2017.08.18 14:57:38 (898529320884289536) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898478085355470848):
You're asking for more than is available for, e.g., RSA. Of course one can compose key IND (the "NTRU assumption") with 1-sample Ring-LWR.
2017.08.17 07:07:03 (898048506681860096) from Daniel J. Bernstein:
Streamlined NTRU Prime 4591^761 Haswell-optimized software online too. Faster than New Hope and Kyber; less bandwidth; less attack surface.
2017.08.17 21:52:46 (898271404759580673) from "kennyog (@kennyog)":
any security reductions to recognised hard problems?
2017.08.18 05:48:50 (898391210456489984) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898271404759580673):
Streamlined NTRU Prime is deterministic and avoids decryption failures, so 2003 Dent Theorem 8 proves tight RO IND-CCA2 from merely OW-CPA.
2017.08.18 11:34:03 (898478085355470848) from "kennyog (@kennyog)":
Cool. What's the reduction for OW-CPA down to?