2018.05.26 13:50:07 (1000343319346589696) from Daniel J. Bernstein:
Sounds like yet another attack exploiting PKE/KEM decryption failures: https://groups.google.com/a/list.nist.gov/forum/#!topic/pqc-forum/Hr2mTEW0nRo Certainly won't be the last decryption-failure attack. This attack is an example of decryption-failure question #2 from the original version of the NTRU Prime paper posted in 2016.
2018.05.26 14:07:56 (1000347803418230784) from Daniel J. Bernstein:
It's fascinating to look back at some dangerously overconfident responses to the paper, such as "There is abundant literature on CCA2-secure encryption/KEM from LWE problems, which in particular prevents attackers from triggering decryption failures in the sense described here".