2017.08.18 15:11:35 (898532832347160576) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898531675461873664):
"Inversion assumption" = "OW-CPA", so we're talking about the same basic starting point. AM09 was entirely undermined by 2009 Jager-Schwenk.
2017.08.18 05:48:50 (898391210456489984) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898271404759580673):
Streamlined NTRU Prime is deterministic and avoids decryption failures, so 2003 Dent Theorem 8 proves tight RO IND-CCA2 from merely OW-CPA.
2017.08.18 11:34:03 (898478085355470848) from "kennyog (@kennyog)":
Cool. What's the reduction for OW-CPA down to?
2017.08.18 14:57:38 (898529320884289536) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898478085355470848):
You're asking for more than is available for, e.g., RSA. Of course one can compose key IND (the "NTRU assumption") with 1-sample Ring-LWR.
2017.08.18 15:06:59 (898531675461873664) from "kennyog (@kennyog)":
Am I? ROM proof for simple KEM built from RSA is down to RSA inversion assumption. [AM09] proved equiv with factoring for generic attacks.