| ▲ | mswphd 21 hours ago | |||||||
NTRU based schemes are not the most conservative. NTRU is an old design from the 90s, that had some shocking structural attacks against it appear ~2016. These attacks so far are only relevant for moduli q ~ (1/100) n^{2.3...}. This makes them worse than conventional attacks against NTRU-based PKE. But they completely killed roughly half of all NTRU-based fully homomorphic encryption schemes, and are a (major) structural issue with NTRU that RLWE/MLWE does not have. In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative. The only major attacks on lattice-based schemes since his proposal have been on the hardness assumption his scheme uses. I would personally suggest this means that Bernstein is not an accurate predictor of the security of lattice-based schemes. So far his track record (with this notable example, but also many others) is remarkably bad. | ||||||||
| ▲ | tptacek 20 hours ago | parent | next [-] | |||||||
The general C.W. I've heard is that if something happened that made MLKEM look theoretically shaky (pretty unlikely, but whatever), you fall back to something like FrodoKEM, which is plain LWE with no affordance for NTT or anything like it; no structure, no performance. | ||||||||
| ||||||||
| ▲ | nullc 17 hours ago | parent | prev [-] | |||||||
> In other words, Bernstein proposed a NTRU-based scheme under his theory it was the most conservative. This is in fact that what I meant, and should have said: thanks. | ||||||||