2021.04.29 16:44:02 (1387779717370048518) from Daniel J. Bernstein:
Agreeing with main points in 3, 4, 6, 10 in https://eprint.iacr.org/2021/543. More objections to 2, 5, 7, 9. Most important dispute is regarding risk management, 1+8. Recent advances in torsion-point attacks have killed a huge part of the SIKE parameter space, far worse than MOV vs ECDLP.
2021.04.29 16:57:33 (1387783116664688651) from Daniel J. Bernstein:
The "failure" comments inside 9 are a smaller-scale risk-management issue. Here the paper is correct in saying that decryption failures increase the post-quantum attack surface, but is wrong in claiming that SIKE is the only #NISTPQC encryption option without decryption failures.