Paper 2020/1370

A discretization attack

Daniel J. Bernstein


This paper presents an attack against common procedures for comparing the size-security tradeoffs of proposed cryptosystems. The attack begins with size-security tradeoff data, and then manipulates the presentation of the data in a way that favors a proposal selected by the attacker, while maintaining plausible deniability for the attacker. As concrete examples, this paper shows two manipulated comparisons of size-security tradeoffs of lattice-based encryption proposals submitted to the NIST Post-Quantum Cryptography Standardization Project. One of these manipulated comparisons appears to match public claims made by NIST, while the other does not, and the underlying facts do not. This raises the question of whether NIST has been subjected to this attack. This paper also considers a weak defense and a strong defense that can be applied by standards-development organizations and by other people comparing cryptographic algorithms. The weak defense does not protect the integrity of comparisons, although it does force this type of attack to begin early. The strong defense stops this attack.

Publication info
Preprint. MINOR revision.
Keywords: back doors, NSA, NIST, NISTPQC, category theory
Contact author(s)
authorcontact-categories @ box cr yp to
2020-11-02: received
Creative Commons Attribution


      author = {Daniel J.  Bernstein},
      title = {A discretization attack},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1370},
      year = {2020},
      note = {\url{}},
      url = {}