2023.10.06 11:37:32 (Mastodon 111187869855508448, Twitter 1710257884658036847) from Daniel J. Bernstein:
For obsolete attacks from 2020, https://web.archive.org/web/20230310174959/https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf estimates "2^151 gates" in "RAM model" break Kyber-512. NIST says memory adds "40 bits": 2^191. NIST waves at https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf, but Table 2 there estimates that if you scale up to sntrup653 then memory costs 2^169.