> > That is a good argument, but the crux is "no attack has been demosntrated" > is not the same as "no attack will be found" > and certainly not the same as "no attack exists". > Modular LWE (k>1) is a compromise between efficient but insecure Ring > based (k=1) LWE, and complex but more secure LWE over the integers. >
Sorry, I must've missed the memo, but could you give me a pointer why the RLWE scheme A New Hope is "insecure"? I'd say MLWE is simpler to implement if you're doing more than one security level. Also, taken as a whole, ML-KEM is a delightfully simple algorithm. > We can't yet be sure that this compromise is as secure as it seems. > You wrote "yet". What would make you change your mind? Best, Bas
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
