2017.08.18 16:52:32 (898558234868559872) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898533863399596033):
Best known RSA attacks don't fit this model. The model "proves hardness" of many trivial things. Burden is on model to demonstrate utility.
2017.08.18 14:57:38 (898529320884289536) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898478085355470848):
You're asking for more than is available for, e.g., RSA. Of course one can compose key IND (the "NTRU assumption") with 1-sample Ring-LWR.
2017.08.18 15:06:59 (898531675461873664) from "kennyog (@kennyog)":
Am I? ROM proof for simple KEM built from RSA is down to RSA inversion assumption. [AM09] proved equiv with factoring for generic attacks.
2017.08.18 15:11:35 (898532832347160576) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898531675461873664):
"Inversion assumption" = "OW-CPA", so we're talking about the same basic starting point. AM09 was entirely undermined by 2009 Jager-Schwenk.
2017.08.18 15:15:41 (898533863399596033) from "kennyog (@kennyog)":
"Entirely" is much too strong. They showed limitations of such proofs but went on to use them themselves for, e.g. hardness of QR problem.