In response to Dan Bernstein's FOIA request, here's some slides.


daniel.apon
Sep 1, 2020, 7:11:44 PM
to pqc-forum
This was a talk given to the University of Maryland Crypto Reading Group on Friday, August 28, 2020 at 1pm Eastern time over a Zoom chat.

https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST  

Best,
--Daniel Apon

daniel.apon
Sep 1, 2020, 7:44:58 PM
to pqc-forum, daniel.apon
Dear Dan,

I may give further talks in the future.

Best,
--Daniel

daniel.apon
Sep 5, 2020, 4:30:57 PM
to pqc-forum
Hi all,

Errata for these slides (as of September 5, 2020):

1. Slide 31/57 (slide title: "5) LUOV") -- At the bottom of the slide, see reference to Ding, et al. (CRYPTO20 paper). In fact, the earlier subfield differential attack paper (at the top of the slide) is the CRYPTO20 paper, whereas the "210 minutes" paper is a separate ePrint-preprint draft.

2. Slide 51/57 (slide title: "2) BIKE decoding analysis") -- At the bottom of the slide, the comparison here between HQC vs BIKE is not intended to be speed. In fact, HQC is larger, BIKE is smaller (around a factor of 2; see ciphertexts of the schemes when implemented, etc).

3. Slide 53/57 (slide title: "4) CoreSVP vs real-world security") -- Saber (as of Round 2) is indeed significantly closer to 125 CoreSVP than 125 bits in security strength. For the very precise reader, this changes the relative ordering of the concrete security of a subset of various Finalists (as of Round 2) as expressed in these slides. (Note that the original ordering on the slides in fact matches this note.) Also, the Saber team mentions that, for Round 3, they are continuing work to debug various aspects of the underlying LWE SVP Estimator software.

Cheers,
--Daniel