On Thu, 2026-07-02 at 15:11 +0200, Bas Westerbaan wrote:
> > You’re right, I should have said “less secure” about NewHope.
> > The additional algebraic structure leads to more angles of attack
> > which for other rings (e.g., non-cyclotomic ones) has led to
> > problems.
> > I believe this is why NIST preferred Kyber over NewHope.
> > 
> 
> Less attack surface, more flexibility and still great performance.
> The choice makes a lot of sense.

Indeed, and NIST actually documented their rationale. NIST IR 8309,
section 3.12 NewHope: https://doi.org/10.6028/NIST.IR.8309

> > And there HAVE been partially successful “special” and
> > “implementation” attacks
> > (e.g., Security of NewHope Under Partial Key Exposure).
> > And now that ring-based LWE has not been selected less effort is
> > being expended in that direction.
> > 
> 
> As you hint at, attacks often develop from special / simpler cases.
> It still makes sense to look at ring-LWE if you want to attack
> module-LWE. And even though ring-LWE is not deployed today, it surely
> still is a career-defining achievement.

Yes. My argument wasn't quite as well-worded as it could have been -
the asymptotic argument while nice doesn't apply at the parameters in
question and I should have said "to a more fundamental problem" so I
guess I earned Scott's reply, fair point. I'm stealing pedants'R'us
though for future use.

Discussing with people who know better, I'm technically wrong about
there being no improvement over generic lattices - but 2026/279 gives
you 2-3 bits for MLWE so for all practical purposes this isn't a major
issue.

I usually refer to https://eprint.iacr.org/2025/304.pdf for an overview
of the current state of things - see in particular 8.3, which is what I
was getting at and I don't think is meaningfully changed by 2026/279. 

Mark's points about attack cost being exponentially stable here:
 https://mailarchive.ietf.org/arch/msg/tls/HznE1IcCjstEjhh4M1p59qX1JlQ/
and history of the field are excellent and a better argument than I
wrote.

> No, I think your list is defensible. I don't see a need to move to
> pure ML-KEM anytime soon as we have X25519MLKEM768 already. And if we
> move away from X25519MLKEM768, it'll probably be a better PQ KEM. I
> do see a need to move to ML-DSA, for which there is no agreement on
> which hybrid to use. There it's the spectre of your point (2)
> together with migration timelines that weighs heavily for me.

Hopefully indeed there will be better KEMs, and better signatures.

Thanks,

Antony

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to