2017.12.09 01:57:39 (939297960164241408) from Daniel J. Bernstein, replying to "Adam Langley (@agl__)" (939296562991136768):
Frodo leapt out at me as an example where the paper wasn't doing the extra work for CCA. Maybe the submission to NIST is different.
2017.12.09 01:43:34 (939294417281798144) from Daniel J. Bernstein, replying to "Adam Langley (@agl__)" (939290748192567296):
It's critical to distinguish CCA security (can reuse one key to receive many ciphertexts) from CPA security (need new keygen for every ciphertext).
2017.12.09 01:46:08 (939295059853287424) from "Adam Langley (@agl__)":
Agreed. I was just going to throw out the CPA ones. Did I mistakenly include some CPA-only?
2017.12.09 01:52:06 (939296562991136768) from "Adam Langley (@agl__)", replying to "Adam Langley (@agl__)" (939295059853287424):
(Added a note to that effect, thanks.)