The cr.yp.to microblog: 2018.08.25 08:54:32

2018.08.25 08:54:32 (1033246229587783681) from Daniel J. Bernstein, replying to "mjos\dwez (@mjos_crypto)" (1033235643705511938):

I'd like to know the status of the IND-CCA2 security claims that the Round5 team issued for the initial version of Round5 published earlier this month. Is the Round5 team withdrawing the claims given Hamburg's attack? Your tweets seem to suggest that the answer is no. #NISTPQC

Context

2018.08.24 21:07:41 (1033068345116028928) from Daniel J. Bernstein:

PKE/KEM decryption failures strike again: https://groups.google.com/a/list.nist.gov/d/msg/pqc-forum/YsGkKEJTt5c/V0eivEroAAAJ Looks like Hamburg has broken the new (patented?) Round5 proposal to #NISTPQC. Round5 is a semi-merge of HILA5 with the (patented) Round2 proposal; by "semi-merge" I mean that it has some new design elements in it.

2018.08.25 01:00:53 (1033127033231081478) from "mjos\dwez (@mjos_crypto)":

Usually a "break" means that there is something wrong in the cryptographic strength of the algorithm. This is just a decryption failure.

2018.08.25 07:47:23 (1033229331500281856) from Daniel J. Bernstein, replying to "mjos\dwez (@mjos_crypto)" (1033127033231081478):

Let me see if I understand. You're agreeing with Mike that it's feasible for the attacker to find occasional Round5 ciphertexts that fail (contrary to the failure rates claimed in the Round5 specification), but you're nevertheless continuing to claim IND-CCA2 security for Round5?

2018.08.25 08:12:28 (1033235643705511938) from "mjos\dwez (@mjos_crypto)":

What I was just saying is that failure is a failure. I didn't make any IND-CCA2 claims for that version. Note that Round5 has not been submitted to NIST or published yet, so we'll just address this problem and move on.