Hi Christian, I would encourage anyone interested in this topic to start by reading the PQC Forum archives from that period. The technical pros and cons of the change were discussed extensively on the public PQC Forum mailing list. My view is that removing the hash was the right decision, and that this was the consensus that emerged from the public discussion. As the archives show, I was initially opposed to the change but changed my opinion after considering the arguments raised. https://groups.google.com/a/list.nist.gov/g/pqc-forum
ML-KEM is secure when used with a strong RNG (whether NIST-approved or not) and insecure when used with a weak RNG (attacker controlled or low entropy). The presence or absence of the hash does not change that. The change was requested based on implementation experience, as the hashing step significantly increased implementation complexity. Hashing does not protect against an attacker-controlled or otherwise weak RNG. In fact, hashing an n-bit random message to produce an n-bit digest reduces the entropy by approximately 0.7 bits. Cheers, John Preuß Mattsson On 2026-07-08, 07:27, "Christian Huitema" <[email protected]> wrote: I just read Jacob Applebaum's message. Given his description of the late-standardization suspicious change that looks like a backdoor in the ML-KEM specification, I agree with his conclusion. The WG should not ask for publication of the current graph, not until the changes requested by Jacob are made. -- Christian Huitema Cheers, John Preuß Mattsson
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
