crossbario / crossbar

Crossbar.io - WAMP application router
https://crossbar.io/

Add post-quantum crypto (X25519Kyber768) to WAMP authentication (and generally) #2099

Open oberstet opened 9 months ago

oberstet commented 9 months ago

currently, we only support (and set by default) curve25519 / ed25519. adding kyber would make sense:

https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.html
https://blog.cloudflare.com/post-quantum-to-origins/
https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
https://asecuritysite.com/pqc/circl_hybrid

oberstet commented 9 months ago

maybe Kyber, maybe not (and then, Dilithium, FALCON or SPHINCS+):

"I am thus deeply sceptical of claims that Kyber-{512,768,1024} are as hard to break as AES-{128,192,256} by known attacks, never mind the risks from future attacks. I recommend that NIST withdraw those claims. Furthermore, given the considerable risk of Kyber-512 being weaker than AES-128, I recommend terminating the standardization of Kyber-512"

-- D. J. Bernstein

https://medium.com/asecuritysite-when-bob-met-alice/the-inability-to-count-correctly-d1f07741e7e7