The cr.yp.to microblog: 2020.07.28 11:10:31

2020.07.28 11:10:31 (1288039119805747200) from Daniel J. Bernstein:

Misrepresentations of security proofs are starting to cause serious damage. The embarrassingly wrong idea that there's a proof that the "security of NewHope is never better than that of KYBER" is the centerpiece of NIST removing NewHope from #NISTPQC. See https://doi.org/10.6028/NIST.IR.8309.

2020.07.28 11:14:58 (1288040240712622080) from Daniel J. Bernstein:

Known hybrid attacks are faster against Kyber than against NewHope. (Kyber missed this because its security analysis was oversimplified; I'm writing a paper on this.) More to the point, it's clear that there isn't and won't be a proof that Kyber is at least as secure as NewHope.

2020.07.28 11:26:26 (1288043124120408064) from Daniel J. Bernstein:

Cryptographers who condone exaggerations of what has been proven share responsibility for any resulting security failures. We cannot simply ignore the increased influence of dangerously oversimplified "provable security" claims upon standards and deployment. This is not a game.