2017.06.03 13:19:49 (870963227886321664) from Daniel J. Bernstein:

Interesting new public-key cryptosystem in https://eprint.iacr.org/2017/481. Obviously can use any sparse prime 2^b-2^c-..., not just Mersenne prime.

2017.06.03 13:22:53 (870963996245069824) from Daniel J. Bernstein:

Encrypting only a single bit is annoying. Users really want to recover A,B from AF+BG mod p for sparse A,B,F,G. Backtracking? Coppersmith?

2017.06.03 13:39:19 (870968135058436096) from Daniel J. Bernstein:

Try to choose B deterministically to compress AH+B, as in Streamlined NTRU Prime? Is it safe to, e.g., force each byte of AH+B to be odd?

2017.06.03 13:40:52 (870968524424007683) from Daniel J. Bernstein:

Assuming A,B can be quickly recovered from AF+BG, build a standard KEM by hashing (A,B) etc. Particularly clean (Dent) for deterministic B.

2017.06.03 13:49:18 (870970647517831168) from Daniel J. Bernstein:

Can also try to imitate other code-based/lattice-based constructions, e.g. LPR. An error-correcting code for M allows correcting M+AF-BG.

2017.06.03 13:51:58 (870971317608226816) from Daniel J. Bernstein:

Can also try to prove that F/G mod p is indistinguishable from uniform, as in Stehle--Steinfeld, assuming that F and G have enough bits set.

2017.06.03 13:54:54 (870972055486955521) from Daniel J. Bernstein:

Needless to say, nobody should be relying on any of this for security unless and until parameters survive years of thorough cryptanalysis.