Hi Eliot,

Thanks for your reply. I am not claiming that ML-KEM is itself an intentionally placed undisclosed back door.

Please see my comments below.

On 7/8/26 11:35, Eliot Lear wrote:
Hi!

~~~~Disclaimer
I'm not a cryptographer.
~~~~>
Please see below.

On 08.07.2026 08:04, Viktor Dukhovni wrote:
On Tue, Jul 07, 2026 at 10:27:56PM -0700, Christian Huitema wrote:

I just read Jacob Applebaum's message. Given his description of the
late-standardization suspicious change that looks like a backdoor in the
ML-KEM specification, I agree with his conclusion. The WG should not ask for publication of the current graph, not until the changes requested by Jacob
are made.
The removal of whitening of the `m` random input to Encaps is not a
plausible backdoor.  If all you have is a broken RNG, you're free to
apply whitening to obtain a new less bad RNG and use that instead.

Nothing stops an ML-KEM implementation from hashing some input (any
number of times, mixing in whatever additional inputs, ...) to produce
its random values.  The abstract algorithm starts from the final output
of an adequate RNG that requires no further post-processing.

There's nothing suspicious about this simplification.  The critique in
question makes no sense to me.  Don't use a broken RNG.

That sounds about right to me, but as someone who is not a cryptographer, perhaps someone who is could explain how this amounts to a back door, and not a requirement for a good PRNG? And if it's not a back door, should we really relitigate NIST's choices here?

Eliot


* By "back door", I mean an intentionally placed undisclosed weakness that could be exploited by the people who placed it there.

The issue is that NIST removed a defense-in-depth step from Kyber. Kyber hashed `m` and explicitly said "Do not send output of system RNG." FIPS 203 removed that hash and justified the change by _requiring_ NIST-approved randomness generation. That requirement is not stated in the security considerations of the draft under discussion.

That change also coincidentally _creates_ a covert channel. It becomes dangerous when another layer supplies a sabotaged RNG. Users and/or servers generally do not know when they have a sabotaged RNG, so we should close such channels when the fix is cheap.

In TLS 1.3, a client can send an ML-KEM key share, receive a server ciphertext, and recover the server's internal `m` by instrumenting its own decapsulation. If `m` comes directly from a Dual_EC_DRBG-shaped RNG, this gives the client an oracle on server RNG output. Restoring Kyber's original `m <- H(m)` destroys the structure of that oracle.

This is why Extended Random is relevant here: it would have made Dual_EC_DRBG easier to exploit by exposing more RNG-derived material. We rightly consider that a scandal. Here, again, NIST influence removed a simple defense-in-depth step from a sound Kyber design. It is reasonable to worry about NSA influence given NIST's statutory obligation to consult with other agencies, including NSA, when developing such standards and guidelines.

Similarly in this draft, the security considerations ignore the Kyber team's own advice about hybrids where they state [0]:

'Use Kyber in a so-called hybrid mode in combination with established "pre-quantum" security; for example in combination with elliptic-curve Diffie-Hellman.'

So no, this is not just relitigating NIST. The TLS WG is deciding whether to publish a TLS use of standalone ML-KEM that inherits this assumption. The draft should restore the Kyber-style hash over m, or clearly state the FIPS 203 randomness-generation dependency and its consequences.

Kind regards,
Jacob

[0] https://pq-crystals.org/kyber/index.shtml

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to