The microblog: 2017.06.28 17:34:22

2017.06.28 17:34:22 (880086983057526784) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880066635293499392):

Peikert's "at least as hard" is bogus: e.g., the Arora-Ge/Ding attack breaks Ring-LWE for parameters where NTRU is not known to be broken.

2017.06.28 17:36:31 (880087523330056192) from Daniel J. Bernstein:

"Ring-LWE-based" cryptosystems such as New Hope move towards the attacked parameter space, revealing more Ring-LWE "samples" than NTRU does.

2017.06.28 17:38:16 (880087965522812929) from Daniel J. Bernstein:

Ring-LWE is defined to allow any number of samples, and yet typical "Ring-LWE-based" cryptosystems ignore this fact in choosing parameters.

2017.06.28 17:44:45 (880089596071206912) from Daniel J. Bernstein:

Even worse bait+switch: theorems relating _huge_ Ring-LWE keys to lattice problems are used to sell _small_ keys not covered by theorems.

2017.06.28 17:49:11 (880090712532021248) from Daniel J. Bernstein:

The bottom line is that New Hope could be weaker than NTRU, or vice versa. Peikert is overstating the theorems when he claims guarantees.


2017.06.28 16:13:31 (880066635293499392) from "Chris Peikert (@ChrisPeikert)":

A useful fact about Ring-LWE that should be known better: it is *at least as hard* to break as NTRU, and likely strictly harder. 1/