Graphs of Estimate all the {LWE, NTRU} schemes! indexed to the PQC Lounge data.

Note well: The “estimates” here are not runtimes of actual attacks. They are calculations used in the proposals' papers to justify their security claims. Most of them are intentional underestimates for particular attack strategies, under assumptions that are favorable to the attacker. For example, the sieving estimates are much faster than enumeration, but last I heard sieving is slower in practice. We don't know if sieving can use less resources than enumeration on problems this size even on classical machines, much less on quantum ones. Likewise, the quantum enumeration techniques assume a Grover speedup, but none is currently known. Thanks to DJB for pointing out how this could be confusing.

Also, the speed benchmarks for these systems were preliminary benchmarks on unevenly-optimized code, so they're probably mostly noise. But the bandwidth estimates should be exact.

I hope that these plots will nonetheless be useful to highlight trends in the security vs performance (esp. bandwidth) characteristics of the proposals, and to show discrepancies between the different security estimates.

x-axis:
sk bytes: pk bytes: ct/sig bytes:
Warning: timing information is so inaccurate that it's probably worthless.
keypair kcy: enc kcy: dec kcy:
y-axis:
sk bytes: pk bytes: ct/sig bytes:
Warning: timing information is so inaccurate that it's probably worthless.
keypair kcy: enc kcy: dec kcy:
Estimates by Martin R. Albrecht, Benjamin R. Curtis, Amit Deo, Alex Davidson, Rachel Player, Eamonn Postlethwaite, Fernando Virdia, Thomas Wunderer. Data extracted by Safe Crypto project. Graphs by Mike Hamburg using chart.js.