2018.02.04 22:19:56 (960261665936891904) from Daniel J. Bernstein, replying to "Paulo Barreto (@pbarreto)" (959689787853565953):
Kuwakado and Morii need the legitimate Even--Mansour user to be running a quantum computer that reveals ciphertexts for attacker-specified superpositions of plaintexts. Johansson and Larsson need the user to be screaming "Look, attacker, here's my key!" There's no threat here.
2018.02.03 07:56:28 (959681980714573825) from "Paulo Barreto (@pbarreto)":
If the recent, potential de-quantized attack proves even partially correct, it shows one must push for quantum resistant cryptographic schemes, not only because of future quantum threats, but to address immediate, purely classical concerns.
2018.02.03 08:14:53 (959686615839813632) from "Steven Galbraith (@EllipticKiwi)", replying to "Paulo Barreto (@pbarreto)" (959681980714573825):
Classical Simon's algorithm seems different to classical Shor. No evidence of classical poly time factoring or DLP.
2018.02.03 08:27:30 (959689787853565953) from "Paulo Barreto (@pbarreto)", replying to "Steven Galbraith (@EllipticKiwi)" (959686615839813632):
The threat here is against symmetric modes of operation, not public-key schemes.