The cr.yp.to microblog: 2017.08.18 15:11:35

2017.08.18 15:11:35 (898532832347160576) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898531675461873664):

"Inversion assumption" = "OW-CPA", so we're talking about the same basic starting point. AM09 was entirely undermined by 2009 Jager-Schwenk.

Context

2017.08.18 05:48:50 (898391210456489984) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898271404759580673):

Streamlined NTRU Prime is deterministic and avoids decryption failures, so 2003 Dent Theorem 8 proves tight RO IND-CCA2 from merely OW-CPA.

2017.08.18 11:34:03 (898478085355470848) from "kennyog (@kennyog)":

Cool. What's the reduction for OW-CPA down to?

2017.08.18 14:57:38 (898529320884289536) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898478085355470848):

You're asking for more than is available for, e.g., RSA. Of course one can compose key IND (the "NTRU assumption") with 1-sample Ring-LWR.

2017.08.18 15:06:59 (898531675461873664) from "kennyog (@kennyog)":

Am I? ROM proof for simple KEM built from RSA is down to RSA inversion assumption. [AM09] proved equiv with factoring for generic attacks.