List security strength of each composite

[ounsworth]

From the LAMPS mail list:

Hi Piotr,

“In addition, it might be appropriate to add a column, for example, in Table 6 (or even better, in a new table in Section 11.1) indicating the "overall" Security strength, which would take into account the weakest element.”

While I agree that this will be useful to a reader, I think that coming up with a single “overall security strength” for a composite will be difficult. For example, are you considering before or after your adversary has a CRQC? Perhaps the best we could do is to have two columns for “Classical security” and “PQ Security” and list different numbers in each column. Is this worth doing?

[johngray-dev]

It is hard to quantify the overall strength at any given point it time, because it changes based on cryptanalysis. Therefore, we don't think this table would add value. We have added a strong security considerations section that talks about the strength of the algorithms in terms of their underlying notions.