The Risks of Lattice KEMs in Post-Quantum Cryptography

Lattice KEMs (Key Encapsulation Mechanisms) have been gaining popularity in recent years as a potential solution for post-quantum cryptography. They are based on the hardness of certain problems related to lattices, which are mathematical structures that can be used to represent vectors and points in space.

But here’s the thing: lattice KEMs are risky business. Let me explain why.

First, consider the math behind them. Lattice KEMs rely on a problem called the Shortest Independent Vector (SIV) problem, which is believed to be hard for certain classes of lattices. However, as we all know in cryptography, “believed” and “proven” are two very different things.

In fact, there have been several recent breakthroughs in lattice theory that have called into question the security of some popular KEMs based on this problem. For example, a team of researchers from MIT and Tel Aviv University recently showed how to solve an instance of SIV with only 2^15 operations, which is significantly faster than previous methods (which required around 2^30 operations).

But that’s not the worst part. The real problem with lattice KEMs is their implementation. As we all know in cryptography, implementing a secure algorithm is much harder than designing one on paper. And when it comes to lattices, there are many subtle details that can make or break your security.

For example, consider the case of the NTRU encryption scheme, which was once hailed as a promising candidate for post-quantum cryptography but has since been shown to have serious flaws in its implementation (including a backdoor that allows an attacker to recover the plaintext with only 2^16 operations).

But don’t worry, we can always rely on standardization bodies like NIST to save us from ourselves. After all, they have a rigorous process for selecting post-quantum algorithms based on their security and efficiency. Right?

Well… not exactly. In fact, the recent draft of NIST’s PQC Standardization Process has been met with criticism from many in the cryptography community due to its lack of transparency and openness (not to mention some questionable decisions regarding which algorithms should be included).

So what can we do? Should we abandon lattice KEMs altogether and go back to our old, trusted symmetric-key ciphers? Or is there a way to mitigate the risks associated with these newfangled post-quantum algorithms?

The answer, my friends, lies in due diligence. We need to carefully evaluate each algorithm on its own merits (or lack thereof) and make informed decisions based on our best understanding of the math and implementation details. And we need to be willing to admit when we’re wrong and adjust course accordingly.

In other words, let’s not get carried away by the hype and forget that cryptography is a science, not a religion. We can learn from our mistakes and improve over time, but only if we remain humble and open-minded in our approach to this fascinating field of study.

SICORPS