Bas,

You’re right, I should have said “less secure” about NewHope.
The additional algebraic structure leads to more angles of attack
which for other rings (e.g., non-cyclotomic ones) has led to problems.
I believe this is why NIST preferred Kyber over NewHope.
And there HAVE been partially successful “special” and “implementation” attacks
(e.g., Security of NewHope Under Partial Key Exposure).
And now that ring-based LWE has not been selected less effort is being expended 
in that direction.

ML-KEM is delightfully simple?
Granted that it has only 3 primitives, and reuses NTT and Keccak,
but like any new protocol it has numerous pitfalls and edge conditions
and I have been told that it isn’t easy to implement efficiently while 
protecting against timing attacks.
I once implemented AES (which is trivial compared to Kyber) in FPGA
and came away with a healthy respect for getting simple things right in low 
level production code.

What would convince me?

  1.  5 years from now with no significant compromise discovered


OR


  1.  CRQCs become so prevalent that it is inexpensive to Shor ECDLP algorithms


OR a combination of


  1.  tighter (dimension preserving) reductions of ML-KEM to general SVP for 
real parameter choices
AND

  1.  analytical evidence that you can’t beat LLL/BKZ approaches to 
structureless SVP

OK, I am sure that you will say that this latter is a stricter condition than 
that applied to RSA/ECDLP -
but

  1.  this is according to Sagan’s standard

the more a claim departs from the status quo, the stronger the evidence 
required to accept it

  1.  there is strong experimental evidence that these are really subexponential
  2.  there was no previous generation with which to hybridize these
                in case of someone finding a polynomial algorithm.

Y(J)S


From: Bas Westerbaan <[email protected]>
Sent: Monday, June 29, 2026 6:02 PM
To: Yaakov Stein <[email protected]>
Cc: Antony Vennard <[email protected]>; Joseph Salowey <[email protected]>; 
[email protected]; [email protected]; [email protected]
Subject: Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)

That is a good argument, but the crux is "no attack has been demosntrated" is 
not the same as "no attack will be found"
and certainly not the same as "no attack exists".
Modular LWE (k>1) is a compromise between efficient but insecure Ring based 
(k=1) LWE, and complex but more secure LWE over the integers.

Sorry, I must've missed the memo, but could you give me a pointer why the RLWE 
scheme A New Hope is "insecure"?

I'd say MLWE is simpler to implement if you're doing more than one security 
level. Also, taken as a whole, ML-KEM is a delightfully simple algorithm.

We can't yet be sure that this compromise is as secure as it seems.

You wrote "yet". What would make you change your mind?

Best,

 Bas
This message is intended only for the designated recipient(s). It may contain 
confidential or proprietary information. If you are not the designated 
recipient, you may not review, copy or distribute this message. If you have 
mistakenly received this message, please notify the sender by a reply e-mail 
and delete this message. Thank you.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to