The microblog: 2019.07.04 09:52:13

2019.07.04 09:52:13 (1146688146672893952) from Daniel J. Bernstein:

Frodo round 1 assumed "IND-CPA" in its first theorem. Frodo round 2 changed "IND-CPA" to "OW-CPA" in theorem statement; changed "IND-CPA" to "OW-CPA" in separate summary; added a footnote on "IND-CPA" vs "OW-CPA". I disputed theorem. Now they claim that this change was a "typo".

2019.07.04 10:02:08 (1146690641482649601) from Daniel J. Bernstein:

"Security proofs" are supposed to be limiting and simplifying the cryptanalytic targets. "IND-CPA" is a decisional assumption like DDH. "OW-CPA" is a simpler search assumption like DH. "OW-CPA" is "falsifiable" under Naor's definitions; "IND-CPA" is only "somewhat falsifiable".