ML-KEM Mythbusting
A comprehensive debunking of conspiracy theories and misconceptions surrounding ML-KEM, NIST's post-quantum cryptography standard. The author, involved in the standardization process, addresses claims about NSA involvement, backdoors, security vulnerabilities, and IETF hybrid implementations. Key points include mathematical proof that ML-KEM's parameter space is too small to hide backdoors (34 bits vs required 128 bits), clarification that Kyber's transition to ML-KEM involved minimal editorial changes approved by original authors, and explanation of why fault attacks and decryption failures are either implementation issues or statistically negligible. The piece also covers the TLS hybrid debate, explaining that X25519MLKEM768 is the de facto standard used by browsers, while MLKEM1024 exists primarily for NSA requirements.
Table of contents
What is this?
Did the NSA invent ML-KEM?
Okay, but that was Kyber, not ML-KEM, did the NSA change Kyber?
Okay, but what about maybe there still being a backdoor?
But didn’t NIST fail basic math when picking ML-KEM?
I thought ML-KEM was broken, something about a fault attack?
But what about decryption failure attacks? Those sound scary!
But wasn’t there something called Kyberslash?
Okay, enough about ML-KEM, what about hybrids and the IETF?
But doesn’t the IETF actively discourage hybrids?