I’m very confused by this whole crusade of yours. What does “defense in depth” mean formally? I can’t help but read it as “arbitrary extra steps of questionable value”. There are likely many such steps that could be added to any cryptographic protocol. It’s unclear to me the value of any of them.

Does hashing yield a tighter advantage bound anywhere? Or can we quantify the benefit of additional computation here in any way? If not, then why should we consider adding in arbitrary steps of questionable value? 

I’m also deeply confused by your references to the approx SIVP reduction. Has this been used for ML-KEM? Note that by this I mean the concrete question of whether

1. Approx SIVP has been worst-case cryptanalyzed, and then
2. The estimates from that worst-case cryptanalysis have been shoved through such a reduction, and then
3. The resulting parameters were used for ML-KEM. 

If this happened, and the reduction was highly non-tight, the resulting ML-KEM instance could be easily attacked. That would be concerning. 

Fortunately, it never happened. So I do not see why we should care. Even if we had a tight reduction, it’s not clear what the worst case hard instances of approx SIVP look like outside of the NP hard regime. So we probably would need to average case cryptanalyze it anyway. And then what’s the point?

Note that if for some reason you have a personal predilection for worst-case hardness, there are reductions of improved tightness by Aggarwal et al. 

Again, I do not think any of this discussion is relevant to this mailing list. But to the extent to which it is being discussed, it is out of date with the current literature. 

Sent from my iPhone

On Jul 13, 2026, at 4:16 PM, Jacob Appelbaum <[email protected]> wrote:

Hi Paul,

On 7/13/26 17:02, Paul Wouters wrote:
On Mon, 13 Jul 2026, Jacob Appelbaum wrote:
It is not a red herring against pure ML-KEM. ML-KEM is not broken.
I'm glad to hear you think this,

Yes. My objection is not that ML-KEM's lattice problem is broken. I have
not claimed there is a backdoor but my statements were twisted in any case.

I do worry about some of the provable security claims. For example,
Neal Koblitz, Subhabrata Samajder, Palash Sarkar, and Subhadip Singha's
2022 paper [0] says in its abstract:

 "We give a concrete analysis of this multi-step reduction. We find
  that the tightness gap in the reduction is so great as to vitiate
  any meaningful security guarantee, and we find reasons to doubt the
  feasibility in the foreseeable future of the quantum part of the
  reduction. In addition, when we make the reduction concrete it
  appears that the approximation factor in the SIVP problem is far
  larger than expected, a circumstance that causes the corresponding
  approximate-SIVP problem most likely not to be hard for proposed
  cryptosystem parameters.
  We also discuss implications for systems such as Kyber and SABER that
  are based on module-DLWE."

I would be interested to know whether the authors have changed their
minds, or whether their analysis received a published response that
addresses the core concerns of the 2022 paper. People involved with
NIST's PQC process know about this paper and I do not believe that they
have ever addressed it. Literature about this is most welcome.

Again, I am not claiming that ML-KEM lattice security is practically
broken, and I am not making a negative lattice-security claim here. I am
saying that the proof landscape does not make me _more_ comfortable with
removing a very simple defense-in-depth strategy that survived
three NIST PQC rounds, that was added to address this type of issue, and
yet the removal was not identified as a security problem.

My main issue remains the protocol consequence of NIST removing Kyber's
hash over `m`. The pushback against restoring that hash does not seem
proportional, especially when the TLS draft does not itself impose the
approved-RBG conditions that FIPS 203 used to justify removing it. The
absence of both the hash and the approved-RBG requirement is unreasonable.

I agree that both ML-KEM drafts should get equal treatment.
I'm glad to hear you say this.

I realize that you may perceive me as being difficult, so I am glad that
you are glad. My goal here is straightforward and I believe that they
are compatible with our mutual cypherpunk sensibilities as I remember
them: strong cryptography, safe defaults, and fewer avoidable footguns.
The hashing change is wire-compatible with a peer that decapsulates
normally, and no peer will know whether you are hashing it anyway unless they know something about your random bytes that you probably do not know yourself.

The equal treatment should be to restore the Kyber hash in both drafts.
I don't think that is an option in MLKEM drafts. It could be an option in a Kyber draft if you submit that.

If restoring the hash is "not an option" in an ML-KEM draft, then that
is exactly one major problem that I am raising. Who decides the options?
We don't have consensus, so why can't we change the options on the table?

A generic warning about randomness does not restore the defense-in-depth
property that Kyber had. It leaves the NIST change intact and leaves
`m` recoverable by the decapsulating peer as raw output from whatever
RBG/DRBG construction is used.

If the WG cannot or will not restore Kyber's hash while still calling
the result ML-KEM, then the draft should say that clearly. Or is
mentioning this entire line of thinking also not an option? Either way
the draft should not pretend that generic RNG advice addresses the same
issue. This is not an entropy issue; it is a hidden-structure issue.
NIST removed a hidden-structure mitigation. That is much harder to wave
away than TLS as a protocol not having defense-in-depth everywhere. One
looks like an oversight; the other was a deliberate change.

The sentence added would be about using good strong random, not about adding a hash. If as part of good strong random, an implementer feels the need to run a hash over RDRAND() or whatever OS source you are using, implementers can decide to do so on their own. It would be generic advise and apply to all parts that need randomness.

That is not sufficient.

Of course implementers should use good randomness. The specific issue is
that ML-KEM `m` is recoverable by the decapsulating peer. If `m`
preserves hidden structure from the sender's random-generator output,
then the peer may get an oracle on that state. Hashing `m` before
encapsulation destroys that structure.

Leaving this to each implementer is exactly how the defense-in-depth
property gets lost and this is how users come into harm's way. Some
implementations will restore the hash, some will not, and some will not
know about the issue at all. I understand that some implementers may
believe their entire hardware and software randomness stack is audited,
correct, and safe against this threat model. Fine. There are no protocol
police. But IETF guidance is not only for those implementers. It is also
for everyone else, right?

The lack of humility around this class of attack is not credible.
Dual_EC_DRBG is not imaginary history. Bouncy Castle's Java provider
ships and has shipped a Dual_EC_DRBG implementation with the NIST
standardized parameters in versions I have checked, and it also ships
ML-KEM. To be clear: Dual_EC_DRBG is not the default DRBG there. But its
continued presence is a reminder that "nobody would ever do that" is not
a serious security argument. It should be removed, and downstream
packages should remove it too and yet we see this:

- https://downloads.bouncycastle.org/java/docs/bcprov-jdk15to18-javadoc/
index.html?org/bouncycastle/jcajce/provider/asymmetric/MLKEM.html

- https://downloads.bouncycastle.org/java/docs/bcprov-jdk15to18-javadoc/
org/bouncycastle/crypto/prng/drbg/DualECSP800DRBG.html

- https://downloads.bouncycastle.org/java/docs/bcprov-jdk15to18-javadoc/
org/bouncycastle/crypto/prng/drbg/DualECPoints.html

Notably DualEC is it not listed in their deprecated list:
- https://downloads.bouncycastle.org/java/docs/bcprov-jdk15to18-javadoc/deprecated-list.html

This discussion also reminds me of discussions before and after MUSCULAR
[1][2]. Yahoo! and Google engineers were surprised to learn that GCHQ
and NSA were tapping internal backbones after those companies had
already appeared in PRISM reporting. The lesson was not that the public
cryptography was broken. The lesson was that large-scale adversaries
exploit whatever gap remains or as NSA phrased it: "SSL added and
removed here :-)" The right response is to close gaps
when we see them especially when they're cheap. It does not get much
cheaper than restoring Kyber's hash.

The IETF's publications gives important advice to large companies
selling FIPS-certified products to the USG, also to Free Software
projects running on hardware that users cannot meaningfully verify, and
to many kinds of systems in between. Some systems have had
serious RNG, firmware, or hardware trust issues, including examples such
as Cavium [3]. We do not need to design for the worst possible machine
in every respect. But we should not reject a cheap defense-in-depth step
when the failure mode is exactly historical cryptographic sabotage. The
Cavium story is an important one, and it is ignored almost entirely by
people pretending this isn't a real class of issues.

Should we discuss that as a case study in detail? It is pretty much the
most obvious smoking gun sitting on the table for over a decade, still
smoking, and still relevant.

So the technical question remains: what is the security reason to reject
restoring Kyber's hash over `m`?

If the answer is only "then it is no longer ML-KEM as specified by
NIST", that is a naming or conformance answer, not a security answer. We
are not discussing draft-ietf-tls-fips-certified-mlkem-08, right?

If you read one report with leaked NSA documents beyond PROJECT BULLRUN
and the black budget reporting [7][8][9], I strongly encourage you to
read about SENTRY EAGLE [4][5][6]. This is not a "conspiracy theory"
frame than an NSA term of art. It is documented history about corporate
partnerships, access, and cryptographic exploitation. That history is
why some of us insist on cheap, conservative defenses when the cost is a
hash call. The term of art by the way for the "conspiracy theory" notion
as shown in SENTRY EAGLE is Corporate Partnership. That is not even a
joke - that is just how the sausage is made.

We should discuss hardware concerns in detail, but restoring
the hash over `m` is the immediate issue.

Kind regards,
Jacob Appelbaum

P.S.

I covered some of this topic in my PhD thesis [10], Chapter 4. Check the
footnotes carefully. Thanks again to Edward Snowden for blowing the whistle on PROJECT BULLRUN and SENTRY EAGLE [4][5][6].

[0] https://eprint.iacr.org/2022/275.pdf

[1] https://www.washingtonpost.com/world/national-security/nsa-
infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-
documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

[2] https://dcssproject.net/muscular/index.html

[3] https://www.computerweekly.com/news/366552520/New-revelations-from-
the-Snowden-archive-surface

[4] https://theintercept.com/2014/10/10/core-secrets/

[5] https://snowden.xsurveillance.site/items/show/992

[6] https://www.wired.com/2014/10/nsa-may-undercover-operatives-foreign-
companies-new-documents-show/

[7] https://www.washingtonpost.com/world/national-security/black-budget-
leaked-by-edward-snowden-gives-details-of-agencies-beyond-cia-
nsa/2013/08/29/a7f20890-10f0-11e3-bdf6-e4fc677d94a1_story.html

[8] https://www.washingtonpost.com/news/wonk/wp/2013/08/29/your-cheat-
sheet-to-americas-secret-intelligence-budget/

[9] https://web.archive.org/web/20130831140612/http://
www.washingtonpost.com/world/national-security/black-budget-summary-
details-us-spy-networks-successes-failures-and-
objectives/2013/08/29/7e57bb78-10ab-11e3-8cdd-bcdc09410972_story.html

[10] https://research.tue.nl/en/publications/communication-in-a-world-
of-pervasive-surveillance-sources-and-me/

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to