> The addition of NTRU Prime for PQC is a little premature, because a new paper just came out which showed that many LWE schemes are weaker than was previously thought. The paper admits that it is not directly applicable to NTRU (which is not an LWE scheme), but it might be adaptable to it.
> > NTRU-based cryptosystems are among the leading candidates for lattice-based post-quantum cryptography. In this work, we propose improvements to the dual attack on LWE, and as such our attack is not immediately applicable to NTRU-based cryptosystems. It is an interesting question whether ideas from this work can be adapted to similar improvements to attacks on NTRU. Specifically, there appear to be similarities between the dual attack on LWE and the so-called “hybrid attack” [How07, Wun16] on NTRU. The hybrid attack also involves enumerating over parts of the secret, and then invoking some distinguisher to determine whether a resulting vector is close to a certain constant lattice. It seems reasonable to the writers of this paper that ideas similar to those presented here can be used to reduce the running time of such attacks as well, though anything definitive would of course require further research.
It's pretty easy for openssh to change kex ciphers-- they're not used for persistent keys, and they're negotiated every session.
How many more years should it go with no attempt at resisting future decryption by quantum computers, just for the sake of potentially keeping the surface of legacy ciphers that would need to be carried around one entry shorter, should it become necessary to replace this cipher?
I think instead, it could be easily argued that it was long past due: it could have been deployed several years ago.
The security story for lattice crypto will probably remain dubious for the foreseeable future (unless it gets converted to outright broken). But on desktop computers and servers lattice crypto is so cheap that most applications can just throw it in just in case. Unfortunately, the obvious alternatives like code-based crypto have operating costs that make them harder to justify on a just-in-case basis.
I should also comment that even someone who believes QCs will never be a threat should be enthusiastic about this change: now an attacker who has logged SSH sessions will need to break both Ed25519 and Streamlined NTRU Prime. Even if you believe we'll never see a QC large enough to break Ed25519, you can't deny that we might someday find a classical way to break Ed25519.
For authentication keys we can rotate them out when Ed25519 looks at risk, but logged data is forever. Protecting against that by using two very different asymmetric schemes seems well justified, especially when the cost is likely to be completely invisible to the user.
Reasonable people could have a debate about how far to go -- e.g. I think low-volume applications like email encryption should be using Ed448+McEliece, but I seem to be alone there -- but just having N+1 security for the key exchange's underlying assumption seems very defensible to me.
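Since the comment above rests on the key exchange being renegotiated per session and cheap to change, here is an added example (not part of the thread and not OpenSSH's own code) of how an admin checks and pins it. It assumes the OpenSSH 9.0 algorithm name `sntrup761x25519-sha512@openssh.com`, that `ssh -Q kex` lists supported key exchange algorithms one per line, and that `ssh -v` prints the negotiated one as `debug1: kex: algorithm: ...`; the KEX list and log excerpt embedded below are constructed samples standing in for live command output.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH itself. Checks whether a
# client's supported KEX list and a session's verbose log show the hybrid
# post-quantum exchange, and emits the config line that pins it first.
# Assumed algorithm name as shipped in OpenSSH 9.0; samples are constructed.

PQ_KEX='sntrup761x25519-sha512@openssh.com'

# has_pq_kex: read a KEX list on stdin (one name per line, as `ssh -Q kex`
# prints); succeed only if the hybrid algorithm is present as a whole line.
has_pq_kex() {
    grep -qx "$PQ_KEX"
}

# session_kex: extract the negotiated KEX from `ssh -v` output on stdin.
session_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# pq_config_line: sshd_config/ssh_config line that prefers the hybrid and
# keeps curve25519 as fallback for peers that lack it (the one extra legacy
# entry the thread talks about carrying around).
pq_config_line() {
    printf 'KexAlgorithms %s,curve25519-sha256,curve25519-sha256@libssh.org\n' "$PQ_KEX"
}

# Constructed sample of `ssh -Q kex` output from a 9.0-era client.
SAMPLE_KEX_LIST='sntrup761x25519-sha512@openssh.com
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group14-sha256'

# Constructed sample of `ssh -v` output for one session.
SAMPLE_SSH_LOG='debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'

if printf '%s\n' "$SAMPLE_KEX_LIST" | has_pq_kex; then
    echo "client supports $PQ_KEX"
else
    echo "client lacks $PQ_KEX; upgrade before pinning it"
fi
echo "negotiated this session: $(printf '%s\n' "$SAMPLE_SSH_LOG" | session_kex)"
pq_config_line
```

On a real host, replace the samples with `ssh -Q kex | has_pq_kex` and `ssh -v user@host exit 2>&1 | session_kex`; because the algorithm is negotiated fresh each connection, the config line takes effect for the next session with no key rotation needed, which is exactly the property the comment relies on.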
https://lwn.net/Articles/890788/
> The addition of NTRU Prime for PQC is a little premature, because a new paper just came out which showed that many LWE schemes are weaker than was previously thought. The paper admits that it is not directly applicable to NTRU (which is not an LWE scheme), but it might be adaptable to it.
> https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4c...
> https://doi.org/10.5281/zenodo.6412487
> > NTRU-based cryptosystems are among the leading candidates for lattice-based post-quantum cryptography. In this work, we propose improvements to the dual attack on LWE, and as such our attack is not immediately applicable to NTRU-based cryptosystems. It is an interesting question whether ideas from this work can be adapted to similar improvements to attacks on NTRU. Specifically, there appear to be similarities between the dual attack on LWE and the so-called “hybrid attack” [How07, Wun16] on NTRU. The hybrid attack also involves enumerating over parts of the secret, and then invoking some distinguisher to determine whether a resulting vector is close to a certain constant lattice. It seems reasonable to the writers of this paper that ideas similar to those presented here can be used to reduce the running time of such attacks as well, though anything definitive would of course require further research.