[less_less]

To expand on this: Daniel J Bernstein (of Curve25519 etc fame) has alleged that NIST and/or NSA knows a secret weakness in Kyber and therefore pushed it instead of NTRU. While the allegations are vaguely plausible -- NSA employs some very clever people, and of course they would like to interfere -- the evidence DJB put forth hasn't convinced very many other cryptographers.

There was also an incident a few months back when someone with an NSA email address suggested significant last-minute changes to Kyber on the PQC forum mailing list. These changes had a security flaw, and they were rejected. NSA might still know a different weakness, of course.

Note also that DJB's allegations focus on Kyber-512 being too weak, and this post is about Kyber-768.

[tptacek]

I don't think there's a single PQC cryptography researcher other than Bernstein himself (corrections welcome) that takes the claims he made seriously, and one of the basic mathematical arguments he made may have been refuted, two messages down in the mailing list thread, by Chris Peikert.

[less_less]

Yeah, sorry, "hasn't convinced very many other cryptographers" was probably too much of an understatement.

[client4]

I appreciate the follow-up. I read the long DJB page but never saw any follow-up; to be fair I wasn't directly looking for any. In either case it's great to know the allegations don't apply to Kyber-768 and up (and great there's a Golang implementation now!).

[less_less]

I'm sure he's alleged something about the other variants. Like a few years ago he had this theory about "S-Unit attacks" on Kyber and NewHope, but it hasn't gone anywhere.

IMHO the lattice finalists -- Kyber, Saber and NTRU -- are all basically good, each having advantages over the others but no decisive advantages, and Kyber was the community favorite. So that whole rant about NIST picking Kyber for unconvincing reasons is like ... yeah, that's just what happens when all remaining choices are fine.

There is also the issue that cryptanalysis has advanced. There haven't been any fundamental breakthroughs yet, but there have been significant optimizations. If this trend continues, Kyber-512 might become certificationally weak (i.e. it might be considered weaker than AES-128), but unless there is a deeper breakthrough, it probably will not become feasible to break it in practice. This threat is why the Kyber team recommends Kyber-768 for mainstream use. The same threat applies to Saber and NTRU, with NTRU having (IIUC) the weakest security at a given dimension, but the most freedom in choosing how many dimensions to use.