Eric Rescorla writes:
> It's of course worth noting that a CRQC might be very far in the
> future and we might get better PQ algorithms by that point, in which
> case we'd never deploy pure ML-KEM.

There are already various lattice KEMs that outperform Kyber, the most recent being https://eprint.iacr.org/2023/1298. So there are at least two obvious scenarios where deploying pure Kyber doesn't make sense:

* Scenario 1: Continued advances in lattice attacks publicly break Kyber, in which case pure Kyber will (hopefully!) never have been deployed.

* Scenario 2: Lattice cryptanalysis eventually stabilizes and people switch to any of the more efficient lattice KEMs, in which case pure Kyber won't be a security problem but also won't be a sensible investment of IETF time.

Is there an argument that Kyber will simultaneously avoid both of these scenarios? People are supposed to trust lattice cryptanalysis enough to be sure Kyber will survive, while also being sure that all of the more efficient lattice KEMs will be broken? This sounds fragile.

Another interesting scenario to consider is Scenario 3: Quantum attacks are demonstrated, but not with low enough cost to make users think that it's a good idea to give up on hybrids.

Meanwhile the elephant in the room, a problem for both pure Kyber and hybrid Kyber, is Scenario 0: Kyber deployment is slow, tentative, and perhaps ultimately aborted, because Kyber is in a patent minefield. Part of the minefield is two patents where it seems that NIST's buyouts will finally activate this year, but there are further patents that threaten Kyber, as illustrated by Yunlei Zhao in https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ saying "Kyber is covered by our patents". That was almost two years ago. I haven't heard reports of Zhao asking for money yet, but I also haven't seen an analysis explaining why Zhao is wrong.

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls