Hasty Briefs

Understanding lattice risks: Many differences between marketing and reality

2 days ago
  • #cryptography
  • #post-quantum
  • #risk-analysis
  • The text criticizes a justification for deploying standalone ML-KEM instead of ECC+ML-KEM, pointing out several flaws: the risk analysis is narrowed to 'known' cryptanalysis, software vulnerabilities such as timing attacks (e.g., KyberSlash, a variable-time division on secret-dependent data in Kyber implementations) are left out, and issues such as tightness gaps in the security reductions are excluded.
  • It highlights jargon being used to narrow the question: 'cryptanalysis' is read so as to exclude software bugs, 'module structure' is treated as if it covered every attack surface, and 'rank >= 2' module lattices are treated as immune to attacks that exploit the underlying ideal-lattice (ring) structure; it also notes that the claim that no known attack beats generic lattice reduction has since been contradicted by recent research.
  • The author argues that worst-case-to-average-case reductions for lattice problems are asymptotic and say nothing about the concrete parameters actually deployed, and that reductions of the same kind exist for RSA and ECDLP, so they do not single out lattices as safer. The author emphasizes that ECC+PQ is needed as a safety layer in case the PQ component fails, and criticizes the IETF's procedural mishandling of the standardization vote.
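The KyberSlash item above is the kind of "software bug, not cryptanalysis" the author says a risk analysis must include. The C program below is an added example written for this page, not code from the original post or from any Kyber/ML-KEM implementation. It reproduces the vulnerable pattern in its simplest form (a 4-bit coefficient compression that divides a secret-derived value by q = 3329; on CPUs without a constant-time divider, and when the compiler emits a hardware divide instead of strength-reducing the constant division, the latency leaks the operand) next to a constant-time multiply-and-shift replacement that I derived here (the magic constant ceil(2^32 / q) = 1290168 and its error bound are my own, not the upstream patch), and it checks exhaustively that the two agree. Coefficients are assumed to be already reduced to [0, q).

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329u

/* Vulnerable pattern (KyberSlash-style): "/ KYBER_Q" is an integer division.
 * On a core without a constant-time divider, and when the compiler emits a
 * real divide instruction rather than a multiply-shift, the cycle count
 * depends on the operand. During decapsulation the operand is derived from
 * secret data, so the timing leaks information about that secret. */
uint8_t compress4_div(uint16_t u) {
    uint32_t x = ((uint32_t)u << 4) + KYBER_Q / 2;
    return (uint8_t)((x / KYBER_Q) & 15u);
}

/* Constant-time floor(x / q) for x < 2^16, derived for this example.
 * With M = ceil(2^32 / q) = 1290168 and e = M*q - 2^32 = 1976, we have
 *   x*M / 2^32 = x/q + x*e / (q * 2^32),
 * and the error term is below 1/q whenever x*e < 2^32, i.e. for every
 * x < 2^16. Writing x = q*n + r with 0 <= r < q, the scaled value then lies
 * in [n, n + (q-1)/q + 1/q) = [n, n+1), so the floor is exactly n.
 * Multiplication and shifts run in constant time on mainstream CPUs. */
#define DIV_Q_MAGIC 1290168u

uint32_t divq_ct(uint16_t x) {
    return (uint32_t)(((uint64_t)x * DIV_Q_MAGIC) >> 32);
}

/* Hardened compression: same result as compress4_div, no division. */
uint8_t compress4_ct(uint16_t u) {
    uint32_t x = ((uint32_t)u << 4) + KYBER_Q / 2;   /* < 2^16 for u < q */
    return (uint8_t)(divq_ct((uint16_t)x) & 15u);
}

/* Exhaustive check over every reduced coefficient. Returns the number of
 * inputs where the constant-time version disagrees with the divide. */
int count_compress_mismatches(void) {
    int bad = 0;
    for (uint32_t u = 0; u < KYBER_Q; u++)
        if (compress4_div((uint16_t)u) != compress4_ct((uint16_t)u))
            bad++;
    return bad;
}

/* Exhaustive check of the general divider over the whole 16-bit range,
 * i.e. the full domain for which the error bound above was derived. */
int count_divq_mismatches(void) {
    int bad = 0;
    for (uint32_t x = 0; x < 65536u; x++)
        if (divq_ct((uint16_t)x) != x / KYBER_Q)
            bad++;
    return bad;
}

int main(void) {
    printf("compress mismatches over [0, q): %d\n", count_compress_mismatches());
    printf("divq mismatches over [0, 2^16):  %d\n", count_divq_mismatches());
    printf("compress4(1664) = %u\n", (unsigned)compress4_ct(1664));
    return 0;
}
```

The exhaustive loops are the check a practitioner actually wants before swapping a division out of a cryptographic routine: a magic-constant divider is only safe on the input range its error bound covers, so the replacement is verified over exactly that range rather than on a few hand-picked values. Note also that compiling `compress4_div` with optimization on x86 will usually turn the constant division into a multiply-shift anyway; the leak appeared on targets and flag combinations where the compiler emitted a hardware divide, which is why the fix must be in the source, not left to the compiler.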