DJB has for years claimed anyone who disagrees with him is affiliated with the NSA. See for example this post as part of the NIST-PQC competition
https://blog.cr.yp.to/20220805-nsa.html
> Some people seem to be unable to rationally consider the possibility that NSA is sabotaging post-quantum cryptography. I've heard people saying, for example, that submissions to the NIST Post-Quantum Cryptography Standardization Project (NISTPQC) were publicly designed and evaluated by top experts, and that NSA can't have bribed the submission teams. > > Let's look at the facts.
Note that the authors of ML-KEM are overwhelming European.
DJB did not claim that there exists any weakness in ML-KEM or that NSA had anything to do with ML-KEM.
He just pointed that the predecessor of ML-KEM (SIKE) has already been broken. Because ML-KEM is also very new, there is a non-negligible probability that it will also be broken in a few years.
It is very simple to guard against this, by using both ML-KEM and the currently used elliptic-curve Diffie-Hellman algorithm.
ML-KEM is much more expensive than the current algorithm, so using both does not increase much the cost.
I do not see any flaw in his arguments, while anyone who says that ML-KEM should be used alone is making a bet for which there exists no justification, i.e. the risk is extremely high and the reward is extremely low.
In cryptography bets must be done only when the odds are extremely favorable, which is not the case for the proposal criticized by DJB.
I recommend reading this perspective
https://mailarchive.ietf.org/arch/msg/tls/SXo4iVmp0ng_vi57ce...
Also, https://keymaterial.net/2025/11/27/ml-kem-mythbusting/
ML-KEM is not "very new" compared to the age of other algorithms historically deployed.
SIKE is a completely different scheme based on completely different hardness assumptions from a completely different area of math. It is just as sensible to call elliptic curve cryptography to be a predecessor to ML-KEM. Nobody would do that.
The hardness assumption from ML-KEM is from 2005 (in teh algebraically unstructured case. The biggest speedup known due to algebraic structure is ~3 bits, e.g. 8x speed improvement). It has taken exponential time to attack since then. Instantiating a standard ~20 years after introduction is slower than what we did with RSA, or with elliptic curve cryptography.
Therea re settings where hybrids are not free, for example hardware. The standard hybrid suggestion (XWING) would require hardawre to implement both SHA2 and SHA3. See this recent TLS WG post detailing this
https://mailarchive.ietf.org/arch/msg/tls/_9i3uIVDQ3pDRswpm9...