On Mon, Jul 06, 2026 at 04:04:44PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > > Presumably, the Canadian Government has access to first-rate > > cryptographers, and they have decided that, for protecting internal > > Canadian Government communications, > > that pure ML-KEM is sufficient, at least in some cases. > > This strongly suggests that if the “first-rate cryptographers” (and > not those playing ones on the Internet) decided that pure ML-KEM is > sufficient to protect internal communications of their governments — > it is good enough to allow as an option for everyone else.
I believe that nothing new has been said in the past year. There are roughly two camps: - ML-KEM is fine, obviously not backdoored, etc., let's publish - ML-KEM comes from or is pushed by the people that gave us 1DES w/ 56-bit keys and Dual_EC -- we should apply the reputational death penalty and never publish their work or their favored work There's a third camp, the one I'm in: - The ML-KEM horse has left the barn, and yeah, it's obviously not backdoored, but it might prove weak, but that's ok people will have to reconfigure if/when ML-KEM gets successfully cryptanalyzed, so all this brouhaha is a bit much, and we really don't get to or want to apply the reputational death penalty. Yes, that means that the NSA and friends get to keep doing to the public the things we wish they didn't. Are there other camps? Identifying every camp might help us stop retreading. "I'm in camp <fill-in-the-blank>" would be a great short-hand for the sub-thread we then don't need to have (:please:). It's an idea. Nico -- _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
