All cryptographic risks cannot be quantified. Every cryptographer knows this. It is consistent with everything we know that one-way functions do not exist, and cryptography as a field is limited to things like Merkle Puzzles/things that are secure under physical assumptions (e.g. the wiretap channel).

The variant DJB suggests there are explicit risks. For example

1. both ECC and ML-KEM can be broken (obviously)

2. additional code complexity could increase the LoC of the crypto implementation, making it more plausible there are implementation bugs

Regardless, this is a red herring. Nearly all cryptographers still support hybrids!!! The current RFC is *not* about "use pure ML-KEM". It is instead about "if you're going to use pure ML-KEM (and we explicitly recommend not doing so), here is how to do it in a standardized way".

The people arguing about this decision don't even know what the decision being made is in the first place.
