2022.05.09 18:33:26 (1523702696825348097) from Daniel J. Bernstein:
2018, e.g. in https://www.imperialviolet.org/2018/04/11/pqconftls.html: Many cryptographers are blaming subtle overflow bugs on ECC carry chains. 2022, https://github.com/mupq/pqm4/issues/226: Subtle overflow bug in some Kyber code. Zero impact today, but we're about to see an explosion of lattice deployment and many more bugs.