The microblog: 2017.06.28 19:02:14

2017.06.28 19:02:14 (880109096854269952) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880097757788295168):

"What sort of cryptosystem do you think I am?" --- "We've already established that. Now we're just haggling about the number of samples."


2017.06.28 16:18:07 (880067792317202432) from "Chris Peikert (@ChrisPeikert)", replying to "Chris Peikert (@ChrisPeikert)" (880067653443911682):

By comparison, a Ring-LWE public key is (a, b=a*s+e mod q) for short secrets s,e in R and uniformly random a in Rq. 12/

2017.06.28 17:34:22 (880086983057526784) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880066635293499392):

Peikert's "at least as hard" is bogus: e.g., the Arora-Ge/Ding attack breaks Ring-LWE for parameters where NTRU is not known to be broken.

2017.06.28 17:43:45 (880089344517844992) from "Chris Peikert (@ChrisPeikert)":

Compare apples to apples, and allow the same number of samples for both problems: …. Then AG breaks both or neither.

2017.06.28 17:59:35 (880093327156273152) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880089344517844992):

The NTRU cryptosystem doesn't reveal as many samples as LPR10/New Hope/etc.; i.e., NTRU stays farther away from the Arora--Ge/Ding weakness.

2017.06.28 18:17:11 (880097757788295168) from "Chris Peikert (@ChrisPeikert)":

LPR reveals 2 samples vs. NTRU's 1. The AG/Ding attack requires >= n^(noise support-1) samples. Does not support initial (apples^2) claim.