Understanding lattice risks: Many differences between marketing and reality
2 days ago
- #cryptography
- #post-quantum
- #risk-analysis
- The post criticizes the justification offered for deploying ML-KEM alone instead of ECC+ML-KEM, pointing out several flaws: narrowing the risk analysis to 'known' cryptanalysis, ignoring software vulnerabilities such as timing attacks (e.g., KyberSlash), and excluding issues such as tightness gaps in the security reductions.
- It highlights misuse of jargon, such as 'cryptanalysis' being read to exclude software bugs, 'module structure' ignoring other attack surfaces, and 'rank >= 2' overlooking ideal-lattice attacks, and notes that the claim that no known attack beats generic lattice reduction has been disproven by recent research.
- The author argues that worst-case-to-average-case reductions for lattice problems are asymptotic and say nothing about current parameters, and that comparable reductions exist for RSA and the ECDLP anyway; the post stresses ECC+PQ as a safety layer against a PQ failure and criticizes the IETF's procedural mishandling of the standardization vote.
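The KyberSlash point in the first bullet concerns a single `/` in Kyber's coefficient compression: integer division runs in data-dependent time on many CPUs, so the secret-dependent operand leaks. The following is an added example, not code from the post or from any Kyber implementation, that puts the division-based 4-bit compression next to a division-free multiply-and-shift version (constants 1665 and 80635 chosen here as floor(2^28/q) with a rounding correction) and exhaustively checks that the two agree on every coefficient 0..q-1, the regression check a maintainer would want before shipping such a fix.

```c
#include <stdint.h>
#include <stdio.h>

#define KYBER_Q 3329

/* Reference-style 4-bit compression: round(16*x/q) mod 16.
 * The '/' is the KyberSlash hazard: integer division takes a
 * data-dependent number of cycles on many CPUs, and x is derived
 * from the secret key during decapsulation. */
uint8_t compress4_division(uint16_t x) {
    return (uint8_t)(((((uint32_t)x << 4) + KYBER_Q / 2) / KYBER_Q) & 15);
}

/* Same function with no division: multiply by a fixed-point
 * reciprocal of q and shift. Assumes multiply and shift are
 * constant-time on the target, which holds on mainstream CPUs.
 * 80635 = floor(2^28 / q); the extra +1 over q/2 makes the
 * truncated reciprocal round exactly like the division does.
 * The product may exceed 2^32 for large x, but the wrap removes
 * a multiple of 2^32 = 16 * 2^28, which the final & 15 discards. */
uint8_t compress4_constant_time(uint16_t x) {
    uint32_t d = ((uint32_t)x << 4) + 1665;
    d *= 80635;
    d >>= 28;
    return (uint8_t)(d & 15);
}

/* Exhaustive equivalence check over the whole coefficient range:
 * returns 1 if both versions agree on every input, else 0. */
int compress4_agree_everywhere(void) {
    for (uint16_t x = 0; x < KYBER_Q; x++)
        if (compress4_division(x) != compress4_constant_time(x))
            return 0;
    return 1;
}

int main(void) {
    printf("division-free compress matches reference: %s\n",
           compress4_agree_everywhere() ? "yes" : "NO");
    return 0;
}
```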