The cr.yp.to microblog: 2017.01.27 23:11:11

2017.01.27 23:11:11 (825103888642605059) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (824475132802584576):

You're missing the extraction step, the large q/noise, and the definition of NIKE: i.e., every essential element of my tweet. @ChrisPeikert

Context

2017.01.17 14:52:53 (821354610480836608) from Daniel J. Bernstein:

Overheard; folklore? Lattice-based NIKE: param R, pubkeys aR+2e, Rb+2f share secret aRb mod 2; use large enough q/noise to avoid wraparound.

2017.01.26 05:32:44 (824475132802584576) from "Chris Peikert (@ChrisPeikert)":

Folklore? Even better: published! End of p7 (CT-RSA'11): https://eprint.iacr.org/2010/613.pdf Also TCC'09 invited talk, slide 14: https://web.eecs.umich.edu/~cpeikert/pubs/slides-tcc09.pdf https://twitter.com/hashbreaker/status/821354610480836608