[tptacek]

I find the comparison risible because SIKE is based on an entirely different and novel problem class, and the vibe I get from Bernstein is that he thinks lattice cryptography is alien enough to people who don't work in this space that they'll miss the fact that cryptosystems based on ring-LWE hardness have been worked on by giants in the field since the mid-1990s.

[philodeon]

You seem blind to the obvious corollary to that fact, which is if cryptosystems based on ring-LWE hardness have been worked on by giants for 30 years, then those same cryptosystems have been cryptanalyzed for 30 years, and a significant chunk of cryptanalytic research stays in NSA’s Classified Mathematics Library.

You’ve admitted you were “loudly wrong” when you announced Dual-EC couldn’t be an NSA cryptography backdoor. Snowden let us all know the NSA spends $250 million every year secretly convincing/bribing the private sector to use bad cryptography. Despite that history, you are still convinced there’s no way ML-KEM is an NSA cryptographic backdoor and that all the bizarre procedural errors in the PQ crypto contest are mere coincidences.

[checks my text messages] Lucy just texted me, Thomas. She’s outside waiting for you to kick her football.

[tptacek]

See, this is what I mean; this is the kind of logic Bernstein knows he's engaging with when he writes these things.

[philodeon]

When someone discovers the trick necessary to decrypt ML-KEM in an hour and publishes it in the unclassified sphere, I assume your response will be “hey, I may have been wrong yet again, but at least I wasn’t impudent!”

[tptacek]

Again, to my point: you think the subtext of this post is that someone is going to break module-LWE with a Python script, because, I guess, to you these (module-LWE and supersingular isogenies) are equivalently exotic cryptography primitives. It bothers me that the author of this post is banking on you not understanding the difference here.

You saw a similar thing in Bernstein's earlier railing against the NIST contest (which he participated in), happily whipping up a crowd of people who believed Tancrede Lepoint or Chris Peikert or Peter Schwabe might have been corrupted by NSA, because nobody in that crowd have any idea who those three researchers are.

It's really gross.

[philodeon]

“Module-LWE is not breakable within a Python script” —-Ptacek, 2025

“Apache chunked encoding is not exploitable” —- Dowd, 2002

[tptacek]

I mean, if you're putting me in the same camp as Mark Dowd, I'm flattered.

What I think you're not seeing is that this isn't a SIKE vs. Lattice kind of debate; it's a Curve25519 vs. P-256 kind of debate. P-256 was never broken. Curve25519 made smart engineering decisions that for years foreclosed on some things that were common in-the-real-world implementation pitfalls. P-256 has closed that gap now, but for the whole run of the experience they were both sane choices.

That's a generous interpretation. Another parallel would be Rijndael vs. Serpent, where the Serpent advocates were all "I don't know about this Rijndael stuff seems dicy". Turned out: Rijndael was great.

But Bernstein wants you think that rather than a curve-selection type debate, this is more akin to a "discrete log vs. knapsack" debate. It isn't.