2017.12.09 23:58:33 (939630375998980097) from Daniel J. Bernstein, replying to "Adam Langley (@agl__)" (939355510515548161):
Yet another thing: there's a big difference in speeds between, e.g., E3-1220 v2 (3.1GHz Ivy Bridge) and E3-1220 v5 (3GHz Skylake).
2017.12.09 01:57:39 (939297960164241408) from Daniel J. Bernstein, replying to "Adam Langley (@agl__)" (939296562991136768):
Frodo leapt out at me as an example where the paper wasn't doing the extra work for CCA. Maybe the submission to NIST is different.
2017.12.09 02:03:15 (939299369978798080) from "Adam Langley (@agl__)":
The original Frodo paper didn’t do CCA, but I believe FrodoKEM does.
2017.12.09 02:09:35 (939300964472905728) from Daniel J. Bernstein, replying to "Adam Langley (@agl__)" (939299369978798080):
Something else: There's a second KEM, ntrulpr4591761, in the NTRU Prime submission. 58756/94508/128316 Haswell cycles keypair/enc/dec.
2017.12.09 05:46:20 (939355510515548161) from "Adam Langley (@agl__)":
Thanks! (Had to wait to get home before I could update it.)