Oddbean

@3e3ce96c Just looked into this because you pointed it out and seemed interesting. Bernstein is pointing out a math error that overestimated the strength of Kyber-512 when it is in fact weaker than AES-128, but with the corrected math Kyber-768 and Kyber-1024 are still stronger than AES-128, they just come with key size trade-offs that are much worse than Kyber alternatives Signal has listed Kyber-1024 in their white paper, meaning they’ve already accepted the size-security trade-off to maximize security, so this shouldn’t directly effect their plans (I even checked the Wayback Machine & they listed Kyber-1024 from the start) Regardless, this does pour cold water on PQ in general & diminishes trust in the NIST standards process, which could effect long-term support for Kyber now https://signal.org/docs/specifications/pqxdh/#pqxdh-parameters