2022.07.16 19:30:35 (1548359451752640520) from Daniel J. Bernstein:
NIST's latest report (1) says NIST is confident in the security of Kyber; (2) says Kyber-512 >= AES-128; (3) says Kyber-768 >= AES-192. But attack advances keep reducing lattice security levels! It will be completely unsurprising if the next round of attacks falsifies #2 and #3.
2022.07.16 19:41:58 (1548362317766598660) from Daniel J. Bernstein:
Do large-scale attackers (think: years of secret work by Coppersmith et al.) have _feasible_ attacks against Kyber-512? Maybe, maybe not. This is safer than the 100% security failure (assuming big quantum computers are built) of not rolling out _anything_. But "confident"? Yikes.
2022.07.16 19:45:59 (1548363327536910339) from Daniel J. Bernstein:
_Public_ lattice attacks are super-complicated and keep getting more complicated. The 17 bullet items on pages 3-4 of https://ntruprime.cr.yp.to/latticerisks-20211031.pdf are surveying attack advances between 2018 and 2021, and we've seen more in 2022. This is completely different from the stability of ECDL.
2022.07.16 19:50:55 (1548364569638162437) from Daniel J. Bernstein:
Here's the really weird part: https://spectrum.ieee.org/post-quantum-cryptography-nist quotes NIST's Dustin Moody as now saying "Because this is a new research field, we don’t want to put all our eggs in one basket and only have lattice algorithms, and then an attack comes along and we don’t have anything else."
2022.07.16 19:57:26 (1548366210936422401) from Daniel J. Bernstein:
It seems that NIST _does_ see at least some of the risks in these bleeding-edge structured-lattice systems. But NIST says that "NIST is confident in the security that each provides." Confident? NIST keeps using that word. I do not think that word means what NIST thinks it means.