2023.10.06 11:02:01 (Mastodon 111187730179118875, Twitter 1710248940484890938) from Daniel J. Bernstein:
For people who haven't had time to read the full analysis, here's something much shorter: I sent a message https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/iLA0ErnMAwAJ to NIST's mailing list spelling out how NIST's "40 bits of security more than would be suggested by the RAM model" claim fails a simple sanity check.