The cr.yp.to microblog: 2017.06.28 23:59:38

2017.06.28 23:59:38 (880183938878025728) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880134859284467712):

KF attacks NTRU-1-tinyfg. SS proves NTRU-1-hugefg is as strong as RLWE-1. NTRU-1-normalfg _may be_ weaker, just like RLWE-2 _may be_ weaker.

2017.06.29 00:05:44 (880185472802328576) from Daniel J. Bernstein:

New Hope, Kyber, etc. could be above NTRU in strength, or equal, OR BELOW. You keep falsely claiming that the last possibility can't exist.

Context

2017.06.28 17:38:16 (880087965522812929) from Daniel J. Bernstein:

Ring-LWE is defined to allow any number of samples, and yet typical "Ring-LWE-based" cryptosystems ignore this fact in choosing parameters.

2017.06.28 17:56:47 (880092625164009477) from "Chris Peikert (@ChrisPeikert)":

Ring-LWE has been parameterized by number of samples since its inception, and concrete proposals absolutely do pay attention to this.

2017.06.28 19:15:27 (880112420412432385) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880092625164009477):

You ignore RLWE-2 (2 samples) being maybe weaker than RLWE-1, while you complain about NTRU-1 being maybe weaker than RLWE-1. Incoherent.

2017.06.28 20:44:37 (880134859284467712) from "Chris Peikert (@ChrisPeikert)":

RLWE-2 could be easier than 1, though we have no evidence of this. We *do* have evidence that NTRU-1 is easier than both: the KF attack.