2020.05.07 04:58:17 (1258229638372843521) from Daniel J. Bernstein, replying to "Gautam Goel (@gautamcgoel)" (1257436239592030224):
There's already a quantum polynomial-time key-recovery algorithm breaking the cyclotomic case of Gentry's original STOC 2009 FHE system using ideal lattices (assuming h^+=1, the normal situation). Same for the original Eurocrypt 2013 Garg--Gentry--Halevi multilinear-map system.
2020.05.04 22:25:59 (1257406137558642689) from Daniel J. Bernstein:
Understanding various approaches to risk management for post-quantum encryption: Classic McEliece = stay at home full time, for people who can afford it. NTRU Prime = go out when necessary, but with distancing and masks. Typical lattice-based cryptosystem = party like it's 2019.
2020.05.05 00:25:36 (1257436239592030224) from "Gautam Goel (@gautamcgoel)":
Would it be fair to say that you believe many lattice-based cryptosystems will eventually be shown to be vulnerable to quantum attacks?