FRESH

Hacker News

Home

ML-KEM Mythbusting

41 points by durumcrustulum

by ysleepy

1 subcomments

Still, why endorse and practically make everyone implement an algorithm that only the NSA wants, while there is a superset already standardised.
This is about the known bad actor NSA forcing through their own special version of a crypto building block they might downgrade-attack me to.
I pay like 1% overhead to also do ecc, and the renegotiation to the non-hybrid costs 2x and a round-trip extra. This makes no sense apart from downgrade attacks.
If it turns out ecc is completely broken, we can add the PQ only suite then.

by digitalPhonix

0 subcomment

> Well it turns out there is one customer who really really hates hybrids, and only wants to use ML-KEM1024 for all their systems. And that customer happens to be the NSA. And honestly, I do not see a problem with that.
Isn’t the problem (having only read a little about the controversy) that the non-hybrid appears to be strictly worse, except for the (~10%) decrease in transmission size; and that no one has articulated why that’s a desirable tradeoff?
On the face of it, I don’t see a problem with the tradeoff (both ways, that is) choice existing. I expect smarter people than me to have reasons one way or the other but I haven’t seen a reason for saving bandwidth that could articulate the concrete use case that it makes a difference.
> There is no backdoor in ML-KEM, and I can prove it. For something to be a backdoor, specifically a “Nobody but us backdoor” (NOBUS), you need some way to ensure that nobody else can exploit it, otherwise it is not a backdoor, but a broken algorithm
Isn’t a broken algorithm also a valid thing for NSA/whoever to want?
Them saying they want to use it themselves doesn’t actually mean much?

by sebstefan

0 subcomment

>much in line with my reasoning, 0x11EC is the default key exchange algorithm used by Chrome, Firefox, and pretty much all other TLS clients that currently support PQC. So what’s the point of MLKEM1024? Well it turns out there is one customer who really really hates hybrids, and only wants to use ML-KEM1024 for all their systems. *And that customer happens to be the NSA.* And honestly, I do not see a problem with that.
...Really, you don't? I can hardly imagine anything more suspicious
>the US plans to use ML-KEM themselves, [a “Nobody but us backdoor”] would be the only backdoor they could reasonably insert into a standard.
Is that really convincing
And secondly, would we really know in advance? They can say that and then just use X25519MLKEM768 exclusively for stuff that matters.
I'm convinced they would love a broken algorithm in the IETF standard.

by contact9879

0 subcomment

thanks sophie. now if only this would get as many eyeballs as the inciting one
sigh

by westurner

1 subcomments

From https://news.ycombinator.com/item?id=45743372 re: the Cloudflare Merkle Tree draft:
> Problem is PQ signatures are large. If certificate chain is small that could be acceptable, but if the chain is large, then it can be expensive in terms of bandwidth and computation during TLS handshake. That is the exchange sends many certificates which embed a signature and a large (PQ) public key.
> Merkle Tree Certificates ensures that an up to date client only needs 1 signature, 1 public key, 1 merkle tree witness.
> Looking at an MTC generated certificate they've replaced the traditional signing algorithm and signature with a witness.
> That means all a client needs is a signed merkle root which comes from an expanding Merkle Tree signed by the MTCA (Merkle Tree CA), which is delivered somehow out of band.
From "Keeping the Internet fast and secure: introducing Merkle Tree Certificates" (2025-10) https://blog.cloudflare.com/bootstrap-mtc/ :
> The central problem is the sheer size of these new algorithms: signatures for ML-DSA-44, one of the most performant PQ algorithms standardized by NIST, are 2,420 bytes long, compared to just 64 bytes for ECDSA-P256, the most popular non-PQ signature in use today; and its public keys are 1,312 bytes long, compared to just 64 bytes for ECDSA. That's a roughly 20-fold increase in size. Worse yet, the average TLS handshake includes a number of public keys and signatures, adding up to 10s of kilobytes of overhead per handshake. This is enough to have a noticeable impact on the performance of TLS.
Are ML-KEM certs impractically large too?