I did the same. Something that helped me get my head around it was realising that NTT is mostly a performance optimization, a bit like montgomery form in RSA. You can conceptually implement ML-KEM without it, it'll just be slower (it also won't be interoperable because the wire format involves the NTT'd form - I think, it's been a while since I looked at it in detail).
Good stuff to know, just in case the life extension tech explodes and we're all alive by the time cryptographically relevant quantum computers actually hit the scene.
Yes, but it exists because it was deemed better to be cautious and implement PQC despite the uncertainty and different points of view around the time scale to have cryptographically relevant quantum computers (or, from a different point of view, precisely due to the uncertainties). Their comment was in the wrong tone, but the doubts are there. BTW, PQC can be interesting to learn regardless of the discussion around quantum computers.
"will we have a CRQC soon" is the subject of much debate but "will we have a CRQC ever" is pretty uncontroversially a possibility, and so it is worth defending against harvest-now-decrypt-later attacks in the present - which is why X25519MLKEM768 is widely deployed already.
* [Enough Polynomials and Linear Algebra to Implement Kyber](https://words.filippo.io/kyber-math/)
* [Basic Lattice Cryptography. The concepts behind Kyber (ML-KEM) and Dilithium (ML-DSA)](https://eprint.iacr.org/2024/1287.pdf)
* [A Complete Beginner Guide to the Number Theoretic Transform (NTT)](https://eprint.iacr.org/2024/585.pdf)
Seems to me that these lattices and error-correcting codes are very close to each other, but for some reason they are discussed separately.
I'd wager that there will be some reductions between those problems - maybe I could dig more around that.
https://www.reddit.com/r/VXJunkies/