2017.01.27 23:11:11 (825103888642605059) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (824475132802584576):
You're missing the extraction step, the large q/noise, and the definition of NIKE: i.e., every essential element of my tweet. @ChrisPeikert
2017.01.17 14:52:53 (821354610480836608) from Daniel J. Bernstein:
Overheard; folklore? Lattice-based NIKE: param R, pubkeys aR+2e, Rb+2f share secret aRb mod 2; use large enough q/noise to avoid wraparound.
2017.01.26 05:32:44 (824475132802584576) from "Chris Peikert (@ChrisPeikert)":
Folklore? Even better: published! End of p7 (CT-RSA'11): https://eprint.iacr.org/2010/613.pdf Also TCC'09 invited talk, slide 14: https://web.eecs.umich.edu/~cpeikert/pubs/slides-tcc09.pdf https://twitter.com/hashbreaker/status/821354610480836608