November 28, 2025
Backdoors, Bandwidth, and Big Feelings
ML-KEM Mythbusting
Mythbust: No secret lock, commenters shout 'NSA sus' & 'too slow'
TLDR: The author says ML-KEM isn’t an NSA creation and explains why a secret backdoor doesn’t fit the math. Commenters split between performance worries about big post‑quantum signatures and distrust of NSA influence, turning a crypto explainer into a showdown of speed, trust, and internet safety.
The mythbuster drops a nerd-bomb: ML-KEM (a new way to lock your data against future quantum hacks) wasn’t invented by the NSA, and the tweaks from the original Kyber design were tiny—basically removing an extra key-stretch step to speed things up. The punchline: there’s no hidden “NOBUS” backdoor (“Nobody But Us”), because the knobs you could secretly tune don’t have enough randomness. The author even quips that a 34-bit “public key” would be weekend-brute-force material for a laptop. Cue the comments, and the mood is split. One user sighs that truth gets fewer clicks than conspiracy: “where’s the drama?” Meanwhile, performance hawks wave the Cloudflare TLS draft, complaining that post‑quantum signatures are chunky and could slow the web during the handshake, spawning memes like “quantum is coming, but my CPU is crying.”
Then the spice kicks in: skeptics accuse a “known bad actor” (the NSA) of pushing their pet version and worry about forced adoption and downgrade attacks. Others counter: the US plans to use ML-KEM themselves—why booby‑trap your own locks? The thread devolves into Team Math vs Team Suspicion: trust the open process and the cryptographers, or trust no one and keep ECC (old-school crypto) around “for 1% overhead.” The vibes: less cloak‑and‑dagger, more bandwidth‑and‑battery.
Key Points
- ML-KEM originates from Kyber, developed by European cryptographers; the NSA did not invent it.
- Differences between Kyber and ML-KEM are minor editorial changes, with a notable removal of Kyber’s KDF step.
- The KDF removal was suggested by Kyber co-author Peter Schwabe to avoid redundant KDF usage and improve performance without impacting security.
- A NOBUS backdoor would require embedded high-entropy public parameters (≥128 bits); ML-KEM’s parameter space totals about 34 bits.
- Given the low parameter entropy, ML-KEM cannot feasibly include a NOBUS-style backdoor; at worst it would be an openly breakable algorithm.