>
> That is a good argument, but the crux is "no attack has been demosntrated"
> is not the same as "no attack will be found"
> and certainly not the same as "no attack exists".
> Modular LWE (k>1) is a compromise between efficient but insecure Ring
> based (k=1) LWE, and complex but more secure LWE over the integers.
>

Sorry, I must've missed the memo, but could you give me a pointer why the
RLWE scheme A New Hope is "insecure"?

I'd say MLWE is simpler to implement if you're doing more than one security
level. Also, taken as a whole, ML-KEM is a delightfully simple algorithm.


> We can't yet be sure that this compromise is as secure as it seems.
>

You wrote "yet". What would make you change your mind?

Best,

 Bas
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to