The cr.yp.to microblog: 2017.06.28 17:59:35

2017.06.28 17:59:35 (880093327156273152) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880089344517844992):

The NTRU cryptosystem doesn't reveal as many samples as LPR10/New Hope/etc.; i.e., NTRU stays farther away from the Arora--Ge/Ding weakness.

Context

2017.06.28 16:13:31 (880066635293499392) from "Chris Peikert (@ChrisPeikert)":

A useful fact about Ring-LWE that should be known better: it is *at least as hard* to break as NTRU, and likely strictly harder. 1/

2017.06.28 16:17:13 (880067565334278144) from "Chris Peikert (@ChrisPeikert)", replying to "Chris Peikert (@ChrisPeikert)" (880067501794709508):

(We'll return to these n very short lattice vectors in a moment.) 10/

2017.06.28 16:17:34 (880067653443911682) from "Chris Peikert (@ChrisPeikert)", replying to "Chris Peikert (@ChrisPeikert)" (880067565334278144):

Contrary to some loose terminology out there, L_h is not a (rank-1) "ideal lattice" over R; it is a *rank-2 module* lattice over R. 11/

2017.06.28 16:18:07 (880067792317202432) from "Chris Peikert (@ChrisPeikert)", replying to "Chris Peikert (@ChrisPeikert)" (880067653443911682):

By comparison, a Ring-LWE public key is (a, b=a*s+e mod q) for short secrets s,e in R and uniformly random a in Rq. 12/

2017.06.28 17:34:22 (880086983057526784) from Daniel J. Bernstein, replying to "Chris Peikert (@ChrisPeikert)" (880066635293499392):

Peikert's "at least as hard" is bogus: e.g., the Arora-Ge/Ding attack breaks Ring-LWE for parameters where NTRU is not known to be broken.

2017.06.28 17:43:45 (880089344517844992) from "Chris Peikert (@ChrisPeikert)":

Compare apples to apples, and allow the same number of samples for both problems: https://twitter.com/ChrisPeikert/status/880067792317202432. Then AG breaks both or neither.