Bas,
You’re right, I should have said “less secure” about NewHope.
The additional algebraic structure leads to more angles of attack
which for other rings (e.g., non-cyclotomic ones) has led to problems.
I believe this is why NIST preferred Kyber over NewHope.
And there HAVE been partially successful “special” and “implementation” attacks
(e.g., Security of NewHope Under Partial Key Exposure).
And now that ring-based LWE has not been selected less effort is being expended
in that direction.
ML-KEM is delightfully simple?
Granted that it has only 3 primitives, and reuses NTT and Keccak,
but like any new protocol it has numerous pitfalls and edge conditions
and I have been told that it isn’t easy to implement efficiently while
protecting against timing attacks.
I once implemented AES (which is trivial compared to Kyber) in FPGA
and came away with a healthy respect for getting simple things right in low
level production code.
What would convince me?
1. 5 years from now with no significant compromise discovered
OR
1. CRQCs become so prevalent that it is inexpensive to Shor ECDLP algorithms
OR a combination of
1. tighter (dimension preserving) reductions of ML-KEM to general SVP for
real parameter choices
AND
1. analytical evidence that you can’t beat LLL/BKZ approaches to
structureless SVP
OK, I am sure that you will say that this latter is a stricter condition than
that applied to RSA/ECDLP -
but
1. this is according to Sagan’s standard
the more a claim departs from the status quo, the stronger the evidence
required to accept it
1. there is strong experimental evidence that these are really subexponential
2. there was no previous generation with which to hybridize these
in case of someone finding a polynomial algorithm.
Y(J)S
From: Bas Westerbaan <[email protected]>
Sent: Monday, June 29, 2026 6:02 PM
To: Yaakov Stein <[email protected]>
Cc: Antony Vennard <[email protected]>; Joseph Salowey <[email protected]>;
[email protected]; [email protected]; [email protected]
Subject: Re: [TLS] Re: WG Last Call: draft-ietf-tls-mlkem-08 (Ends 2026-07-08)
That is a good argument, but the crux is "no attack has been demosntrated" is
not the same as "no attack will be found"
and certainly not the same as "no attack exists".
Modular LWE (k>1) is a compromise between efficient but insecure Ring based
(k=1) LWE, and complex but more secure LWE over the integers.
Sorry, I must've missed the memo, but could you give me a pointer why the RLWE
scheme A New Hope is "insecure"?
I'd say MLWE is simpler to implement if you're doing more than one security
level. Also, taken as a whole, ML-KEM is a delightfully simple algorithm.
We can't yet be sure that this compromise is as secure as it seems.
You wrote "yet". What would make you change your mind?
Best,
Bas
This message is intended only for the designated recipient(s). It may contain
confidential or proprietary information. If you are not the designated
recipient, you may not review, copy or distribute this message. If you have
mistakenly received this message, please notify the sender by a reply e-mail
and delete this message. Thank you.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]