2017.06.28 19:15:27 (880112420412432385) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880092625164009477):
You ignore RLWE-2 (2 samples) being maybe weaker than RLWE-1, while you complain about NTRU-1 being maybe weaker than RLWE-1. Incoherent.
2017.06.28 17:34:22 (880086983057526784) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880066635293499392):
Peikert's "at least as hard" is bogus: e.g., the Arora-Ge/Ding attack breaks Ring-LWE for parameters where NTRU is not known to be broken.
2017.06.28 17:36:31 (880087523330056192) from Daniel J. Bernstein:
"Ring-LWE-based" cryptosystems such as New Hope move towards the attacked parameter space, revealing more Ring-LWE "samples" than NTRU does.
2017.06.28 17:38:16 (880087965522812929) from Daniel J. Bernstein:
Ring-LWE is defined to allow any number of samples, and yet typical "Ring-LWE-based" cryptosystems ignore this fact in choosing parameters.
2017.06.28 17:56:47 (880092625164009477) from "Chris Peikert (@ChrisPeikert)":
Ring-LWE has been parameterized by number of samples since its inception, and concrete proposals absolutely do pay attention to this.