[Pqc] Re: [Ext] [cfrg] China has just released "Announcement on Launching the Next-generation Commercial Cryptographic Algorithms Program (NGCC)"

"D. J. Bernstein" <djb@cr.yp.to> Wed, 12 February 2025 21:45 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45762C1D6FB3 for <pqc@ietfa.amsl.com>; Wed, 12 Feb 2025 13:45:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Level:
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35Jdj6aI7Ok3 for <pqc@ietfa.amsl.com>; Wed, 12 Feb 2025 13:45:35 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 3E53AC1D6FBB for <pqc@ietf.org>; Wed, 12 Feb 2025 13:45:34 -0800 (PST)
Received: (qmail 23313 invoked by uid 1010); 12 Feb 2025 21:45:33 -0000
Received: from unknown (unknown) by unknown with QMTP; 12 Feb 2025 21:45:33 -0000
Received: (qmail 67324 invoked by uid 1000); 12 Feb 2025 21:45:22 -0000
Date: Wed, 12 Feb 2025 21:45:22 -0000
Message-ID: <20250212214522.67322.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: pqc@ietf.org
Mail-Followup-To: pqc@ietf.org
In-Reply-To: <BN0P110MB14191DA2D115D4B4C0AE07F490FCA@BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM>
Message-ID-Hash: I4AFXKLIDLKGLJUSLXRNWQW5FQSFI4BH
X-Message-ID-Hash: I4AFXKLIDLKGLJUSLXRNWQW5FQSFI4BH
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Pqc] Re: [Ext] [cfrg] China has just released "Announcement on Launching the Next-generation Commercial Cryptographic Algorithms Program (NGCC)"
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/TXXVSLQsaSyHisFLbOUYroihwuc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Owner: <mailto:pqc-owner@ietf.org>
List-Post: <mailto:pqc@ietf.org>
List-Subscribe: <mailto:pqc-join@ietf.org>
List-Unsubscribe: <mailto:pqc-leave@ietf.org>

Blumenthal, Uri - 0553 - MITLL writes:
> I find it hard to believe that this NICCS competition would result in
> an algorithm as secure as, e.g., Classic McEliece, or as efficient as,
> e.g., ML-KEM.

There are already various lattice proposals that are more efficient than
Kyber-512. See my posting

    https://mailarchive.ietf.org/arch/msg/tls/fjGGsHH0b9DOTqU710gN5PKfDJk/

for cost quantification for two examples. In short, BAT-512 costs less
than Kyber-512 as soon as a key is used a few dozen times, and smaugt1
costs less than Kyber-512 even if a key is used just once.

I should emphasize that BAT-512, smaugt1, Kyber-512, and various other
lattice proposals are bleeding-edge proposals. Lattice cryptanalysis is
unstable, and further breaks will be unsurprising. Of course, one hopes
that the cliff will stop crumbling at some point, and _maybe_ that point
will happen to be with Kyber-512 or Kyber-768 or Kyber-1024 standing
exactly at the edge while every lower-cost proposal has been broken.

---D. J. Bernstein