[This is an official comment regarding all of the lattice KEMs, but to
avoid repetition is being filed just once.]
The attached document "Risks of lattice KEMs" (also available from
https://ntruprime.cr.yp.to/warnings.html)
* surveys recent attack advances;
* classifies ongoing risks, fully defining the risk table shown in
https://ntruprime.cr.yp.to/warnings.html;
* reviews incorrect claims that proofs control these risks;
* analyzes performance, since performance issues can exacerbate
security risks; and
* compares the KEMs according to the official NISTPQC evaluation
criteria.
The document is authored by the NTRU Prime Risk-Management Team and is
hereby added to the NTRU Prime submission. The document has the
following abstract:
Lattice-based KEMs under consideration within the NIST Post-Quantum
Cryptography Standardization Project (NISTPQC) are much more risky
than commonly acknowledged. In applications where performance
constraints force the use of a lattice-based KEM, the least risky
option available is NTRU Prime, specifically Streamlined NTRU Prime
(sntrup) at the largest size that fits those performance constraints.
---Dan