2017.01.27 23:07:07 (825102865123385347) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (824473000594567168):
You're missing the extraction step, the large q/noise, and the definition of NIKE: i.e., every essential element of my tweet.
2017.01.17 14:52:53 (821354610480836608) from Daniel J. Bernstein:
Overheard; folklore? Lattice-based NIKE: param R, pubkeys aR+2e, Rb+2f share secret aRb mod 2; use large enough q/noise to avoid wraparound.
2017.01.26 05:24:15 (824473000594567168) from "Chris Peikert (@ChrisPeikert)":
Old, well-known. Bottom of p7 (CT-RSA'11): http://web.eecs.umich.edu/~cpeikert/pubs/lwe-analysis.pdf Also TCC'09 invited talk, slide 14: http://web.eecs.umich.edu/~cpeikert/pubs/slides-tcc09.pdf