The cr.yp.to microblog: 2017.12.09 02:36:42

2017.12.09 02:36:42 (939307787515031552) from Daniel J. Bernstein, replying to "Matthew Green (@matthew_d_green)" (939302301877047296):

NIST properly says that key reuse requires IND-CCA2 security. This of course is not the actual definition, but it's the only safe bottom line for users.

Context

2017.12.09 01:57:39 (939297960164241408) from Daniel J. Bernstein, replying to "Adam Langley (@agl__)" (939296562991136768):

Frodo leapt out at me as an example where the paper wasn't doing the extra work for CCA. Maybe the submission to NIST is different.

2017.12.09 02:03:15 (939299369978798080) from "Adam Langley (@agl__)":

The original Frodo paper didn’t do CCA, but I believe FrodoKEM does.

2017.12.09 02:09:49 (939301019292520449) from "Chris Peikert (@ChrisPeikert)", replying to "Adam Langley (@agl__)" (939299369978798080):

It does.

2017.12.09 02:14:54 (939302301877047296) from "Matthew Green (@matthew_d_green)", replying to "Chris Peikert (@ChrisPeikert)" (939301019292520449):

Is this actually the definition of CPA and CCA for KEMs?