by nullc
1448 days ago
The security story for lattices hasn't been very stable. Consider the graph in the Classic McEliece marketing materials, showing the exponent in the attack costs for lattice-based crypto: https://classic.mceliece.org/comparison.html

Because of communication cost considerations the lattice candidates use problems small enough that another substantial improvement in attacks could leave them vulnerable (no shock that they use small problems: if you're really not communication cost constrained use McEliece and don't worry about it).

If you do use lattice key agreement, be sure to use it in a hybrid configuration (combined with ECC like ed25519 or Curve448) to avoid the (small but hard to assess) risk that your security upgrade could actually be a security downgrade.
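The hybrid configuration recommended in the comment above, as an added example that is not part of the original post: one common way to combine an elliptic-curve shared secret with a lattice KEM shared secret is to feed both through a KDF, so the session key stays unknown unless both components are broken. The function name, the label string and the sample byte strings are assumptions made for illustration; real secrets would come from the two key exchanges.

```python
import hashlib
import hmac


def _hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so the concatenation cannot be re-split differently."""
    return len(field).to_bytes(4, "big") + field


def hybrid_session_key(ecdh_secret: bytes, lattice_secret: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from both shared secrets (hypothetical helper).

    transcript is assumed to hold the public keys and KEM ciphertext that were
    exchanged, so the key is bound to this particular handshake.
    """
    if not ecdh_secret or not lattice_secret:
        raise ValueError("both component secrets are required")
    # An all-zero X25519/X448 output means the peer sent a low-order point.
    if not any(ecdh_secret):
        raise ValueError("all-zero ECDH secret rejected")
    ikm = _lp(ecdh_secret) + _lp(lattice_secret)
    info = b"hybrid-kex-example v1" + _lp(transcript)  # label is an assumption
    return _hkdf_sha256(b"", ikm, info, length)


# Constructed stand-ins for the outputs of the two key exchanges.
ECDH_SS = hashlib.sha256(b"constructed ecdh shared secret").digest()
LATTICE_SS = hashlib.sha256(b"constructed lattice kem shared secret").digest()
TRANSCRIPT = b"constructed: client pk || server pk || kem ciphertext"

if __name__ == "__main__":
    print(hybrid_session_key(ECDH_SS, LATTICE_SS, TRANSCRIPT).hex())
```

Neither input alone determines the output, which is the property the hybrid relies on: an attacker who recovers the lattice secret still needs the elliptic-curve one, and vice versa.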