this is for holding javascript data
Scott Fluhrer edited bb_section_Abstract_This_paper__.tex
almost 9 years ago
Commit id: 31be2e45bc5e9f1397db5ffd37cf8343ac74e662
deletions | additions
diff --git a/bb_section_Abstract_This_paper__.tex b/bb_section_Abstract_This_paper__.tex
index 9aca3d4..b89ef9a 100644
--- a/bb_section_Abstract_This_paper__.tex
+++ b/bb_section_Abstract_This_paper__.tex
...
\begin{itemize}
\item It selects a random bitstring that is the design strength of the parameter set, plus 64 bits (for example, for a 128 bit parameter set, it obtains 192 bits from the internal random number generator)
\item It hashes this random number (with SHA-1 if the parameter strength $k \le 160$ and SHA-256 if $k > 160$) giving us a hash value $h$.
\item It uses that hash value $h$ (and nothing else) to seed a random number generator, and the output of that random number generator selects a polynomial
F $F$
\item It uses a similar process to select a polynomial
G $G$
\end{itemize}
This process is similar to the process used to select the random polynomial $R$ during encryption (largely because it reuses the same code).
This key generation procedure immediately gives us a potential key recovery attack; given a public key $H$, we use Grover's algorithm to guess the hash value $h$; our verification step would seed the random number generator, selects a polynomial
F', $F'$, and then compute the product $F'H \pmod{q}$; if that consists solely of elements in the set $\{-p, 0, p\}$, then we accept. This works because if
$H $F =
F^{-1}G$, and so multiplying that by the correct value of $F$ will yield $G$ F'$, then we have $F' H = G$ (which has the special form listed).
\section{Plaintext Recovery Attack 1}
A similar approach to recover the plaintext given a ciphertext $C$ and a public key $H$ is to run Grover's algorithm, with the guess this time being $\rho$ the output of the hashed string. That is, they would use the function that takes a value for $\rho$, run it through the random number generator to generate a guess of $R$, and check if the polynomial $C-HR$ consists solely of the coefficients $\{0, 1, -1\}$; the correct guess of the hash will do that (as $C-HR$ is the encoded message $M$, which is a polynomial with those coefficients); an incorrect guess is quite unlikely to have coefficients limited to that range.
...
