When someone discovers the trick necessary to decrypt ML-KEM in an hour and publishes it in the unclassified sphere, I assume your response will be “hey, I may have been wrong yet again, but at least I wasn’t impudent!”
Again, to my point: you think the subtext of this post is that someone is going to break module-LWE with a Python script, because, I guess, to you these (module-LWE and supersingular isogenies) are equivalently exotic cryptography primitives. It bothers me that the author of this post is banking on you not understanding the difference here.
You saw a similar thing in Bernstein's earlier railing against the NIST contest (which he participated in), happily whipping up a crowd of people who believed Tancrede Lepoint or Chris Peikert or Peter Schwabe might have been corrupted by NSA, because nobody in that crowd have any idea who those three researchers are.
I mean, if you're putting me in the same camp as Mark Dowd, I'm flattered.
What I think you're not seeing is that this isn't a SIKE vs. Lattice kind of debate; it's a Curve25519 vs. P-256 kind of debate. P-256 was never broken. Curve25519 made smart engineering decisions that for years foreclosed on some things that were common in-the-real-world implementation pitfalls. P-256 has closed that gap now, but for the whole run of the experience they were both sane choices.
That's a generous interpretation. Another parallel would be Rijndael vs. Serpent, where the Serpent advocates were all "I don't know about this Rijndael stuff seems dicy". Turned out: Rijndael was great.
But Bernstein wants you think that rather than a curve-selection type debate, this is more akin to a "discrete log vs. knapsack" debate. It isn't.
