I do not support the publication of this document.
I remember well that security standards get broken: when they have been
well-reviewed, but especially when they're new. Bugs show up in the
math, but also in implementations. Lattice cryptography seems to me to
be a very active field of research, when quite fundamental results (and
bugs!) are still being discovered, both in the math and in the
implementations. From a risk-management perspective alone, I believe
that it's too risky to standardise, even as "informational", a mode of
encryption that relies only on these new methods.
Cheers
Stephan
PS: Full disclosure: I have just joined the TLS mailing list, mainly to
say just this. I also have no standing in the cryptographic community,
except that I have published a paper last year together with Peter
Gutmann of this parish, about how all of the published quantum
factorisation records are bogus [1]. What kind of standing this gives
me, if any, is anybody's guess.
[1] https://eprint.iacr.org/2025/1237
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]