mswphd's comments

mswphd · 2026-04-08T19:07:59 1775675279

you could do something like rent GPU time yourself, and use it to run a higher-quality local model (e.g. one of the Chinese "close to frontier" ones). Not guaranteed to preserve privacy of course, but it at least avoids directly sending the data to OpenAI/Anthropic.

embedding-shape · 2026-04-09T14:30:41 1775745041

I couldn't, as this is essentially handing over the most private I have, to 3rd parties. Don't really care about what country they're based in, it's not a possibility.

mswphd · 2026-04-07T20:46:17 1775594777

there are no meaningful questions. The only way there are meaningful questions is if you think global cryptographers + governments are part of a cabal to build insecure schemes. The new schemes use

1. cryptography developed across the world, 2. the actual schemes were overwhelmingly by European authors 3. standardized by the US 4. other countries standardizations have been substantially similar (e.g. the ongoing Korean one, the German BSI's recommendations. China's CACR [had one with substantially similar schemes](https://www.sdxcentral.com/analysis/china-russia-to-adopt-sl...). Note that this is separate from a "standardization", which sounds like it is starting soon).

In particular, given that China + the US ended up with (essentially the same) underlying math, you'd have to have a very weird hypothetical scenario for the conclusion to not be "these seem secure", and instead "there is a global cabal pushing insecure schemes".

mswphd · 2026-04-07T20:40:48 1775594448

you don't really need that tbh. you can get pretty good speedups using standard (vector) intrinsics. the new algorithms are (mostly) modular linear algebra (+ some concept of "noise").

mswphd · 2026-04-07T20:38:23 1775594303

they are much more thoroughly vetted than other schemes. They're more thoroughly vetted than elliptic curves were before we deployed them. Much more vetted than RSA was ever.

Practically though, there are some downsides. Elliptic curves tend to have smaller ciphertexts/keys/signatures/so are better on bandwidth. If you do everything right with elliptic curves, we're also more confident in the hardness of the underlying problems (cf "generic group lower bounds", and other extensions of this model).

The new algorithms tend to be easier to implement (important, as a big source of practical insecurity is implementation issues. historically much more than the underlying assumption breaking). This isn't uniformly, e.g. I still think that the FN-DSA algorithm will have issues of this type, but ML-DSA and ML-KEM are fine. They're also easier to "specify", meaning it is much harder to accidentally choose a "weak" instance of them (in several senses. the "weak curve" attacks are not really possible. there isn't really a way to hide a NOBUS backdoor like there was for DUAL_EC_DRBG). They also tend to be faster.

mswphd · 2026-04-07T20:33:58 1775594038

they're almost assuredly talking about two things (maybe 3 if they really know what they're talking about, but the third is something that people making this argument like to pretend doesn't exist).

1. the main "eye catching" attack was the [attack on SIDH](https://eprint.iacr.org/2022/975.pdf). it was very much a "thought to be entirely secure" to "broken in 5 minutes with a Sage (python variant) implementation" within ~1 week. Degradation from "thought to be (sub-)exp time" to "poly time". very bad.

2. the other main other "big break" was the [RAINBOW attack](https://eprint.iacr.org/2022/214.pdf). this was a big attack, but it did not break all parameter sets, e.g. it didn't suddenly reduce a problem from exp-time to poly-time. instead, it was a (large) speedup for existing attacks.

anyway, someone popular among some people in tech (the cryptographer Dan Bernstein) has been trying (successfully) to slow the PQC transition for ~10 years. His strategy throughout has been complaining that a very particular class of scheme ("structured LWE-based schemes") are suspect. He has had several complaints that have shifted throughout the years (galois automorphism structure for a while, then whatever his "spherical models" stuff was lmao). There have been no appreciable better attacks (nothing like the above) on them since then. But he still complains, saying that instead people should use

1. NTRU, a separate structured lattice scheme (that he coincidentally submitted a scheme for standardization with). Incidentally, it had [a very bad attack](https://eprint.iacr.org/2016/127) ~ 2016. Didn't kill PQC, but killed a broad class of other schemes (NTRU-based fully homomorphic encryption, at least using tensor-based multiplication)

2. McCliece, a scheme from the late 70s (that has horrendously large public keys --- people avoid it for a reason). He also submitted a version of this for standardization. It also had a [greatly improved attack recently](https://eprint.iacr.org/2024/1193).

Of course, none of those are relevant to improved attacks on the math behind ML-KEM (algebraically structured variants on ring LWE). there have been some progress on these, but not really. It's really just "shaving bits", e.g. going from 2^140 to 2^135 type things. The rainbow attack (of the first two, the "mild" one) reduced things by a factor ~2^50, which is clearly unacceptable.

Unfortunately, because adherents of Dan Bernstein will pop up, and start saying a bunch of stuff confidently that is much too annoying to refute, as they have no clue what the actual conversation is. So the conversation becomes

1. people who know things, who tend to not bother saying anything (with rare exceptions), and 2. people who parrot Dan's (very wrong at this point honestly, but they've shifted over time, so it's more of 'wrong' and 'unwilling to admit it was wrong') opinions.

the dynamic is similar to how when discussions of vaccines on the internet occur, many medical professionals may not bother engaging, so you'll get a bunch of insane anti-vax conspiracies spread.

tptacek · 2026-04-07T22:48:17 1775602097

For whatever it's worth I think I cosign all of this.

sophacles · 2026-04-08T02:11:58 1775614318

In the context of: a green username offering some salacious/conspiratorial things about djb around a topic I'm only a little familiar with... Its worth a lot. Its the difference between me writing it off as (at best) a poorly informed misunderstanding of a complex topic, and me choosing to spend some time learning more. Ty

tptacek · 2026-04-08T02:17:55 1775614675

None of this is really salacious or conspiratorial. I don't know how big a deal the attacks they're citing are. But this is directionally mostly stuff I've heard from lots of cryptography engineers over the last couple years. I know the comment is off comparing attacks on classical NTRU to SNTRUP though!

sophacles · 2026-04-08T02:35:47 1775615747

As someone way out of the loop on pqc, this bit:

> anyway, someone popular among some people in tech (the cryptographer Dan Bernstein) has been trying (successfully) to slow the PQC transition for ~10 years

Sounds enough like throwing shade to make me doubt it's value, in absence of other signals.

My point was your history of posting knowledgeably about security and cryptography provides the credibility for me to go do more reading about the stuff in mswphd's post.

tptacek · 2026-04-08T02:37:43 1775615863

Oh, Bernstein is a vocal and relentless opponent of MLKEM. Both the industry and research cryptography have settled on MLKEM. That's the subtext. You could word it differently and more charitably, but I wouldn't.

sophacles · 2026-04-08T02:03:51 1775613831

Ty for the info. This is interesting and provides a lot of things I can go down rabbit holes looking into.