter, really?") it seems more likely that a new devastating
attack on ML-KEM will be discovered (either classical or quantum) compared
with a new classical one on ECDH.

Obviously, this is a risk-management decision - and I personally prefer the
more cautious approach (and thus, I object to the publication).

[1] - I've done a very unprofessional survey over my Twitter account in
Hebrew, whether people see an IETF standard and trust it or not. Given the
"very scientific" nature of a twitter survey, I am not sure that this is
the best argument, but I wish to note that 30% of the people who answered
claimed that they trust a cryptographic RFC published by the IETF without
any checks (i.e., not looking at the informational status, or any of these
things). Surprisingly, 20% more suggested that they do so only if there are
other standards of this primitive (i.e., other standardization bodies went
for this algorithm), and 20% suggested that they actually check (and 30%
suggested that they don't trust RFC, because of the interference with the
process). Even I refuse to make any real statement out of that, but I think
that the "seal of approval" is something worth noting when discussing
whether the Russian ACPKM mechanism (informational RFC 8645) is published,
even though it is to be used only inside Russia.

Cheers,
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to