some_furry an hour ago
The international standardization effort that led to ML-KEM and ML-DSA focused both on classical attacks (regular computers) and quantum attacks. There were 5 levels being considered for each submission.

Level 1 - at least as difficult to attack as AES-128 (block cipher)
Level 2 - at least as difficult to attack as SHA-256 (hash function)
Level 3 - at least as difficult to attack as AES-192 (block cipher)
Level 4 - at least as difficult to attack as SHA-384 (hash function)
Level 5 - at least as difficult to attack as AES-256 (block cipher)

The security of attacking an N-bit block cipher is morally congruent to a birthday collision against a {2N}-bit hash function. With some caveats: https://soatok.blog/2024/07/01/blowing-out-the-candles-on-th...

ML-DSA-44 (smallest parameter set) targets Level 2 for signatures. ML-KEM-768 targets Level 3 for KEMs.