On Thu, 2026-07-02 at 15:11 +0200, Bas Westerbaan wrote: > > You’re right, I should have said “less secure” about NewHope. > > The additional algebraic structure leads to more angles of attack > > which for other rings (e.g., non-cyclotomic ones) has led to > > problems. > > I believe this is why NIST preferred Kyber over NewHope. > > > > Less attack surface, more flexibility and still great performance. > The choice makes a lot of sense.
Indeed, and NIST actually documented their rationale. NIST IR 8309, section 3.12 NewHope: https://doi.org/10.6028/NIST.IR.8309 > > And there HAVE been partially successful “special” and > > “implementation” attacks > > (e.g., Security of NewHope Under Partial Key Exposure). > > And now that ring-based LWE has not been selected less effort is > > being expended in that direction. > > > > As you hint at, attacks often develop from special / simpler cases. > It still makes sense to look at ring-LWE if you want to attack > module-LWE. And even though ring-LWE is not deployed today, it surely > still is a career-defining achievement. Yes. My argument wasn't quite as well-worded as it could have been - the asymptotic argument while nice doesn't apply at the parameters in question and I should have said "to a more fundamental problem" so I guess I earned Scott's reply, fair point. I'm stealing pedants'R'us though for future use. Discussing with people who know better, I'm technically wrong about there being no improvement over generic lattices - but 2026/279 gives you 2-3 bits for MLWE so for all practical purposes this isn't a major issue. I usually refer to https://eprint.iacr.org/2025/304.pdf for an overview of the current state of things - see in particular 8.3, which is what I was getting at and I don't think is meaningfully changed by 2026/279. Mark's points about attack cost being exponentially stable here: https://mailarchive.ietf.org/arch/msg/tls/HznE1IcCjstEjhh4M1p59qX1JlQ/ and history of the field are excellent and a better argument than I wrote. > No, I think your list is defensible. I don't see a need to move to > pure ML-KEM anytime soon as we have X25519MLKEM768 already. And if we > move away from X25519MLKEM768, it'll probably be a better PQ KEM. I > do see a need to move to ML-DSA, for which there is no agreement on > which hybrid to use. There it's the spectre of your point (2) > together with migration timelines that weighs heavily for me. Hopefully indeed there will be better KEMs, and better signatures. Thanks, Antony _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
