Hello from Kudelski Security. This is super timely, because we recently had to discontinue one of the other only existing Go libraries for quantum-resistant cryptography in Go! Full story at https://research.kudelskisecurity.com/2024/02/01/the-kybersl...
To expand on this: Daniel J Bernstein (of Curve25519 etc fame) has alleged that NIST and/or NSA knows a secret weakness in Kyber and therefore pushed it instead of NTRU. While the allegations are vaguely plausible -- NSA employs some very clever people, and of course they would like to interfere -- the evidence DJB put forth hasn't convinced very many other cryptographers.
There was also an incident a few months back when someone with an NSA email address suggested significant last-minute changes to Kyber on the PQC forum mailing list. These changes had a security flaw, and they were rejected. NSA might still know a different weakness, of course.
Note also that DJB's allegations focus on Kyber-512 being too weak, and this post is about Kyber-768.
I don't think there's a single PQC cryptography researcher other than Bernstein himself (corrections welcome) that takes the claims he made seriously, and one of the basic mathematical arguments he made may have been refuted, two messages down in the mailing list thread, by Chris Peikert.
I appreciate the follow-up. I read the long DJB page but never saw any follow-up; to be fair I wasn't directly looking for any. In either case it's great to know the allegations don't apply to Kyber-768 and up (and great there's a Golang implementation now!).