| ▲ | tptacek 20 hours ago | |
The general C.W. I've heard is that if something happened that made MLKEM look theoretically shaky (pretty unlikely, but whatever), you fall back to something like FrodoKEM, which is plain LWE with no affordance for NTT or anything like it; no structure, no performance. | ||
| ▲ | mswphd 18 hours ago | parent [-] | |
It really depends on what the precise details of the attack look like. 1. algebraic structure: sure use frodoKEM 2. error rates smaller than those required for worst-case to average-case reductions: idk bump error rates 3. some coding theorist ruins everyone's fun and has linear time decoding for p-ary construction A codes: probably drink a lot idk fortunately there haven't been any "incremental" attacks in any of these directions, so it is really more an academic discussion. Also note the primary issue with FrodoKEM isn't performance (though that is definitely worse), but size. My impression from the following https://blog.cloudflare.com/sizing-up-post-quantum-signature... https://blog.cloudflare.com/making-protocols-post-quantum/ was that TLS w/ FrodoKEM might have some undesirable performance characteristics, though that isn't directly stated in the articles. Iirc TLS w/ FrodoKEM | ||