These "hey if this lattice quantum algorithm turns out to work, it will break fully homomorphic encryption, and maybe also we cannot fix encrypted internet connection once a quantum computer arrives" statements. Like HEY THESE PROBLEMS AREN'T EVEN IN THE SAME UNIVERSE OF ISSUES. One is "cryptographers may have to admit that their favorite hypothetical solution for nonexisting problems doesn't work", the other is "like, how do we continue with the internet?"
And yeah, I know that it would directly break FHE, and not directly break Kyber/LWE, only heavily endanger it, but hey: I really don't care about FHE being broken, but I wonder what we'll do if we cannot use lattices any more for TLS. That'd be a hard problem.
@hanno Even in the worst case of "no more lattices", the three remaining candidates in NIST's 4th round are unaffected (BIKE, HQC, McEliece). We'd probably have to bring back the dial-up modem noise though.
@dennisjackson I'm not super familiar with how trustworthy people consider these smaller-keysize code-based schemes (BIKE, HQC both fall into that category, right?). My impression was people consider them not well analyzed, probably less than lattices. McEliece has proposed keysizes that are hard to imagine working with TLS in practice.
@dennisjackson I mean after "these isogenies are not extremely well studied, but look super promising" turned into "nah, totally broken" in a completely unexpected twist of events, I'm more worried about unexpected surprises. I certainly hadn't seen that coming.