2018.08.25 07:47:23 (1033229331500281856) from Daniel J. Bernstein, replying to "mjos\dwez (@mjos_crypto)" (1033127033231081478):
Let me see if I understand. You're agreeing with Mike that it's feasible for the attacker to find occasional Round5 ciphertexts that fail (contrary to the failure rates claimed in the Round5 specification), but you're nevertheless continuing to claim IND-CCA2 security for Round5?
2018.08.24 21:07:41 (1033068345116028928) from Daniel J. Bernstein:
PKE/KEM decryption failures strike again: https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/YsGkKEJTt5c/V0eivEroAAAJ Looks like Hamburg has broken the new (patented?) Round5 proposal to #NISTPQC. Round5 is a semi-merge of HILA5 with the (patented) Round2 proposal; by "semi-merge" I mean that it has some new design elements in it.
2018.08.25 01:00:53 (1033127033231081478) from "mjos\dwez (@mjos_crypto)":
Usually a "break" means that there is something wrong in the cryptographic strength of the algorithm. This is just a decryption failure.