[noise] Noise HFS Kyber question

Peter Schwabe peter at cryptojedi.org
Sat Feb 2 22:58:20 PST 2019


dawuud <dawuud at riseup.net> wrote:
> 
> Hi Peter, Rhys and the noise mailing list,

Hi David, hi all,

> I just got Rhys's Noise HFS Kyber extension to work on our port of the
> flynn golang Noise library:
> https://github.com/katzenpost/noise/tree/kyber.0
> 
> My question is why did you choose to use Kyber768 instead of
> Kyber1024?  Maybe this is a question for Peter Schwabe: How do these
> (Kyber768 and Kyber1024) compare with the safety margins of NewHope
> Simple?
> 
> The reason I'm asking is because the Katzenpost
> (https://github.com/katzenpost) Noise based link layer currently uses
> NewHope Simple with XX in HFS mode and I'd like to use Kyber with
> parameters that will give a comparable security margin.

The parameter set of Kyber that is closest in terms of security to
NewHope-1024 is indeed Kyber-1024. For Kyber we recommend the 768
parameter set as "default", because we believe that it offers the best
tradeoffs between conservative security margins and performance (in
particular in terms of ciphertext and public-key sizes). For NewHope,
there is no parameter set between 512 and 1024, so the recommendation is
to stay on the safe side and go with 1024.

Does that help?

Cheers,

Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20190203/afd7dca3/attachment.sig>


More information about the Noise mailing list