A message has just appeared on pqc-forum claiming yet another attack improvement against lattices---improving what are called "dual" attacks and breaking earlier claims about those attacks not working; concretely, reducing "the security of Kyber-512/768/1024 by approximately 3.5/11.9/12.3 bits" below Kyber's security goals in the same cost model used in the round-3 Kyber submission.
For comparison, the round-3 Kyber security analysis had claimed that "primal" attacks for round-3 Kyber-512 (after patches to Kyber-512 in response to earlier security issues) were ~10 bits above the goals, and that dual attacks were "significantly more expensive" than that. The "significantly" slowdown wasn't quantified, so the reader is left not even knowing how much improvement there has been. Did these 5 years of public attack development reduce the costs of Kyber-512 dual attacks by 20 bits? 30 bits? As for the future, how much farther will the cliff crumble? We don't know. Continued excitement for researchers!

Lattice attacks today are far less stable than ECC attacks were two decades ago.

To be clear, I'm not opposing efforts to roll out post-quantum systems: on the contrary, we have to _try_ to stop quantum attacks. I'm simply saying that we shouldn't be ripping out seatbelts.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org