I appreciate the follow-up. I read the long DJB page but never saw any follow-up; to be fair I wasn't directly looking for any. In either case it's great to know the allegations don't apply to Kyber-768 and up (and great there's a Golang implementation now!).



I'm sure he's alleged something about the other variants. Like a few years ago he had this theory about "S-Unit attacks" on Kyber and NewHope, but it hasn't gone anywhere.

IMHO the lattice finalists -- Kyber, Saber and NTRU -- are all basically good, each having advantages over the others but no decisive advantages, and Kyber was the community favorite. So that whole rant about NIST picking Kyber for unconvincing reasons is like ... yeah, that's just what happens when all remaining choices are fine.

There is also the issue that cryptanalysis has advanced. There haven't been any fundamental breakthroughs yet, but there have been significant optimizations. If this trend continues, Kyber-512 might become certificationally weak (i.e. it might be considered weaker than AES-128), but unless there is a deeper breakthrough, it probably will not become feasible to break it in practice. This threat is why the Kyber team recommends Kyber-768 for mainstream use. The same threat applies to Saber and NTRU, with NTRU having (IIUC) the weakest security at a given dimension, but the most freedom in choosing how many dimensions to use.
