Crypto long bet: ML-KEM-768 vs X25519 — who breaks first?

April 11, 2026

The wager

A public, long-term bet has been posted on GitHub: Matthew Green is taking the “lattice cryptanalysis” side, Filippo Valsorda the “quantum computers” side. The question is simple and deliciously nerdy: what practical break comes first — ML-KEM-768 (the lattice-based KEM standardized in FIPS 203) or X25519 (RFC 7748)? The deadline is December 31, 2040. Stakes are small but symbolic: a $5,000 charitable donation for the main wager, $1,000 for a secondary wager, and — in a nice bit of human color — Filippo allegedly buys Matthew drinks if ML-KEM-512 weakens. It has been reported that The Register ran a write-up of the wager.

Terms and conditions

The bet is meticulously defined. A “break” must be a practical attack demonstrated on a real physical machine by the deadline — not just a paper algorithm with impractical resource estimates. For ML-KEM-768, extraction of shared secrets or decapsulation keys without the secret key counts. For X25519, recovering shared secrets or private scalars from public data counts. If both are broken, the earliest event wins; if neither is broken, no donation is made. The secondary wager captures a material downgrade: if ML-KEM-768 is deemed to fall below 128-bit security by NIST or a majority of appointed arbiters, that triggers the $1,000 donation.

Why anyone should care

Why does this matter? Because this is a tidy proxy fight in the broader industry scramble over post-quantum readiness. X25519 is everywhere — TLS, VPNs, messaging apps — battle-tested and deployed at scale. Lattice schemes like ML-KEM-768 are the poster children of the NIST post-quantum push. Which will crack first — a breakthrough in lattice cryptanalysis or a quirky classical/quantum attack on Curve25519? That’s the implicit bet. It’s also a bit of theater: two well-known cryptographers putting modest money and public goodwill on the line to force clarity, and inviting others to “put their money where their mouth is” via back bets on the GitHub repo. Small stakes, big symbolism. Who’s right? Time — and possibly some very clever adversaries — will tell.

Sources: github.com/filosottile, Lobsters