fj, to MLS French
@fj@mastodon.social avatar

Using a ternary tree instead of a binary tree in #MLS’ TreeKEM makes it possible to reduce communication costs by 10% when the ML-KEM post-quantum ciphersuite is used
#cryptography #pqc #postquantum
https://eprint.iacr.org/2024/746

fj, (edited) to random French
@fj@mastodon.social avatar

“Remarkably, these near-hypercubic lattices cover Falcon and most concrete instances of the NTRU cryptosystem:
this is the first provable result showing that breaking NTRU lattices can be reduced to finding shortest lattice vectors in halved dimension, thereby providing a positive response to a conjecture of Gama, Howgrave-Graham and Nguyen at Eurocrypt 2006.”

#PQC

https://ioc.exchange/@eprint/112312459697738509

jschauma, to random
@jschauma@mstdn.social avatar

Apple goes post-quantum crypto for iMessage, using their new "PQ3" protocol (ML-KEM / Kyber + ECDH for key exchange with periodic (PQC) rekeying):

https://security.apple.com/blog/imessage-pq3/

They also had outside experts do analyses of their new protocol:

https://security.apple.com/assets/files/Security_analysis_of_the_iMessage_PQ3_protocol_Stebila.pdf
https://security.apple.com/assets/files/A_Formal_Analysis_of_the_iMessage_PQ3_Messaging_Protocol_Basin_et_al.pdf

#cryptography #postquantum #pqc

yawnbox, to apple
@yawnbox@disobey.net avatar

iMessage quantum security arrives with iOS 17.4 - @9to5Mac

This would have been the perfect article to remind people that all of this E2EE doesn’t matter if you back up your iMessages in iCloud, where they will be backed up in clear text to Apple/NSA, unless both parties turn on Advanced Data Protection

https://9to5mac.com/2024/02/21/imessage-quantum-security-ios-17-4/

fj, to random
@fj@mastodon.social avatar

Recursive SNARKs go post-quantum:
“we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK.”

LatticeFold supports low-degree relations (R1CS) as well as high-degree relations (CCS) and is considered as performant as Hypernova but with post-quantum security.

https://eprint.iacr.org/2024/257

#PQC #ZeroKnowledgeProofs #ZKPs #Cryptography

fj, to random
@fj@mastodon.social avatar

Neat to see some analysis of #Kyber under a kleptographic threat model in which the attacker can subvert the user's code to compromise security while remaining undetectable.

Three attacks are presented in the paper targeting the implicit rejection of Kyber.

https://eprint.iacr.org/2024/260
#PQC

fj, (edited) to random
@fj@mastodon.social avatar

.@bsi + French ANSSI + NLNCSA + Swedish NCSA: #QKD can only be used in very niche use cases. Priority is to migrate to Post-Quantum Cryptography.
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Crypto/Quantum_Positionspapier.html

EU Commission: Let's invest in QKD / Quantum Cryptography for “Economic Security”

#Quantum #Cryptography #PQC

testssl, to random German

Taking the semantics of numbers into account when doing math operations. Adding vs. multiplying costs. #kyber

https://blog.cr.yp.to/20231003-countcorrectly.html

#pqc #ntru

dangoodin, to random

Yesterday, Daniel J. Bernstein published a paper alleging that Kyber-512, an encryption algorithm selected as a NIST post-quantum contender, wasn't nearly as secure as its stewards say. The gist is that NIST either intentionally or unintentionally made basic math errors that inflated its security level and has spent the rest of the time since covering up the problem.

The post is 17,000 words long! Has anyone read it and if so, can you send me the cliff notes?

https://blog.cr.yp.to/20231003-countcorrectly.html

patrick_townsend,

@dangoodin @djb

I have read the entire piece (I am not an academic cryptographer) and my take is this:

As I understand DJB's critique, there are problems with many aspects of the NIST PQC process and analysis in relation to selecting the Kyber-512 (and other) encryption methods. These include how the level of security is assessed, how NIST proceeded through the review process, the apparent lack of openness and transparency of the NIST process, the involvement of agencies outside of NIST, and other issues.

These are critical points. Just taking openness and transparency as a starting point: this is critical to the acceptance and ongoing security of any cryptographic protocol. NIST sets standards for US agencies, but these standards are taken up by non-US agencies and trusted by the private sector. These standards focus the attention of the wider cryptographic and security community, which helps ensure ongoing reliability and security of the encryption methods. Standardized methods get embedded in long-lasting commercial solutions. It is hard to overestimate the impact in just this one area.

Any professional in the security industry would welcome sincere critiques of their work. This is the sometimes uncomfortable way that we get better at what we do. DJB is doing critical work in this regard.

NIST should not waste time in addressing these concerns in an open and transparent way. Hopefully this will lead to productive debate around these issues. And really, the nature of the participation of the NSA should also be transparent. There is enough history and baggage in this area to warrant full disclosure.

We all owe a debt of gratitude to the cryptographers who help keep us safe. We owe it to them to get this right.

My 2 cents.

#Encryption #Security #PQC

osma, to random
@osma@mas.to avatar

While other messengers like Matrix/Element have only recently rolled out E2EE at all, Telegram keeps pretending that encrypting only some comms, and those with proprietary algorithms, is enough, and others like Mastodon don't even try, Signal is now rolling out post-quantum cryptography with an upgrade to what they call PQXDH.

Now the rest of us would just have to trust that this time, NIST specs haven't been spiked with backdoors...

https://signal.org/blog/pqxdh/

osma,
@osma@mas.to avatar

I guess my idle suspicion regarding post-quantum cryptographic algorithm standards wasn't entirely idle, after all...

https://www.newscientist.com/article/2396510-mathematician-warns-us-spies-may-be-weakening-next-gen-encryption/
