this is for holding javascript data
Scott Fluhrer edited section_Abstract_This_paper_explores__.tex
almost 9 years ago
Commit id: 0687b147c6b24be9dc3c4d049144cc6233cdd4b1
deletions | additions
diff --git a/section_Abstract_This_paper_explores__.tex b/section_Abstract_This_paper_explores__.tex
index 36f1917..8fb1c05 100644
--- a/section_Abstract_This_paper_explores__.tex
+++ b/section_Abstract_This_paper_explores__.tex
...
When we select a private key for NTRUEncrypt, we select two polynomials $F$ and $G$ with specific sets of coefficients; we also need to make sure that $F$ is invertible. Once we have that, we can compute the public polynomial $H = F^{-1}G$.
\section{Plaintext Recovery Attack}
When someone with the NTRUEncrypt public key does an public key encryption, it runs through this process: first, he examines the public key to get its security level $k$
(that is, for the parameter
set of the public key was designed to withstand attacks that use at most $O(2^k)$ operations). set. He then selects a $k$-bit random value $b$, and encodes that value (along with the plaintext $m$ and part of the public key) to form a string; it then uses that string as a seed to a random number generator to select a polynomial $R$; he then encodes the plaintext (and $b$) as a polynomial $M$, extracts the polynomial $H$ from the public key, and outputs the polynomial $HR+M$ as the ciphertext.
Now, it is slightly more complicated than that; the polynomial $R$ is subject to tests to make sure that it has sufficiently high weight; if it does not, it is rejected (and a different random value for $b$ is selected). However, it turns out that does not matter for this attack.