The cr.yp.to microblog: 2020.06.30 15:38:36

2020.06.30 15:38:36 (1277959726140018689) from Daniel J. Bernstein:

The Crypto 2020 paper https://eprint.iacr.org/2020/812, unaware of known algorithms using more hardware to reduce latency of x |-> x^2^T mod N, asks the "ambitious" question of whether reducing latency is equivalent to factoring, and excitedly proves yes in a limited model of computation.

2020.06.30 15:48:28 (1277962208719200269) from Daniel J. Bernstein:

In response to hype of older results in essentially the same model, Jager and Schwenk showed a decade ago that computing Jacobi symbols, which is doable in polynomial time, is as hard as factoring in this model. All results in this model need to preceded by huge security alerts.

2020.06.30 15:55:17 (1277963925405876225) from Daniel J. Bernstein:

Similarly, the Crypto 2011 paper https://link.springer.com/chapter/10.1007%2F978-3-642-22792-9_43, unaware of Sendrier's support-splitting algorithm S, proved that the problem solved by S is hard in a model of quantum computation, and claimed this was evidence of McEliece hardness. The same model says sorting is hard!

2020.06.30 16:05:38 (1277966530332864515) from Daniel J. Bernstein:

Sometimes proofs in limited models of computation are useful guidance for cryptanalysts, but for these papers the state-of-the-art attacks against the same problems were already beyond the proof models. We need to actively stamp out these dangerous "evidence of hardness" claims.