A Cryptographic Long Bet: X25519 vs ML-KEM-768 and the Future of Security

Tech Essays Reporter

A fascinating wager between cryptography experts Matthew Green and Filippo Valsorda represents a significant debate about the future of cryptographic security, pitting classical cryptanalysis against quantum computing in a high-stakes bet that will be settled by December 31, 2040.

In the evolving landscape of cryptographic security, few public debates capture the tension between classical and quantum threats as vividly as the long bet established between renowned cryptographer Matthew Green and Filippo Valsorda. This wager, hosted on GitHub, represents not merely a financial wager but a profound statement about the future of cryptographic security.


The Core of the Wager

At its heart, this long bet addresses a fundamental question in modern cryptography: which cryptographic primitive will succumb first to practical attacks? The two systems in question represent different cryptographic paradigms:

  • ML-KEM-768: A post-quantum key encapsulation mechanism from the CRYSTALS-KEM family, standardized in FIPS 203. It is a lattice-based scheme, and lattice-based cryptography is currently considered one of the most promising approaches for resisting quantum attacks.

  • X25519: A classic elliptic curve Diffie-Hellman key exchange protocol specified in RFC 7748. It represents the current state-of-the-art in classical public-key cryptography and is widely deployed across the internet.

The main wager of $5,000 asks which system will be practically broken first by December 31, 2040. Matthew Green bets that lattice cryptanalysis will find weaknesses in ML-KEM-768 first, while Filippo Valsorda wagers that quantum computers will eventually break X25519.

Technical Significance

The bet's technical specifications reveal a sophisticated understanding of cryptographic security. For ML-KEM-768 to be considered "broken," the wager requires a practical demonstration of recovering the shared secret from a public key and ciphertext, or recovering the decapsulation key from the encapsulation key. For X25519, the threshold is recovery of the shared secret from public keys or a party's private scalar from its public key.

These definitions deliberately exclude side-channel attacks, implementation flaws, and protocol misuse, focusing instead on fundamental cryptographic weaknesses in the underlying primitives. This distinction is crucial—it separates theoretical cryptographic concerns from practical engineering challenges.
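To make the X25519 break conditions above concrete, here is an added pure-Python implementation of the RFC 7748 Montgomery ladder. It is an illustration written for this article, not code from the bet's repository or from either participant; the function and constant names are this example's own, and the key material is the RFC 7748 Section 6.1 Alice/Bob test vectors rather than constructed values.

```python
"""Pure-Python X25519 (RFC 7748 Montgomery ladder), added illustration only.

Not the wager repository's code; relies on nothing beyond RFC 7748. The hex
values at the bottom are the RFC 7748 Section 6.1 test vectors.
"""
P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4, the ladder constant
BASE_POINT_U = 9         # u-coordinate of the generator


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte scalar exactly as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a little-endian u-coordinate, masking the unused top bit."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def _cswap(swap: int, x: int, y: int):
    # Python branching is not constant-time; RFC 7748 specifies a masked swap.
    # A timing leak here would be an implementation flaw, which the wager
    # explicitly excludes, so this illustration does not bother to hide it.
    return (y, x) if swap else (x, y)


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k * u on Curve25519 (RFC 7748 section 5)."""
    k_int = _decode_scalar(k)
    x_1 = _decode_u(u)
    x_2, z_2 = 1, 0
    x_3, z_3 = x_1, 1
    swap = 0
    for t in range(254, -1, -1):          # 255 scalar bits, high to low
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) * (da + cb) % P
        z_3 = x_1 * ((da - cb) * (da - cb) % P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    # Project back to affine: x_2 / z_2 via Fermat inversion.
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_scalar: bytes) -> bytes:
    """Encapsulation-side value a party publishes: scalar times base point."""
    return x25519(private_scalar, BASE_POINT_U.to_bytes(32, "little"))


def shared_secret(private_scalar: bytes, peer_public: bytes) -> bytes:
    """What each party computes from its own scalar and the peer's public key."""
    return x25519(private_scalar, peer_public)


# RFC 7748 section 6.1 test vectors (real published values, not constructed).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def run_exchange() -> dict:
    """Both parties derive the same secret; the result is checked against the RFC."""
    k_alice = shared_secret(ALICE_PRIV, BOB_PUB)
    k_bob = shared_secret(BOB_PRIV, ALICE_PUB)
    return {
        "alice_pub_ok": public_key(ALICE_PRIV) == ALICE_PUB,
        "bob_pub_ok": public_key(BOB_PRIV) == BOB_PUB,
        "agree": k_alice == k_bob,
        "matches_rfc": k_alice == SHARED,
    }


if __name__ == "__main__":
    print(run_exchange())
```

Read against the wager's definitions: the public transcript consists of ALICE_PUB and BOB_PUB only. Producing SHARED from those two values alone is the first break condition; recovering ALICE_PRIV from ALICE_PUB is the second. Anything that instead exploits how a particular implementation computes the ladder, such as the non-constant-time swap above, is the kind of implementation flaw the wager sets aside.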

The Secondary Wager: Security Degradation

Beyond the main wager, a secondary $1,000 bet addresses a more nuanced question: will ML-KEM-768's security level fall below 128 bits by the deadline? This secondary wager acknowledges that cryptographic systems rarely transition from secure to broken in a binary fashion. Instead, security often degrades gradually as new attack methods are discovered.

The secondary wager has three possible outcomes:

  1. ML-KEM-768 falls below 128-bit security (Matthew wins)
  2. ML-KEM-768 falls below 192-bit but stays at or above 128-bit security (draw)
  3. ML-KEM-768 stays at or above 192-bit security (Filippo wins)

This three-way structure recognizes that security levels lie on a spectrum rather than being a binary secure-or-broken state.

The Moral Stake: ML-KEM-512

Separate from the monetary wagers, the bet includes a "moral win" component where Filippo Valsorda will buy Matthew Green drinks if ML-KEM-512 is no longer considered secure for new deployments. This adds an interesting dimension to the bet, focusing on the smaller parameter set that might be more vulnerable to attacks.

Why This Bet Matters

This wager transcends a simple intellectual disagreement between experts. It represents a significant moment in the cryptographic community's transition to post-quantum cryptography. The bet's structure acknowledges the uncertainty inherent in predicting cryptographic breakthroughs while providing a framework for resolving the disagreement through concrete evidence rather than theoretical arguments.

The charitable donation mechanism adds another layer of significance, with funds going to either the Electronic Frontier Foundation or Internet Archive depending on the outcome. This aligns the wager with broader values of supporting digital freedom and preservation.

Broader Implications

The bet reflects several important trends in cryptography:

  1. The Quantum Threat: The ongoing development of quantum computing continues to loom over classical cryptographic systems. While large-scale quantum computers capable of breaking practical cryptosystems like X25519 remain theoretical, the bet acknowledges that this could change within the next two decades.

  2. Post-Quantum Cryptography: The inclusion of ML-KEM-768 represents the maturation of post-quantum cryptography. In 2022, NIST selected CRYSTALS-KEM (which includes ML-KEM-768) as one of the first standards for post-quantum cryptography, marking a significant milestone in the field.

  3. Cryptographic Agility: The bet implicitly supports the principle of cryptographic agility—the ability to transition to new cryptographic primitives when needed. Rather than betting on specific protocols or implementations, the wager focuses on the underlying primitives, acknowledging that cryptographic systems must evolve to address new threats.

Community Participation

Perhaps most interesting is the open nature of the bet. The repository explicitly invites others to join by submitting pull requests with their own wagers. This community aspect transforms what could have been a private disagreement into a public conversation about cryptographic security.

Current participants include:

  • David Adrian (Quantum Computers side / $10,000 on main wager / $2,000 on secondary wager)
  • sanketh (Lattice Cryptanalysis side / $1,000 on main wager / $200 on secondary wager)

This community engagement reflects the collaborative nature of cryptographic research and the importance of diverse perspectives in addressing security challenges.

The Role of Arbitration

The bet establishes a three-person arbitration panel with one arbiter selected by each participant and one jointly selected:

  • Sophie Schmieg (selected by Filippo Valsorda)
  • Madars Virza (selected by Matthew Green)
  • Thomas H. Ptacek (selected jointly)

This structure ensures that any disagreements about the interpretation of results or the sufficiency of proof will be resolved through a neutral process, adding credibility to the wager's outcome.

Conclusion

This long bet represents more than just a wager between two experts—it's a public conversation about the future of cryptographic security. By December 31, 2040, we will know whether lattice-based cryptanalysis or quantum computing will pose the more immediate threat to our cryptographic infrastructure.

Regardless of the outcome, the bet serves as a valuable reminder that cryptographic security is not static. The systems we rely on today will face new challenges in the future, and the cryptographic community must remain vigilant and adaptable.

For those interested in following this bet or participating themselves, the GitHub repository provides all the necessary details and a framework for joining the discussion. As we navigate the transition to a post-quantum world, such public engagements help clarify the challenges ahead and guide the development of more secure cryptographic systems.
