On Wed, 20 Apr 2016 18:30:14 +0000 (UTC) lukep <lukep@tutanota.com> wrote:
Beware that the definition of newhope has changed! The authors have published a new version of this paper and some of the numbers are different. The parameter for the binomial distribution has changed from 12 to 16, the probability of failure has changed from 2^-110 to 2^-64, the core hardness of the attack has increased from 186 to 206 bits on a quantum computer, and the timings have increased slightly too.
I track the paper and reference code in the implementation I maintain. FWIW, the performance hasn't changed noticeably, unless there's something newer than 20160328.
I'm not sure that the newhope algorithm has settled down yet. There's also a new paper on IACR called "How (not) to instantiate ring-LWE" which has some ideas on how to choose the error distribution - this might mean that newhope has to change again??
Most of the changes since the paper was released have been minor. The last major algorithmic change I'm aware of was 20151209, which altered the reconciliation mechanism (I don't particularly count the March changes that altered the on-the-wire encoding format as major; it's just a more compact way to send the same things).
Kind of a moot point since by the time any of this will actually be used in core tor things would have settled. And my gut feeling is RingLWE will have performant, well defined implementations well before SIDH is a realistic option.
Regards,
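An added example, not from either mail or from the NewHope paper or reference code: the centered binomial error distribution ψ_k whose parameter the thread says moved from 12 to 16. It assumes the paper's definition of ψ_k (the difference of two k-bit popcounts over 2k uniform bits), and computes the exact distribution so the effect of the change on the error width can be checked offline.

```python
"""Centered binomial error sampler psi_k as defined by NewHope.

psi_k draws 2k uniformly random bits and returns
(popcount of the first k bits) - (popcount of the last k bits),
so a sample lies in [-k, k] with mean 0 and variance k/2.
Raising k from 12 to 16 widens the error from variance 6 to 8.
"""
import secrets
from fractions import Fraction
from math import comb


def sample_psi(k, rng=secrets.randbits):
    """Draw one coefficient from psi_k; rng(n) must return n random bits."""
    bits = rng(2 * k)
    a = bin(bits & ((1 << k) - 1)).count("1")   # popcount of the low k bits
    b = bin(bits >> k).count("1")               # popcount of the high k bits
    return a - b


def psi_pmf(k):
    """Exact probability mass function of psi_k as {value: Fraction}.

    With a, b independent Binomial(k, 1/2), P(a - b = v) is
    sum over a of C(k, a) * C(k, a - v) / 4^k.
    """
    denom = Fraction(1, 4 ** k)
    return {
        v: denom * sum(comb(k, a) * comb(k, a - v)
                       for a in range(k + 1) if 0 <= a - v <= k)
        for v in range(-k, k + 1)
    }


def psi_variance(k):
    """Exact variance of psi_k (expected to be k/2)."""
    return sum(p * v * v for v, p in psi_pmf(k).items())
```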