Sophie Schmieg

Leading cryptography (ISE Crypto) at Google.

Opinions my own.

Content usually badly explained mathematics

Profession: cryptography engineer
Hobby: Kerbal Space Program
Hobby: Lego
Hobby: Factory Sim Games
2025-12-02
2025-12-01

I added a few more questions at the end of the blog post, to address some things that people asked about: what about downgrade attacks, what are the motivations of the NSA to buck the trend, and more on backdoors: how would you add them, and are these really the only options for a backdoor?

2025-12-01

@catsalad you are really leaning into that Fae thing today, aren't you?

2025-12-01

@michael_w_busch but what if they are – hear me out – weather balloons launched by aliens?

/s (in case it wasn't obvious)

2025-12-01

@catsalad I always suspected you of being Fae, now I have confirmation.

Sophie Schmieg boosted:
mekka okereke (@mekkaokereke@hachyderm.io)
2025-11-30

I can't believe we're starting a new oil war in the decade of solar and EVs. We really are stuck in the 1950s, unable to evolve to tomorrow.

It would be funny if real people weren't going to be hurt over this.

All war is bad. Civilians get hurt the most. Mostly children.

And don't bother coming in my mentions on some "Support our troops!🤡" Jingoistic nonsense. I'm immune to that.

I hire more veterans than you do. I support more unhoused vets than you do. I destigmatize vets getting mental health support, and advocate for suicide prevention more than you do.

hachyderm.io/@mekkaokereke/109

2025-11-29

@raito thank you for asking with curiosity!

Sophie Schmieg boosted:
GhostOnTheHalfShell (@GhostOnTheHalfShell@masto.ai)
2025-11-29

Brewing school of Chicago moving to Canada because international students can’t get in the US

youtu.be/AboUY5BTsOQ

2025-11-29

@raito the idea is that once you have cryptographically relevant quantum computers, the elliptic curve part is just dead weight. Now it's a question of when that will be, but in the end, an industry standard is just the industry aligning on how to do a certain thing, so if enough of the industry wants it, they need to align on a standard, and enough of the industry wants to sell to the US military.

One point that I didn't make in the blog post is going more deeply into the reasoning behind the NSA's insistence against hybrids, at least their public reasoning, which cites basically two concerns:
A) they are afraid of the combinatorial explosion that happens when every key exchange algorithm can be combined with every other key exchange algorithm. We've managed to avoid this in TLS, but looking at LAMPS and PGP WG drafts/RFCs, this is definitely a reasonable concern.
B) and this is the more important one here, the NSA wants to project confidence in lattice-based cryptography. In a sense they want to say that they trust lattice cryptography so completely that they do not need the additional defense in depth coming from hybrids, in order to hasten the adoption of PQC.
Those two motivations pretty much explain all of the NSA's actions and guidance, from their dislike of hybrids to their dislike of SLH-DSA.

Basically, hybrids are a really good defense in depth mechanism, unless you have an army of mathematicians that have analysed lattice cryptography and you want to signal to the world that you trust it, in which case hybrids make it sound like you doubt lattices.

2025-11-29

@raito mostly because it is not an unreasonable choice, and will be needed sooner or later anyways, so you might as well do it right.
In the end, several companies want to sell to the US military, which has to follow NSA recommendations, and they need a standard, whether it's written down or not.

2025-11-28

Sometimes I hate living on the West Coast. Should have stayed up until after midnight, I guess.

Screenshot of the LEGO homepage, showing the U.S.S. Enterprise model, which became available today, already being on backorder at 7:30 in the morning.
2025-11-28

@david_chisnall @rsalz power side channels for ML-KEM are a pretty big problem, as far as I know, and it's not clear we have the right tools to prevent those yet. Timing is straightforward to deal with using standard techniques, thankfully.

Sophie Schmieg boosted:
2025-11-28

@EverydayMoggie @mekkaokereke Yeah, right on. My family doesn’t know how to not talk politics. But it doesn’t drive us apart because we all hate racism and sexism and all that shit and we all try to live our values.

Sophie Schmieg boosted:
mekka okereke (@mekkaokereke@hachyderm.io)
2025-11-28

Today is the special day when all of y'all that pretend that you don't know how many Trump voters are in states like California and New York, do everything that you possibly can to "not talk politics at Thanksgiving," so that you can get back on here on Monday and try to lie to me again! 🤡

2025-11-28

@skinnylatte literally the most obvious thing to celebrate if you have a society based on farming. In German it's called Erntedankfest – Harvest Gratitude Festival.

2025-11-28

@m and that has to do with cryptographic algorithms exactly what?

Sophie Schmieg boosted:

My only rule of cryptography is “If @sophieschmieg says an algorithm is ok then it’s ok” and ML-KEM is OK: keymaterial.net/2025/11/27/ml-

(Yes, yes, fine, I have *two* rules of cryptography, but the other rule is “never implement cryptographic algorithms, you’ll screw it up”, and that’s a freebie because it should be pretty much everyone’s First Rule Of Cryptography)

2025-11-28

@m What other types of backdoor do you want? Everything that isn't NOBUS is just known as a broken algorithm, not a backdoor.
