@webframp
Created October 7, 2023 03:10
  • There is debate around whether Kyber-512 provides security comparable to the AES-128 benchmark. NIST claims it meets this level once memory access costs are factored in, but others argue the analysis is uncertain.

  • NIST's analysis added 40 bits of estimated security to Kyber-512's post-quantum security level due to memory costs, bringing it above the AES-128 threshold. Critics question this calculation.

  • NTRU provides greater flexibility than Kyber in supporting a wider range of security levels. At some levels it also has better performance and security than Kyber options.

  • The security of lattice-based cryptosystems like Kyber and NTRU is not fully understood, and there is a risk of better attacks being discovered in the future.

  • Standardizing a system like Kyber-512 that may have limited security margin could be reckless given lattice cryptanalysis uncertainties.

  • Critics argue NIST has not clearly explained its security evaluations and claims about Kyber-512's margin above AES-128.

  • Memory access costs matter for lattice security, but their impact on attacks against Kyber, relative to classical attacks on AES, has not been fully quantified.

  • Removing Kyber-512 could make NTRU the strongest candidate given its flexibility at multiple security levels.

  • One paper argued multi-ciphertext attacks on Kyber may be as difficult as single-ciphertext attacks.

  • There are calls for NIST to be transparent about its analysis and decision making regarding Kyber-512.
