Hi Quynh,
Thanks for replying.
On 7/9/26 16:15, Dang, Quynh H. (Fed) wrote:
Everything I wrote in the message at 9:44AM US Eastern time 7/8/2026
is factual regardless of many questions you had for me about things.
That statement appears to include your earlier claim:
"The group authoring FIPS 203 did not have any meeting with the NSA and
the NSA had zero authorship of the FIPS 203."
That remains unreconciled with the public record unless you are using
very narrow definitions of "group authoring FIPS 203," "meeting," and
"authorship." Public FOIA material says there was substantial NSA
involvement in NIST PQC work, including secret NSA/NIST PQC meetings and
NSA participation in the [email protected] team [2]. It also includes an
email saying comments from "Donna and the NSA" were incorporated into
the PQC NISTIR, and that PQC NISTIR is cited by FIPS 203 [3][4].
If your point is only that NSA was not listed as an author of the final
FIPS 203 document, please make that clear to readers here. That is a
much narrower claim than saying that the group authoring FIPS 203 had no
meeting with NSA or that NSA had zero authorship or influence relevant
to FIPS 203.
The public record released by NIST after being subject to a lawsuit
appears to contradict those broader claims: it shows NSA involvement in
NIST PQC work, an email saying comments from "Donna and the NSA" were
incorporated into the PQC NISTIR, and that NISTIR is cited by FIPS 203.
Every technical change was publicly discussed at the pqc-forum and
there was a publicly known reason for the change.
That public discussion is not the same as analysis of this TLS failure
mode even though some points touched on the Dual_EC_DRBG concern.
You wrote [0] on behalf of NIST in May 2023:
"We appreciate the discussion about Kyber's tweaked FO transform. While
there are arguments that can be made for either including or not
including the hash of m during Encaps, NIST is not planning to include
this step in the upcoming draft standard for Kyber."
You then wrote:
"The upcoming standard focuses on FIPS-certifiable implementations,
which includes auxiliary functions such as the RGB. In the case of a
standardized version of Kyber being deployed in a non-FIPS-certified
setting, it is possible than an attacker can back-door the RBG to learn
all future outputs. In this case, NIST believes that adding an extra
hash to Kyber will not do much to mitigate the potential harms faced by
the jeopardized system."
That is not a technical analysis of the TLS case. It is an assertion
that NIST "believes" the hash will not do much good because the rest of
the system may already be jeopardized.
The primary public reasons against hashing can be summarized as: hashing
`m` has implementation cost, side-channel concerns were raised,
environmental cost was raised, and FIPS 203 requires an approved RBG
[0][1][4]. None of that answers the specific TLS question: if a TLS
server samples `m` directly from a Dual_EC_DRBG-shaped RBG, does the
decapsulating client get an RNG-state-recovery oracle that Kyber's
original `m <- H(m)` step would close?
Beside the removal of the hash of m, are there any other technical
details concerning you about the security of ML-KEM in TLS 1.3 ?
Yes. The removal of the hash over `m` is the primary technical concern.
The IPR/licensing question is the second technical concern because it
affects whether implementers are free to deploy the obvious mitigation.
For clarity, please answer these as technical yes/no questions:
1. Does FIPS 203 `ML-KEM.Encaps()` [4] sample a fresh 32-byte `m` and
pass it to `ML-KEM.Encaps_internal()` without Kyber's original `m <-
H(m)` step?
2. In TLS 1.3 standalone ML-KEM, does the client send an ML-KEM public
key and does the server encapsulate to it, producing a ciphertext that
the client decapsulates [5]?
3. Can a client that controls its own ML-KEM implementation instrument
decapsulation and recover the server's internal `m` value?
4. If that `m` is raw output from a Dual_EC_DRBG-shaped RBG, and the
client has the corresponding Dual_EC_DRBG secret/trapdoor, can that `m`
serve as an RNG-state-recovery sample?
5. Would restoring Kyber's `m <- H(m)` step before encapsulation destroy
the Dual_EC_DRBG algebraic structure available to that decapsulating peer?
6. Does the current TLS draft's Security Considerations clearly state
the FIPS 203 approved-RBG dependency and explain the security
consequence of removing Kyber's hash over `m`?
7. Do NIST's patent license agreements cover implementations that
restore Kyber's `m <- H(m)` step before `ML-KEM.Encaps_internal()`?
8. Do NIST's patent license agreements cover implementations that derive
`m` from an approved or non-approved RBG through a hash/XOF construction
before encapsulation?
9. If the answer to 7 or 8 is no, is NIST willing to say publicly that
it will seek clarification, amendment, or an additional license so
implementers can deploy this mitigation without IPR uncertainty?
If the answers to 1-6 are yes, yes, yes, yes, yes, and no, then the TLS
draft has a concrete Security Considerations defect. The WG does not
need to re-litigate all of NIST PQC to fix that. It can simply say: hash
`m`, or at minimum state the FIPS 203 approved-RBG assumption and the
risk of raw RNG-derived `m`.
If the answers to 7-9 are unclear, then the patent situation is not a
side issue. It is a technical deployment blocker. The obvious mitigation
is to restore the Kyber hash over `m`, but implementers need to know
whether NIST's patent license agreements cover that mitigation or only
ML-KEM exactly as published by NIST.
If the latter is the case then the Security Considerations of the draft
should at a minimum mention the _requirement_ from FIPS 203 that ML-KEM
requires a NIST-approved randomness source, and ideally it should also
state that not hashing `m` was based on the security assumption of that
requirement. Do you disagree with either of those two technical points?
PS: Don't be surprised if I don't answer your questions if I think
they are not technically important to ML-KEM's security in TLS 1.3.
These questions are exactly about ML-KEM's security in TLS 1.3 and about
whether implementers are legally free from NIST's perspective to deploy
a technical mitigation.
In any case, I am not surprised but I would like to be! Please do
consider answering the questions posed in a systematic way even if that
isn't the normal NIST process.
Kind regards,
Jacob Appelbaum
P.S.
People reading the FOIA release [3] probably fairly wonder: What,
exactly, did Donna and the NSA [3] have to say that was folded into the
later cited PQC NISTIR?
[0] https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/WFRDl8DqYQ4/
m/o2XJ2YvfAwAJ
[1] https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/WFRDl8DqYQ4/
m/d8SFB2RhAAAJ
[2] https://nist.pqcrypto.org/foia/highlights.html
[3] https://nist.pqcrypto.org/foia/20230508/PQC%20NISTIR%20version%202.pdf
[4] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf
[5] https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/
-----Original Message----- From: Jacob Appelbaum
<[email protected]> Sent: Wednesday, July 8, 2026 2:11 PM To:
Dang, Quynh H. (Fed) <[email protected]>; TLS List
<[email protected]> Cc: Markku-Juhani O. Saarinen
<[email protected]> Subject: Re: [EXTERNAL] Re: [TLS] Re:
[EXTERNAL] Re: WG Last Call: draft-ietf- tls-mlkem-08 (Ends
2026-07-08)
Hello Quynh,
Thank you for your reply.
On 7/8/26 15:43, Dang, Quynh H. (Fed) wrote:
Hi Jacob,
The group authoring FIPS 203 did not have any meeting with the
NSA and the NSA had zero authorship of the FIPS 203.
This is a surprising statement given the public information about
NIST and NSA's relationship.
Public FOIA material [0] appears to show substantial NSA
involvement in NIST PQC work, which makes your statement
surprising and worth clarifying.
The FOIA highlights [1] say the [email protected] team included more
NSA members than NIST members and that NSA had secret input/
meetings with NIST on PQC, but that is broader than FIPS 203
authorship:
"NIST's Post Quantum Cryptography Team was mostly NSA. The FOIA
results show that what NIST publicly labeled as the "Post Quantum
Cryptography Team, National Institute of Standards and Technology
(NIST), [email protected]" actually had more NSA members than NIST
members. The secret NSA members of the [email protected] team were
Bradley C. Lackey, Daniel Kirkwood, David Hubbard, David Tuller,
Jerry Solinas, John McVey, Laurie Law, Mark Motley, Nick
Gajcowski, Scott Simon, and later Rich Davis." [2] [3] [4]
Some of those names are familiar to me. Are any on this list
taking a position on the draft in question? A wonderful moment for
government transparency has presented itself. Thank you to the
IETF for this opportunity.
Looking at the released documents such as [5] where a well-known
NIST (Top) Cryptographer wrote in his email: "I've incorporated
the revisions and edits we discussed regarding the comments
received from Donna and the NSA." Quynh - the email metadata from
that FOIA release says that you were in the CC list.
How should the public reconcile your claim with the released email
[5] saying that comments from "Donna and the NSA" were
incorporated?
Is this a mistake or a misunderstanding? For example are you not
counting [5] comments from the NSA... because their feedback was
incorporated into the PQC NISTIR version 2 document as part of the
larger PQC process? Does that mean NIST's position is that FIPS
203 wasn't influenced by their own PQC NISTIR document? I read
`NISTIR` in Section 2.2 Acronyms (on page 4) of FIPS 203 and the
NISTIR is cited as reference [23] (on page 43) of FIPS 203 [6]:
"Alagic G, Apon D, Cooper D, Dang Q, Dang T, Kelsey J, Lichtinger
J, Liu YK, Miller C, Moody D, Peralta R, Perlner R, Robinson A,
Smith-Tone D (2022) Status report on the third round of the NIST
post-quantum cryptography standardization process (National
Institute of Standards and Technology, Gaithersburg, MD), NIST
Interagency or Internal Report (IR) 8413. https://doi.or/
g%2F10.6028%2FNIST.IR.8413-
upd1&data=05%7C02%7Cquynh.dang%40nist.gov%7C8a0445ed945f404f1
a1b08dedd2d61b4%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C0%
7C639191384484652031%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hc
GkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIld
UIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=3Rlb5zid5iEipm%2F2fzO%2FMsL
GO8tIfr2nPEBwbPA6u4I%3D&reserved=0 "
I do not see how to reconcile your statement with the public FOIA
record without a more precise definition of "the group authoring
FIPS 203," "meeting," and "authorship."
It would be immensely helpful if you or NIST could clarify - who
do you include by name in the group authoring FIPS 203 and what
exactly do you mean by a meeting?
It sounds pedantic, I realize. Unfortunately it is only because of
a proactive lawsuit against NIST that members of the public are
able to cite the above emails. NIST could do themselves a big
favor here and release significantly more information without
being forced through legal process.
At the time of authoring/writing FIPS 203, we were very
confident in the security of the NIST-approved RBGs, we wanted
people to use them, so the FIPS had a requirement of using an
appropriate security strength NIST-approved RBG.
Didn't NIST write FIPS 203 _after_ NIST's John Kelsey did the
retrospective on NIST's failure in the Dual_EC_DRBG fiasco? Was
this history not part of your threat model or included in your
(internal or external) analysis in any documented manner?
There's an old joke about the TSA and how it tries to solve
yesterday's security threats tomorrow. Is NIST... at least trying
to solve its own security catastrophes of a decade ago... today or
at least for... tomorrow?
As others have pointed out before, hashing m in the ML-KEM's
spec only protects the KEM, the whole system is still considered
compromised when other crypto functions rely on the security of
the broken or attacker-controlled RBG.
Okay - I understand that we agree that hashing `m` is not harmful
to the ML- KEM spec. I also understand that we agree that hashing
m even protects the KEM.
But do I understand the rest of your point? I read you as saying
that... NIST... left the `m` unhashed so that the KEM would be
unprotected because... the rest of the system would also be
compromised anyway?
Do you dispute that, if `m` is produced by a Dual_EC_DRBG-shaped
RNG, not hashing `m` allows a TLS client to obtain a useful oracle
that hashing `m` would close?
Hashing `m` would protect the KEM and close this ML-KEM oracle
against a Dual_EC_DRBG-shaped NOBUS advantage for a large-scale
adversary. Naturally, if the larger protocol leaks a similar RNG
state before or after, we would have more than one problem to
resolve. Still, we should try to resolve each of the issues rather
than pointing at related problems to justify solving none of them.
We think we made a good judgement call to remove the hash
(discussed in my previous email). We also understood the reason
that some others wanted to keep the hash.
What is the standard of evidence that would convince you
personally or NIST to the contrary to issue an errata such that
`m` is hashed to prevent this issue?
For example, what if someone showed you a construction to make ML-
KEM not just secure against this exact issue but also to resolve
the hybrid debate without any extra bytes on the wire? I have such
a design and I have implemented it.
Relatedly, would NIST ensure that the patent/IPR concerns would
not be enforced against such an implementation?
It would help to clarify whether NIST's patent license agreements
apply only to ML-KEM as published by NIST, or also to variants
that hash `m` or otherwise transform `m`. If developers are free
to hash `m` or to use a non-NIST- approved RBG under NIST's patent
license agreements, I am certainly not alone in welcoming
clarification on this matter.
I have posed many questions, and I appreciate you taking the time
to read them. Thanks in advance, and thank you again for your work
authoring FIPS 203.
Kind regards, Jacob Appelbaum
[0] https://nist.p/
qcrypto.org%2Ffoia%2Findex.html&data=05%7C02%7Cquynh.dang%40nist.
gov%7C8a0445ed945f404f1a1b08dedd2d61b4%7C2ab5d82fd8fa4797a93e
054655c61dec%7C0%7C0%7C639191384484715842%7CUnknown%7CTW
FpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXa
W4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=KQ
D%2F%2FTl4lLVgd1YCz5WHMVboj9k7mBmT8iAR8Ypwd%2FQ%3D&reserved =0
[1] https://nist.p/
qcrypto.org%2Ffoia%2Fhighlights.html&data=05%7C02%7Cquynh.dang%40
nist.gov%7C8a0445ed945f404f1a1b08dedd2d61b4%7C2ab5d82fd8fa4797
a93e054655c61dec%7C0%7C0%7C639191384484767533%7CUnknown%7
CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOi
JXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=l
7f7UaDwXTyaTXOuYwYqn2YceWpcuAxic42VhpgiATE%3D&reserved=0
[2] https://nist.p/
qcrypto.org%2Ffoia%2F20230815%2FRe_%2520pqc%2520mailing%2520list
&data=05%7C02%7Cquynh.dang%40nist.gov%7C8a0445ed945f404f1a1b0
8dedd2d61b4%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C0%7C63
9191384484812340%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiO
nRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoy
fQ%3D%3D%7C0%7C%7C%7C&sdata=esh2gmMa5l0D9chFkhE%2FgusyQP0
9wP0ndToGTyUj4bA%3D&reserved=0(1)-3.pdf
[3] https://web/.
archive.org%2Fweb%2F20230910091944%2Fhttps%3A%2F%2Fcsrc.nist.gov
%2FCSRC%2Fmedia%2FEvents%2FISPAB-MARCH-2014-
MEETING%2Fdocuments%2Fa_quantum_world_v1_ispab_march_2014.pdf&
data=05%7C02%7Cquynh.dang%40nist.gov%7C8a0445ed945f404f1a1b08d
edd2d61b4%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C0%7C6391
91384484853183%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnR
ydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ
%3D%3D%7C0%7C%7C%7C&sdata=7fBkCMQjFUXEEl5M07iBe8Ahnf0gm%2
BHps5sQ9KRXb2Q%3D&reserved=0 was authored by "Post Quantum
Cryptography Team, National Institute of Standards and Technology
(NIST), [email protected]"
[4] https://nist.p/
qcrypto.org%2Ffoia%2F20230815%2FRe_%2520pqc%2520mailing%2520list
&data=05%7C02%7Cquynh.dang%40nist.gov%7C8a0445ed945f404f1a1b0
8dedd2d61b4%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C0%7C63
9191384484884591%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiO
nRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoy
fQ%3D%3D%7C0%7C%7C%7C&sdata=7qLvBB0Se4BCW5rT2D6Qe4%2FW66
LwDds5xMDEFF5iNz8%3D&reserved=0(1)-3.pdf includes the list of
[email protected] people
[5] https://nist.p/
qcrypto.org%2Ffoia%2F20230915%2FRe_%2520PQC%2520NISTIR%2520ve
rsion%25202&data=05%7C02%7Cquynh.dang%40nist.gov%7C8a0445ed94
5f404f1a1b08dedd2d61b4%7C2ab5d82fd8fa4797a93e054655c61dec%7C0
%7C0%7C639191384484909081%7CUnknown%7CTWFpbGZsb3d8eyJFbXB
0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFp
bCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=sdhN0Wr05ckhl9vb4Roy
qPnTC86VVzZWkEwAW55GlcY%3D&reserved=0(2).pdf
[6] https://nvlpu/
bs.nist.gov%2Fnistpubs%2FFIPS%2FNIST.FIPS.203.pdf&data=05%7C02%7Cq
uynh.dang%40nist.gov%7C8a0445ed945f404f1a1b08dedd2d61b4%7C2ab
5d82fd8fa4797a93e054655c61dec%7C0%7C0%7C639191384484927281%
7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAu
MDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C
%7C%7C&sdata=6IyafioHpbMx620xq1tn0MgWzftZUcipmB5Zx2qS3Bk%3D&r
eserved=0
Regards, Quynh.
-----Original Message----- From: Jacob Appelbaum
<[email protected]> Sent: Wednesday, July 8, 2026 7:21 AM
To: Dang, Quynh H. (Fed) <[email protected]>; TLS List
<[email protected]> Cc: Markku-Juhani O. Saarinen
<[email protected]> Subject: [EXTERNAL] Re: [TLS] Re:
[EXTERNAL] Re: WG Last Call: draft-ietf-tls- mlkem-08 (Ends
2026-07-08)
Hi Quynh,
On 7/8/26 12:57, Dang, Quynh H. (Fed) wrote:
And NSA did not ask us to consider removing the hash.
For transparency and clarity: Are you making this statement as
a participant in the confidential NIST/NSA working group
meetings as part of authoring FIPS 203?
Kind regards, Jacob Appelbaum
Regards, Quynh.
From: Dang, Quynh H. (Fed) Sent: Wednesday, July 8, 2026
6:42 AM To: TLS List <[email protected]> Cc: Markku-Juhani O.
Saarinen <[email protected]> Subject: RE: [EXTERNAL]
[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends
2026-07-08)
Hi all,
See the discussion here about removing the hash of the
message m.
https://gcc02.safelinks.protection.outlook.com/?
url=https%3A%2F%2Fgrou
ps.google.com%2Fa%2Flist.nist.gov%2Fg%2Fpqc-
forum%2Fc%2FWFRDl8DqYQ4%2F
m%2FqmVANi7EAwAJ&data=05%7C02%7Cquynh.dang%40nist.gov%7C27e
432e9a9ac41
68aad008dedce325b9%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C
0%7C639191
065341348557%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRyd
WUsIlYiOiIwL
jAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0
%7C%7C%
7C&sdata=nrQbwjt%2FNOMJAsb43n8djjf6m1ec%2BeAkEKUJSq1gIXQ%3D&
reserved=0
The reason to remove it was that hashing m would be bad,
introduce a cost
for side-channel security implementations (ask Markku for
detail). In addition, we require an approved RBG. If the RBG
of a system is broken, or controlled by the attacker, the
security of the whole system should be assumed to be broken
anyway.
I was a main author of the FIPS 203.
Top level cryptographers know ML-KEM was not back-doored.
Regards, Quynh.
From: Thom Wiggers
<[email protected]<mailto:[email protected]>>
Sent: Wednesday, July 8, 2026 5:52 AM To: Eliot Lear
<[email protected]<mailto:[email protected]>> Cc:
<[email protected]<mailto:[email protected]>>
<[email protected]<mailto:[email protected]>> Subject: [EXTERNAL]
[TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends
2026-07-08)
Hi,
ML-KEM is arguably not backdoorable unless you break the
RNG. Bad RNG is
something that we can't really protect against anyway.
Classic cryptography is also broken if the RNG is busted.
Finally, the TLS key schedule still mixes in all messages from
both sides rendering the point moot for TLS.
On a more instructive point, ETSI's "quantum-safe
enterprise transport
security" (ETSI TS 104 145<https://
gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2F
http://www/.
etsi.org%2F&data=05%7C02%7Cquynh.dang%40nist.gov%7C8a0445ed945f
404f1a
1b08dedd2d61b4%7C2ab5d82fd8fa4797a93e054655c61dec%7C0%7C0%7
C639191384
484950857%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUs
IlYiOiIwLjA
uMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7
C%7C%7
C&sdata=EhOquPsB1E2uZKRWUnBDEZ3K0dxtG8Gg3smMDcFxIa4%3D&reser
ved=0%2Fd
eliver%2Fetsi_ts%2F104100_104199%2F104145%2F01.0
1.01_60%2Fts_104145v010101p.pdf&data=05%7C02%7Cquynh.dang%40n
ist.gov%7C27e432e9a9ac4168aad008dedce325b9%7C2ab5d82fd8fa4797a
93e054655c61dec%7C0%7C0%7C639191065341386930%7CUnknown%7C
TWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJ
XaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=g
gAnSn%2FHdBJ81j13mWw9Z%2FVAH47LG8xEjoNjarVQE0g%3D&reserved=0
, paragraph 5.3.2) relies exactly on generating the
encapsulation seed
deterministically instead of randomly sampling one. This
mainly breaks forward secrecy, which is certainly bad. But
hybrids or not are not relevant to this. In the classic
approach they simply fixed the DH public key of the server,
iirc. Friends don't let friends use ETS.
Cheers,
Thom
Op 8 jul 2026, om 11:35 heeft Eliot Lear
<[email protected]<mailto:[email protected]>>
het volgende geschreven:
Hi!
~~~~Disclaimer I'm not a cryptographer. ~~~~
Please see below. On 08.07.2026 08:04, Viktor Dukhovni
wrote:
On Tue, Jul 07, 2026 at 10:27:56PM -0700, Christian Huitema
wrote:
I just read Jacob Applebaum's message. Given his description
of the
late-standardization suspicious change that looks like a
backdoor in the
ML-KEM specification, I agree with his conclusion. The WG
should not ask for
publication of the current graph, not until the changes
requested by Jacob
are made.
The removal of whitening of the `m` random input to Encaps
is not a
plausible backdoor. If all you have is a broken RNG, you're
free to
apply whitening to obtain a new less bad RNG and use that
instead.
Nothing stops an ML-KEM implementation from hashing some
input (any
number of times, mixing in whatever additional inputs, ...)
to produce
its random values. The abstract algorithm starts from the
final output
of an adequate RNG that requires no further post-processing.
There's nothing suspicious about this simplification. The
critique in
question makes no sense to me. Don't use a broken RNG.
That sounds about right to me, but as someone who is not a
cryptographer,
perhaps someone who is could explain how this amounts to a
back door, and not a requirement for a good PRNG? And if it's
not a back door, should we really relitigate NIST's choices
here?
Eliot
* By "back door", I mean an intentionally placed
undisclosed weakness that
could be exploited by the people who placed it there.
<OpenPGP_0x87B66B46D9D27A33.asc>_______________________________
_______
_________ TLS mailing list --
[email protected]<mailto:[email protected]> To unsubscribe send an
email to [email protected]<mailto:tls- [email protected]>
_______________________________________________ TLS mailing
list -- [email protected] To unsubscribe send an email to tls-
[email protected]
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]