by philodeon 248 days ago
ML-KEM and SIKE were both candidates in the PQ competition which ML-KEM won. SIKE was considered such a strong contender that it was used in production TLS experiments at scale by Google and Cloudflare. (I guess you didn’t read past the second paragraph?)

You find it offensive now to compare ML-KEM and SIKE because SIKE was so thoroughly broken and demonstrated to be worse than pre-quantum crypto. But ML-KEM may already be broken this thoroughly by NSA and friends, and they’re keeping it secret because shipping bad crypto to billions of people enables SIGINT. The idea that your professional crypto acquaintances might be on the NSA’s payroll clearly disturbs you enough that you dismiss it out of hand.

Bernstein is proposing more transparency because that is what was promised after the Dual-EC debacle. Do you disagree with Bernstein because he advocates for transparency (which could prevent bad crypto shipping), or because of his rhetorical style?


I find the comparison risible because SIKE is based on an entirely different and novel problem class, and the vibe I get from Bernstein is that he thinks lattice cryptography is alien enough to people who don't work in this space that they'll miss the fact that cryptosystems based on ring-LWE hardness have been worked on by giants in the field since the mid-1990s.

You seem blind to the obvious corollary to that fact, which is if cryptosystems based on ring-LWE hardness have been worked on by giants for 30 years, then those same cryptosystems have been cryptanalyzed for 30 years, and a significant chunk of cryptanalytic research stays in NSA’s Classified Mathematics Library.

You’ve admitted you were “loudly wrong” when you announced Dual-EC couldn’t be an NSA cryptography backdoor. Snowden let us all know the NSA spends $250 million every year secretly convincing/bribing the private sector to use bad cryptography. Despite that history, you are still convinced there’s no way ML-KEM is an NSA cryptographic backdoor and that all the bizarre procedural errors in the PQ crypto contest are mere coincidences.

[checks my text messages] Lucy just texted me, Thomas. She’s outside waiting for you to kick her football.

See, this is what I mean; this is the kind of logic Bernstein knows he's engaging with when he writes these things.

When someone discovers the trick necessary to decrypt ML-KEM in an hour and publishes it in the unclassified sphere, I assume your response will be “hey, I may have been wrong yet again, but at least I wasn’t impudent!”

Again, to my point: you think the subtext of this post is that someone is going to break module-LWE with a Python script, because, I guess, to you these (module-LWE and supersingular isogenies) are equivalently exotic cryptography primitives. It bothers me that the author of this post is banking on you not understanding the difference here.

You saw a similar thing in Bernstein's earlier railing against the NIST contest (which he participated in), happily whipping up a crowd of people who believed Tancrede Lepoint or Chris Peikert or Peter Schwabe might have been corrupted by NSA, because nobody in that crowd has any idea who those three researchers are.

It's really gross.

“Module-LWE is not breakable within a Python script” — Ptacek, 2025

“Apache chunked encoding is not exploitable” — Dowd, 2002