6

So I read parts of the following article: https://blog.cr.yp.to/20231003-countcorrectly.html

But I quite dont understand it. NIST assumes Kyber 512 is just as hard as AES128 nowadays, in presence of quantum computers. The error they mention is that Kyber has the security level of 2^41 bits, instead of 2^80 bits, but does that make any difference? Isnt 2^80 still not sufficient security level? What is the problem about, the general recommendation to use Kyber 512?

user112982
  • 61
  • 1

2 Answers2

6

That post spawned a 1.5 month flame war on the NIST pqc google group. You can read through that for some elaboration by Dan on what he meant, but my understanding is that not everyone agrees with him, even after more elaboration on his part.

A reply post by Sophie Schmieg is available here and the follow-up by Dan (djb) is here

You can also read the associated reddit thread

ddddavidee
  • 3,324
  • 2
  • 23
  • 34
Mark Schultz-Wu
  • 12,944
  • 19
  • 41
  • 2
    FYI, I think you posted the wrong link – Mikero Dec 06 '23 at 01:09
  • 1
    https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E seems to be it – kodlu Dec 06 '23 at 02:28
  • Thanks, definitely the wrong link. – Mark Schultz-Wu Dec 06 '23 at 03:55
  • @Mark but what is the outcome? I think this is not a topic of preference, where there can be different opinions? Who is right? Even having 2^80 bit security on a PQC scheme, is it considered secure? – user112982 Dec 06 '23 at 12:53
  • 1
    Nobody thinks Kyber has a bit security level of $2^{80}$. The fact that you think that’s what Dan wrote is an indication that Dans writing was bad (hence the 1.5 month long argument). His actual claim was something like “it is possible Kyber’s security level has dropped an unaccounted for 4 bits if you use a weird cost model it’s unclear if people care about”. If you see a $2^{80}$ as the total complexity of attacking a crypto system (and people don’t care about it), it is possible you are looking at the (quantum) gate count/depth to break the algorithm. These can be smaller. – Mark Schultz-Wu Dec 06 '23 at 19:13
  • 1
    That all being said, while the above email thread is mostly a fight between Dan Bernstein (the author of the blog you read) and Daniel Apon (another cryptographer), the way I remember the technical side of things is that Bernstein was unable to convince any other cryptographers that the issue he claimed had any merit. Perhaps I misremember, but Dan has a decade-long history of bringing up speculative worries about lattice-based cryptography (power of two cyclotomics being too structured, tightness gap in worst case to avg case reduction, S units stuff). I don’t recall it ever panning – Mark Schultz-Wu Dec 06 '23 at 19:17
  • 1
    Out to improved attacks. – Mark Schultz-Wu Dec 06 '23 at 19:17
0

The error they mention is that Kyber has the security level of 2^41 bits, instead of 2^80 bits, but does that make any difference? Isnt 2^80 still not sufficient security level?

I don't see a mention of error with these specific numbers. The 2^80 value is only used in the introduction of the article linked. The actual problems in the NIST analysis are more complex, though similar in nature.

The security level also depends on how you measure it (number of ASIC gates, number of CPU operations), but later in the article values are 2^118 to 2^140 and higher, depending on model and analysis. We know that they are "close" to AES-128 security level, but due to "known unknowns" the estimates could easily be wrong by 2^10 = 1000 times.

What is the problem about, the general recommendation to use Kyber 512?

The author of that article feels that NIST is not fairly comparing the alternatives, particularly NTRU vs. Kyber.

The claim is that in fair analysis, NTRU-509 would be as secure as Kyber-512, while being faster and requiring less bytes for keys and ciphertexts. And NTRU-677 would be more secure than Kyber-512, while being slower and having larger signatures and ciphertexts.

NISTs evaluation omits NTRU-509 on the basis that it wouldn't have sufficient security level. After that, some hand-waving is done to explain how Kyber-512 does meet the security level needed, despite some analysis results to the contrary. Yet, had the same hand-waving been applied to NTRU-509, it would meet the security level also.

jpa
  • 328
  • 1
  • 5