Professor Máire O'Neill
Director, UK Research Institute in Secure Hardware and Embedded Systems (RISE)
Centre for Secure Information Technologies (CSIT)
Queen's University Belfast
Queens Road, Queens Island
Belfast BT3 9DT
Email: m.on...@ecit.qub.ac.uk
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
Visit this group at https://groups.google.com/a/list.nist.gov/group/pqc-forum/.
Hi,
First, thank you so much for doing this. I’m sure the community (and those of us at NIST too) will find it very helpful.
Second, I think you’ve made a mistake in categorization of Ramstake. It uses Reed-Solomon codes for error correction, but you can’t really say it’s based on Reed-Solomon codes.
As to what it is based on, (at least in our view, everyone can feel free to differ), you can either go with “new problem” category that also includes Mersenne-756839, or you can fit them both into the lattice-based cryptography paradigm where everything takes place modulo a Mersenne prime instead of modulo (R_q), and where “shortness” is in terms of the binary representation of an element having low Hamming weight instead of the coefficient vector having small L_2 norm (or canonical embedding, although I don’t think any submissions did anything fancy there).
In particular, Ramstake can basically be viewed as “primal Regev” under this paradigm and Mersenne-756839 can be viewed as NTRU under this paradigm.
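As an added illustration of the paradigm described in the message above (example code, not from the thread or from either submission): arithmetic modulo a toy Mersenne prime p = 2^127 - 1, where "short" means low Hamming weight of the binary representation, plus a check that sums and products of short elements stay short, which is the property that lets them play the role of small-norm lattice vectors. The exponent 127 and the sparsity weight are assumptions chosen so it runs quickly; the name Mersenne-756839 indicates the real exponent.

```python
# Added example: "shortness" as low Hamming weight modulo a Mersenne prime.
# Toy parameters (assumed): n = 127, so p = 2^127 - 1 is a Mersenne prime.
import random

N = 127
P = (1 << N) - 1


def hamming_weight(x: int) -> int:
    """Number of one bits in the binary representation of x."""
    return bin(x).count("1")


def reduce_mersenne(x: int) -> int:
    """Reduce a non-negative integer modulo p = 2^N - 1 with shifts and adds:
    2^N == 1 (mod p), so bits above position N fold back onto the low bits."""
    while x >> N:
        x = (x & P) + (x >> N)
    return 0 if x == P else x


def random_sparse(weight: int, rng: random.Random) -> int:
    """A 'short' element: an N-bit value with exactly `weight` one bits."""
    return sum(1 << i for i in rng.sample(range(N), weight))


def add_mod(a: int, b: int) -> int:
    return reduce_mersenne(a + b)


def mul_mod(a: int, b: int) -> int:
    # Multiplying by 2^i mod p is a cyclic rotation of the N-bit word, so a*b
    # mod p is a sum of wt(a) rotated copies of b.
    return reduce_mersenne(a * b)


def weight_bounds_hold(a: int, b: int) -> bool:
    """Analogue of 'small times small is small' from the lattice setting:
    wt(a+b) <= wt(a)+wt(b) and wt(a*b) <= wt(a)*wt(b), both taken mod p."""
    wa, wb = hamming_weight(a), hamming_weight(b)
    return (hamming_weight(add_mod(a, b)) <= wa + wb
            and hamming_weight(mul_mod(a, b)) <= wa * wb)


def demo(trials: int = 200, weight: int = 8, seed: int = 1) -> bool:
    """Check the bounds on random sparse pairs (constructed sample input)."""
    rng = random.Random(seed)
    return all(weight_bounds_hold(random_sparse(weight, rng),
                                  random_sparse(weight, rng))
               for _ in range(trials))
```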
Hello,
Just a spectator here, from the penetration testing background with an interest in crypto. Does this mean that you have already fully vetted some of the candidates and chosen some and have thus placed them in the safecrypto category? I thought there was another round and that some of them were still under investigation?
Thanks,
Kenny
From: Maire O'Neill [mailto:m.on...@ecit.qub.ac.uk]
Sent: Wednesday, February 14, 2018 6:13 AM
To: pqc-...@list.nist.gov
Subject: [pqc-forum] NIST Candidate Information with responsive charts
We've put together a 'Post Quantum Cryptography Lounge' at: https://www.safecrypto.eu/pqclounge/
--
Professor Máire O'Neill
Director, UK Research Institute in Secure Hardware and Embedded Systems (RISE)
Centre for Secure Information Technologies (CSIT)
ECIT
Queen's University Belfast
Queens Road, Queens Island
Belfast BT3 9DT
I have made some graphs based on the data published so far about the security and efficiency of LWE-based schemes and NTRU-based schemes.
Hello everyone,

It would be interesting to combine this data with estimate-all-the-{LWE,NTRU} to get a picture of the tradeoff between bandwidth and security (very roughly estimated according to various attack models).

I took a look at the two data sources today, and I tried to pick out the most efficient schemes. The ones I found were, roughly in descending order of efficiency,

LAC: PLWE, weighted ternary noise, many-error-correcting code
Saber: MLWR, centered binomial noise
ThreeBears: I-MLWE, weighted ternary noise, 2-error-correcting code
Round2: RLWR, Hamming ternary noise
Kyber: RLWE, centered binomial noise
KCL: RLWE, discrete Gaussian noise, 1-error-correcting code or E8 lattice code

I might well have missed something in this rough assessment, but it was at least reasonably stable across size metrics (ct+pk or just ct) and attack metrics.

It would also be interesting to compare speed vs estimated security, but we can’t really make a fair comparison yet — we would need optimized code for all the submissions, and a SUPERCOP run on a wide array of hardware. ThreeBears does very well in the pqclounge data, but I don’t think it would top the charts if everything were vectorized and tuned.
On Feb 15, 2018, at 7:40 AM, Todd Arnold wrote:
Aha! Rene Peralta also pointed out that if you scroll down the https://www.safecrypto.eu/pqclounge/ pages far enough, you see a horizontal scroll bar that lets you get to additional columns on the right. The information I was after is in those columns. Thanks, Rene!