On Mon, Jul 6, 2026 at 7:38 PM Blumenthal, Uri - 0553 - MITLL < [email protected]> wrote:
> > This strongly suggests that if the “first-rate cryptographers” (and not > those playing ones on the Internet) decided that pure ML-KEM is sufficient > to protect internal communications of *their* governments — it is good > enough to allow *as an option* for everyone else. > I do hope that I am not considered one of those playing a cryptographer on the Internet. Yet, I wish to recall that some governments in the past wished weak encryption to be used by their own nation, as long as it lured others to use it as well. Just to clarify - I am not saying nor implying this is the situation here, but I do wish to clearly point out this basic fact, which I believe disproves the conclusion of this specific point. > > Should it matter, really? > Yes. Were they operating because the SIGINT side of the discussion in some organization put its foot down, while the National security people said it was a bad idea? Who is accountable for this decision? Again, we see that the NSA did not really take any responsibility about the DUAL EC DBRG nor its Bullrun project. As you may have read Matthew Green's summary (which I do hope we agree is not just a cryptographer wanna-be playing so on the internet), it is not that the NSA came clean about the deliberate devastation of cryptographic standards. So if the Canadian equivalent of that project won the internal argument, do you see we need to know who those people are? What are their objectives? > > Some did (Germany), some didn’t (UK, USA). It probably means that their > threat model views differ in both breadth and depth from those of the > crypto-wannabes who are now flooding this list. > > It is interesting to note that the proponents of “pure ML-KEM” aren’t > trying to push it upon the entire community, but request it as an *option*. > While its opponents are trying to force hybrids down everybody’s throat, > presumably because they are convinced that “know better” than the rest of > us. > I tend to agree with this statement - there is no effort to force this as the only solution (and just to be clear, I do not think that ML-KEM is backdoored, nor that the proposed draft is backdoored), but it does two things: puts a "seal of approval" that this is a good idea (even if the RFC is informational see comment [1]), increases the chance of black swan events. While I am not a public-key expert, to me (and a few colleagues I've consulted with, who prefered to stay anonymous, because, and quoting Uri - "Should it matter, really?") it seems more likely that a new devastating attack on ML-KEM will be discovered (either classical or quantum) compared with a new classical one on ECDH. Obviously, this is a risk-management decision - and I personally prefer the more cautious approach (and thus, I object to the publication). [1] - I've done a very unprofessional survey over my Twitter account in Hebrew, whether people see an IETF standard and trust it or not. Given the "very scientific" nature of a twitter survey, I am not sure that this is the best argument, but I wish to note that 30% of the people who answered claimed that they trust a cryptographic RFC published by the IETF without any checks (i.e., not looking at the informational status, or any of these things). Surprisingly, 20% more suggested that they do so only if there are other standards of this primitive (i.e., other standardization bodies went for this algorithm), and 20% suggested that they actually check (and 30% suggested that they don't trust RFC, because of the interference with the process). Even I refuse to make any real statement out of that, but I think that the "seal of approval" is something worth noting when discussing whether the Russian ACPKM mechanism (informational RFC 8645) is published, even though it is to be used only inside Russia. Cheers,
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
