 @3e3ce96c Just looked into this because you pointed it out and it seemed interesting. Bernstein is pointing out a math error that overestimated the strength of Kyber-512, which is in fact weaker than AES-128, but with the corrected math Kyber-768 and Kyber-1024 are still stronger than AES-128; they just come with key size trade-offs that are much worse than Kyber alternatives.

Signal has listed Kyber-1024 in their white paper, meaning they’ve already accepted the size-security trade-off to maximize security, so this shouldn’t directly affect their plans (I even checked the Wayback Machine & they listed Kyber-1024 from the start).

Regardless, this does pour cold water on PQ in general & diminishes trust in the NIST standards process, which could affect long-term support for Kyber now.

https://signal.org/docs/specifications/pqxdh/#pqxdh-parameters
 @6f64499d Thanks very much for that info - I don't have the brain to carve out cryptography nuance at the moment, so it is very appreciated.