This sort of thing is a recurring theme in cryptography:<p>1. Someone proposes a scheme based on Hard Problem X. X looks strong, but the resulting scheme either is too slow or has gigantic keys.<p>2. Someone else comes along and proposes a related scheme based on Hard Problem Y which, having more structure, allows for either smaller keys or faster computation.<p>3. Later turns out this extra structure also helps the attacker.<p>An example of this phenomena is the McEliece code-based cryptosystem. Many variants based on alternative codes, attempting to reduce the public key size, have been proposed over the years, and very few have survived. Another example is elliptic curves: early on speed was an issue for their practicality, so many weak curves were also proposed that tried to speed things up (one particular example was Koblitz's supersingular curve that rendered point doubling into a linear operation).<p>Ideal lattices have exacerbated this phenomena by its applications. Lattices are a key tool in fully homomorphic encryption and friends (multilinear maps, now also obfuscation), and in the frenzy to get these applications into practicality ideal lattices (as opposed to unstructured ones) seem to be the fastest shortcut into better speed and size. It remains to be seen whether they'll survive.