frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Open in hackernews

Debunking NIST's calculation of the Kyber-512 security level (2023)

https://blog.cr.yp.to/20231003-countcorrectly.html
36•RA2lover•2d ago

Comments

perching_aix•2d ago
That's pretty messed up, guess that's another sombering fact to the pile. I'd have expected that serious security stuff always involves mechanized math proofs every step of the way, making such silly mischaracterizations impossible. Not a fun thing to learn that this is not what happens.
I_dream_of_Geni•2d ago
Not only messed up, but I am guessing that there are either politics involved (personal gain, friends of friends, etc), or somebody paid somebody to push Kyber over NTRU. Which is difficult or impossible to prove, ESPECIALLY if that "person" is senator or "other". (Since I failed civics, I have no idea what forces are involved in something like this, but it all sounds really fishy).
drob518•4h ago
Senators can’t even spell crypto.
kragen•3h ago
Historically the NSA has sabotaged public cryptography standards so that it could crack them, while adversaries hopefully couldn't. It pays its employees to do this. It seems plausible that that's what's going on here, but even if so, whether that's because they know of a fatal weakness in NTRU they fear adversaries will exploit, or know of one in Kyber that they hope to exploit themselves, is anybody's guess.
bigfatkitten•34m ago
NSA makes public their own policy for national security systems.

https://media.defense.gov/2025/May/30/2003728741/-1/-1/0/CSA...

If the U.S. Government is willing to bet the SECRET-and-above farm on particular cryptography standards and implementations, it’s probably safe for you to use them too.

wahern•1d ago
This stood out to me:

> For comparison, Bitcoin mining did only about 2^111 bit operations in 2022. ("Only"!)

Anyone have a source for this? Google results suggest in 2022 Bitcoin miners reached ~209 quintillion hashes (209 exahashes) per second. I don't know how many bit operations SHA-1 takes, but dividing 2^111 by 209 * 10^18 * 86400 * 365 gives 393891, which doesn't sound unreasonable for number of bit operations per SHA-1 hash.

Basically, it's fascinating that global compute is reaching those kinds of numbers. Even more fascinating is that it's just Bitcoin mining, so global total computations must be some multiple of that (3x? 10x? 100x?). These are numbers once considered (still considered?) unfathomable, let alone a quantity applicable to human endeavor. And that's 2022. Today the Bitcoin hash rate is 4.5x greater.

kragen•3h ago
It's hard to know what to count as "global compute". How many bit operations do we count for the clock propagation across your CPU? Two for each clock cycle per buffer? Even though the bit operation is just identity, or do we omit that? Does it change if you use inverting buffers, since NOT is a nontrivial operation? Did you know that in CMOS a normal buffer is made out of two inverters? Can you do twice as many bit operations just by using buffers that are half as big, so that you have to use twice as many? How about DRAM destructive read and refresh cycles? Do you count the bit operations in the TLB CAM and the caches to test if entries are already present? Then going to a higher associativity, like from two-way to four-way, doubles the bit operation count.

For power consumption I think the answer to all of these is "yes", except for the one where you split the clock buffers in half.

How about DNA replication in bacterial cells? Is that two bit operations per base? My pot of yogurt is 4 kg of mostly Lactobacillus casei, with a genome of about 2 million base pairs, 4 megabits, and a generation time of about 30 minutes, 2 kilobits per second of reproductive copying per bacterium, plus presumably a much higher transcription rate into mRNA. Each bacterium is about 5 cubic microns, so there are about 10¹⁴ bacteria in the pot, so about 10¹⁷ bit operations per second for reproduction, and maybe 10¹⁹ for mRNA, wildly guessing. That would make the pot of yogurt millions of times more computationally powerful than my CPU, though only for a few hours. Fortunately, the bacteria are more energy-efficient than AMD, or the yogurt would be exploding.

But none of those operations can be used directly for cracking a key, because they aren't programmable. What the paper says is sensible, because it's comparing two things that are very much alike. Even though you can't use Bitcoin mining ASICs for key cracking, you can build very similar key cracking ASICs for a very similar cost and energy consumption. But things get very vague when you start trying to quantify all compute.

pbsd•3h ago
This circuit [1] puts it at <=135k bit operations. Bitcoin uses SHA-256, not SHA-1.

[1] https://nigelsmart.github.io/MPC-Circuits/sha256.txt

nullc•24m ago
Bitcoin's proof of work uses SHA-256(SHA-256(x)). Combining that with your figures reduces the differences to well within minutia of how you count bit operations and exactly which tradeoff the circuits make.
omoikane•4h ago
Previously:

https://news.ycombinator.com/item?id=37756656 - Debunking NIST's calculation of the Kyber-512 security level (2023-10-03, 201 comments)

ggm•3h ago
You would expect a decent rebuttal if wrong, and an acknowledgement if correct.

I'm not aware of either. I'd love to know if NIST has formally accepted their arithmetic flaw. It's possible they did, and believe they are north of need supporting Kyber-512 irrespective.

zzo38computer•50m ago
I can see they say many problems with what NIST is doing. One question is: Does someone bribe (or otherwise coerce) them? If so, is that why they are being deceptive, and why they would not respond to (or explain) some things?

If a system has parameters, another issue is whether or not a different implementation is required due to the parameters being different. There are some reasons why a separate implementation might be desirable anyways in some cases, but sometimes it would be possible to change the parameters at run time.

Another consideration is patents; they should not recommend patented or secret algorithms. Cryptanalysis will be difficult if the specification is not freely available to anyone who wants to read it, and implementation can be a problem if patent licensing is required. Wikipedia says that NTRU is patented but "Security Innovation exempted open-source projects from having to get a patent license"; that might be good enough.

Wikipedia also says that Kyber is a key encapsulation mechanism but NTRU is a public key cryptosystem, so they would not be the same kind of things, anyways. However, you could also use a public key cryptosystem like a key encapsulation mechanism if you have another method of making up a key securely at random. But, Wikipedia says "it is easier to design and analyze a secure KEM than to design a secure public-key encryption scheme as a basis" (I do not know the details of the quoted part to judge this, but the unquoted part seems obvious to me).

Another alternative might be using multiple algorithms with independent keys (to be secure, the keys will have to be independent; however, you might have to be careful that they really will be independent), e.g. by using Kyber first and then encrypting the result with NTRU. But, that depends on what your requirements are.

As another comments (https://news.ycombinator.com/item?id=37756656) had mention, they may have different requirements than yours, such as hardware, so that is another issue.

None of that is an excuse for what NIST seems to be doing though (according to the article); they are additional concerns than those ones.

TPU (Tensor Processing Unit) Deep Dive

https://henryhmko.github.io/posts/tpu/tpu.html
104•transpute•4h ago•6 comments

Sound As Pure Form: Music Language Inspired by Supercollider, APL, and Forth

https://github.com/lfnoise/sapf
64•mindcrime•4h ago•17 comments

P-Hacking in Startups

https://briefer.cloud/blog/posts/p-hacking/
132•thaisstein•3d ago•60 comments

LaborBerlin: State-of-the-Art 16mm Projector

https://www.filmlabs.org/wiki/en/meetings_projects/spectral/laborberlin16mmprojector/start
167•audionerd•10h ago•33 comments

The bad boy of bar charts: William Playfair (2023)

https://blog.engora.com/2023/05/the-bad-boy-of-bar-charts-william.html
46•bryanrasmussen•3d ago•5 comments

Remote MCP Support in Claude Code

https://www.anthropic.com/news/claude-code-remote-mcp?campaignId=13926158&source=i_email&medium=email&content=Oct2024AnalysisTool&messageTypeId=140367
23•surprisetalk•3d ago•4 comments

Denmark's Archaeology Experiment Is Paying Off in Gold and Knowledge

https://www.scientificamerican.com/article/denmark-let-amateurs-dig-for-treasure-and-it-paid-off/
127•sohkamyung•3d ago•63 comments

Type Inference Zoo

https://zoo.cuichen.cc/
68•mpweiher•3d ago•2 comments

U.S. bombs Iranian nuclear sites

https://www.bbc.co.uk/news/live/ckg3rzj8emjt
610•mattcollins•7h ago•1647 comments

Airpass – easily overcome WiFi time limits

https://airpass.tiagoalves.me/
296•herbertl•3d ago•199 comments

Samsung embeds IronSource spyware app on phones across WANA

https://smex.org/open-letter-to-samsung-end-forced-israeli-app-installations-in-the-wana-region/
737•the-anarchist•1d ago•426 comments

Linux on the Behringer X32 [video]

https://www.youtube.com/watch?v=6CfLC5xVy90
18•birdman3131•2h ago•3 comments

P2piano: A P2P collaboration space for the musically inclined

https://p2piano.com/
14•giulianopz•3d ago•1 comments

Show HN: Luna Rail – treating night trains as a spatial optimization problem

https://luna-rail.com/en/home-2
65•ant6n•3d ago•18 comments

AllTracker: Efficient Dense Point Tracking at High Resolution

https://alltracker.github.io/
75•lnyan•13h ago•8 comments

Phoenix.new – Remote AI Runtime for Phoenix

https://fly.io/blog/phoenix-new-the-remote-ai-runtime/
556•wut42•1d ago•245 comments

Finally, a Makefile formatter (50 years overdue)

https://github.com/EbodShojaei/bake
8•rainmans•2d ago•0 comments

Compact Representations for Arrays in Lua [pdf]

https://sol.sbc.org.br/index.php/sblp/article/view/30252/30059
58•tkhattra•3d ago•11 comments

Scaling our observability platform by embracing wide events and replacing OTel

https://clickhouse.com/blog/scaling-observability-beyond-100pb-wide-events-replacing-otel
179•valyala•21h ago•76 comments

Compiler for the B Programming Language

https://github.com/tsoding/b
41•ycuser2•3d ago•6 comments

Tell HN: Beware confidentiality agreements that act as lifetime non competes

296•throwarayes•15h ago•178 comments

Using Microsoft's New CLI Text Editor on Ubuntu

https://www.omgubuntu.co.uk/2025/06/microsoft-edit-text-editor-ubuntu
246•jandeboevrie•4d ago•247 comments

uBlock Origin Lite Beta for Safari iOS

https://testflight.apple.com/join/JjTcThrV
217•Squarex•22h ago•46 comments

Axolotls May Hold the Key to Regrowing Limbs

https://www.smithsonianmag.com/smart-news/axolotls-may-hold-the-key-to-regrowing-limbs-and-scientists-are-unraveling-their-secrets-to-help-humans-do-the-same-180986781/
60•noleary•2d ago•30 comments

Debunking NIST's calculation of the Kyber-512 security level (2023)

https://blog.cr.yp.to/20231003-countcorrectly.html
36•RA2lover•2d ago•12 comments

Unexpected security footguns in Go's parsers

https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/
185•ingve•3d ago•97 comments

Delta Chat is a decentralized and secure messenger app

https://delta.chat/en/
251•Bluestein•1d ago•140 comments

'Gwada negative': French scientists find new blood type in woman

https://www.lemonde.fr/en/science/article/2025/06/21/gwada-negative-french-scientists-find-new-blood-type-in-woman_6742577_10.html
148•spidersouris•23h ago•60 comments

AI is ushering in a 'tiny team' era

https://www.bloomberg.com/news/articles/2025-06-20/ai-is-ushering-in-the-tiny-team-era-in-silicon-valley
153•kjhughes•12h ago•135 comments

The Nyanja new PC-Engine/TurboGrafx 16-bit console game in development

https://sarupro.itch.io/thenyanja
48•retro_guy•3d ago•1 comments