Hi Christian,

I would encourage anyone interested in this topic to start by reading the PQC 
Forum archives from that period. The technical pros and cons of the change were 
discussed extensively on the public PQC Forum mailing list. My view is that 
removing the hash was the right decision, and that this was the consensus that 
emerged from the public discussion. As the archives show, I was initially 
opposed to the change but changed my opinion after considering the arguments 
raised.
https://groups.google.com/a/list.nist.gov/g/pqc-forum

ML-KEM is secure when used with a strong RNG (whether NIST-approved or not) and 
insecure when used with a weak RNG (attacker controlled or low entropy). The 
presence or absence of the hash does not change that.

The change was requested based on implementation experience, as the hashing 
step significantly increased implementation complexity. Hashing does not 
protect against an attacker-controlled or otherwise weak RNG. In fact, hashing 
an n-bit random message to produce an n-bit digest reduces the entropy by 
approximately 0.7 bits.

Cheers,
John Preuß Mattsson

On 2026-07-08, 07:27, "Christian Huitema" <[email protected]> wrote:

I just read Jacob Applebaum's message. Given his description of the
late-standardization suspicious change that looks like a backdoor in the
ML-KEM specification, I agree with his conclusion. The WG should not ask
for publication of the current graph, not until the changes requested by
Jacob are made.

-- Christian Huitema


Cheers,
John Preuß Mattsson
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to