Kagi.com generated summary of https://blog.cr.yp.to/20231003-countcorrectly.html

Kyber-512.md

• There is debate around whether Kyber-512 provides adequate security compared to the AES-128 benchmark. NIST claims it meets this level factoring in memory access costs, but others argue the analysis is uncertain.

• NIST's analysis added 40 bits of estimated security to Kyber-512's post-quantum security level due to memory costs, bringing it above the AES-128 threshold. Critics question this calculation.

• NTRU provides greater flexibility than Kyber in supporting a wider range of security levels. At some levels it also has better performance and security than Kyber options.

• The security of lattice-based cryptosystems like Kyber and NTRU is not fully understood, and there is a risk of better attacks being discovered in the future.

• Standardizing a system like Kyber-512 that may have limited security margin could be reckless given lattice cryptanalysis uncertainties.

• Critics argue NIST has not clearly explained its security evaluations and claims about Kyber-512's margin above AES-128.

• Memory access costs are important to lattice security but are not fully quantified in their impact on Kyber versus classical attacks on AES.

• Removing Kyber-512 could make NTRU the strongest candidate given its flexibility at multiple security levels.

• One paper argued multi-ciphertext attacks on Kyber may be as difficult as single-ciphertext attacks.

• There are calls for NIST to be transparent about its analysis and decision making regarding Kyber-512.