2006's NSA is not 2026's NSA

The NSA isn't DJB's oppositiom here. It's the majority of the international community of cryptography experts.

Your claim does not match the reality, because at the previous IETF meeting most have voted like DJB.

I cannot see how any true "expert" would have the courage to claim that in a cryptography standard it is admissible to accept risks that cannot be quantified.

For the variant supported by DJB there are no risks, while for the variant supported by NSA nobody can estimate the risks.

It is as simple as this, so it is weird that there are people arguing about a decision that should have been non-controversial.

all cryptographic risks cannot be quantified. Every cryptographer knows this. It is consistent with everything we know that oneway functions do not exist, and cryptography as a field is limited to things like Merkle Puzzles/things that are secure under physical assumptions (e.g. the wiretap channel).

The variant DJB suggests there are explicit risks. For example

1. both ECC and ML-KEM can be broken (obviously)

2. additional code complexity could increase the LoC of teh crypto implementation, making it more plausible there are implementation bugs

regardless, this is a red herring. Nearly all cryptographers still support hybrids!!! The current RFC is *not* about "use pure ML-KEM". It is instead about "if you're going to use pure ML-kem (and we explicitly recommend not doing so), here is how to do it in a standardized way".

The people arguing about this decision don't even know what the decision being made is in the first place.

it is easy to point to ghosts in the corner. Random fearmongering is not a technical argument though. There have been no technical arguments to justify the random fearmongering. Pointing to prior behavior in a way that is inconsistent with the current situation is especially annoying fearmongering.

The “technical arguments” are documented here: https://blog.cr.yp.to/20260221-structure.html

And those technical arguments are quite thorough, covering both the pro and the contra arguments.

That document is nonsense? The current RFC is not to say

> use pure ML-KEM > hybrid ML-KEM.

the current document is instead to say

> If you are in a setting where you REALLY want to use pure ML-KEM (though we explicitly recommend you do not do it), this is the standard you would implement against.

It is also technically inaccurate. The whole argument hinges on it being negligible cost in all environments to do hybrids. This is explicitly false. See this message on the TLS-WG on explicitly this point

https://mailarchive.ietf.org/arch/msg/tls/_9i3uIVDQ3pDRswpm9...

A large list of pros/cons detailing a question that isn't being debated that is technically inaccurate is what I would expect from an LLM, not from a competent cryptographer. I am unsurprised to see it from DJB given his behavior in the last decade regarding PQC.