- There is debate around whether Kyber-512 provides adequate security compared to the AES-128 benchmark. NIST claims it meets this level when memory access costs are factored in, but others argue the analysis is uncertain.
- NIST's analysis added 40 bits of estimated security to Kyber-512's post-quantum security level due to memory costs, bringing it above the AES-128 threshold. Critics question this calculation.
- NTRU provides greater flexibility than Kyber in supporting a wider range of security levels. At some levels it also has better performance and security than the Kyber options.
- The security of lattice-based cryptosystems like Kyber and NTRU is not fully understood, and there is a risk of better attacks being discovered in the future.
- Standardizing a system like Kyber-512 that may have limited security margin could be reckless given the uncertainties in lattice cryptanalysis.
- Critics argue NIST has not clearly explained its security evaluations and its claims about Kyber-512's margin above AES-128.
- Memory access costs are important to lattice security, but their impact on attacks against Kyber versus classical attacks on AES is not fully quantified.
- Removing Kyber-512 could make NTRU the strongest candidate given its flexibility at multiple security levels.
- One paper argued that multi-ciphertext attacks on Kyber may be as difficult as single-ciphertext attacks.
- There are calls for NIST to be transparent about its analysis and decision making regarding Kyber-512.
Created October 7, 2023 03:10
Kagi.com generated summary of https://blog.cr.yp.to/20231003-countcorrectly.html