2020.02.03 22:03:15 (1224438219212607489) from Daniel J. Bernstein, replying to "John Schanck (@susurrusus)" (1224355757438722048):
That slide claims to be able to extract "10 certified random bits" in "a few seconds", whereas I'm saying that the obvious attack completely breaks the protocol for every n that's feasible to verify. Seems clear that the slide is based on a worse attack. Why do you claim better?
2020.02.03 16:35:34 (1224355757438722048) from "John Schanck (@susurrusus)":
A much better version of this attack, using classical simulation of cost exp(tree width), is credited to Brandão on slide 17. Same slide mentions that the attack significantly reduces min-entropy per round.