I think it would be very useful if you were to also issue some challenges over (the ring of integers of) some non-cyclotomic number fields as well. In particular, I would like to see it over examples of number fields that Dan Bernstein has been advocating here for a while as superior to cyclotomic rings (e.g. those generated by the roots of f(x)=x^p-x-1 ), so we can see if any algorithms that come out of it perform (significantly) better in one case or the other.
These challenges are also only for the search version of ring-LWE, whereas the security of cryptosystems is generally based on the decision version of the problem ...
Search-to-decision reductions do exist for the problem over cyclotomic fields, but they are not super tight and as published, are limited to certain moduli (although I believe they can be extended to all moduli via “modulus switching,” this comes at an additional cost in the relative magnitude of the error, and as far as I know such a reduction has not actually been published yet). Moreover, for number fields of the type proposed by Bernstein, I don’t know that any such search-to-decision reductions exist at all.
How much extra work would these additional challenges take to release?
I think it would be very useful if you were to also issue some challenges over (the ring of integers of) some non-cyclotomic number fields as well. In particular, I would like to see it over examples of number fields that Dan Bernstein has been advocating here for a while as superior to cyclotomic rings (e.g. those generated by the roots of f(x)=x^p-x-1 ), so we can see if any algorithms that come out of it perform (significantly) better in one case or the other.
These challenges are also only for the search version of ring-LWE, whereas the security of cryptosystems is generally based on the decision version of the problem ...
How much extra work would these additional challenges take to release?