2017.06.28 17:34:22 (880086983057526784) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880066635293499392):
Peikert's "at least as hard" is bogus: e.g., the Arora-Ge/Ding attack breaks Ring-LWE for parameters where NTRU is not known to be broken.
2017.06.28 17:36:31 (880087523330056192) from Daniel J. Bernstein:
"Ring-LWE-based" cryptosystems such as New Hope move towards the attacked parameter space, revealing more Ring-LWE "samples" than NTRU does.
2017.06.28 17:38:16 (880087965522812929) from Daniel J. Bernstein:
Ring-LWE is defined to allow any number of samples, and yet typical "Ring-LWE-based" cryptosystems ignore this fact in choosing parameters.
2017.06.28 17:44:45 (880089596071206912) from Daniel J. Bernstein:
Even worse bait+switch: theorems relating _huge_ Ring-LWE keys to lattice problems are used to sell _small_ keys not covered by theorems.
2017.06.28 17:49:11 (880090712532021248) from Daniel J. Bernstein:
The bottom line is that New Hope could be weaker than NTRU, or vice versa. Peikert is overstating the theorems when he claims guarantees.
2017.06.28 16:13:31 (880066635293499392) from "Chris Peikert (@ChrisPeikert)":
A useful fact about Ring-LWE that should be known better: it is *at least as hard* to break as NTRU, and likely strictly harder. 1/