# The cr.yp.to microblog: 2017.08.18 16:52:32

2017.08.18 16:52:32 (898558234868559872) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898533863399596033):

Best known RSA attacks don't fit this model. The model "proves hardness" of many trivial things. Burden is on model to demonstrate utility.

### Context

2017.08.18 14:57:38 (898529320884289536) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898478085355470848):

You're asking for more than is available for, e.g., RSA. Of course one can compose key IND (the "NTRU assumption") with 1-sample Ring-LWR.

2017.08.18 15:06:59 (898531675461873664) from "kennyog (@kennyog)":

Am I? ROM proof for simple KEM built from RSA is down to RSA inversion assumption. [AM09] proved equiv with factoring for generic attacks.

2017.08.18 15:11:35 (898532832347160576) from Daniel J. Bernstein, replying to "kennyog (@kennyog)" (898531675461873664):

"Inversion assumption" = "OW-CPA", so we're talking about the same basic starting point. AM09 was entirely undermined by 2009 Jager-Schwenk.

2017.08.18 15:15:41 (898533863399596033) from "kennyog (@kennyog)":

"Entirely" is much too strong. They showed limitations of such proofs but went on to use them themselves for, e.g. hardness of QR problem.