For everyone's convenience: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/RsQbm_AQfzs/m/19o76lsyCwAJ
On Tue, Apr 15, 2025 at 11:55 AM D. J. Bernstein <d...@cr.yp.to> wrote:

> A message has just appeared on pqc-forum claiming yet another attack improvement against lattices---improving what are called "dual" attacks and breaking earlier claims about those attacks not working; concretely, reducing "the security of Kyber-512/768/1024 by approximately 3.5/11.9/12.3 bits" below Kyber's security goals in the same cost model used in the round-3 Kyber submission.
>
> For comparison, the round-3 Kyber security analysis had claimed that "primal" attacks for round-3 Kyber-512 (after patches to Kyber-512 in response to earlier security issues) were ~10 bits above the goals, and that dual attacks were "significantly more expensive" than that.
>
> The "significantly" slowdown wasn't quantified, so the reader is left not even knowing how much improvement there has been. Did these 5 years of public attack development reduce the costs of Kyber-512 dual attacks by 20 bits? 30 bits? As for the future, how much farther will the cliff crumble? We don't know. Continued excitement for researchers! Lattice attacks today are far less stable than ECC attacks were two decades ago.
>
> To be clear, I'm not opposing efforts to roll out post-quantum systems: on the contrary, we have to _try_ to stop quantum attacks. I'm simply saying that we shouldn't be ripping out seatbelts.
>
> ---D. J. Bernstein
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org