this is for holding javascript data
Scott Fluhrer edited section_Abstract_This_paper_explores__.tex
almost 9 years ago
Commit id: 464fc7dbf52dfdf36d3de45c641719f350dd4586
deletions | additions
diff --git a/section_Abstract_This_paper_explores__.tex b/section_Abstract_This_paper_explores__.tex
index 013e426..2c66e6f 100644
--- a/section_Abstract_This_paper_explores__.tex
+++ b/section_Abstract_This_paper_explores__.tex
...
\section{Abstract}
This paper explores some attacks that someone with a Quantum Computer may be able to perform against NTRUEncrypt, and in particular NTRUEncrypt as implemented by the publicly available library from Security Innovation. We show two ways where
the an attacker
with a Quantum Computer is able to recover plaintext from the ciphertext and public key with less than expected effort; in particular, against the parameter sets that are designed to be secure at the 128 bit level, we can decrypt a ciphertext with $O(2^{80})$ effort, and test that the ciphertext corresponds to a specific plaintext with $O(2^{64})$ effort.
\section{Introduction}
NTRUEncrypt\cite{Hoffstein_1998} is a public key encryption system designed by Jeffrey Hoffstein, Jill Pipher and Joseph Silverman. It has several attractive features, one of which is that it is immune to attacks by Shor's algorithm (as it does not rely on a factorization or discrete log hard problem). Hence, it looks to be a logical component as a part of a Quantum-Resistant cryptosystem.
...
The third way of addressing this is to question whether this is actually a threat after all. $O(2^{80})$ work may sound like a conceivable amount of work; however that notation conceals a constant of proportionality, and that constant might be of significant size. In both of these attacks, the amount of work involves is actually $O(2^{80})$ encryption operations; in addition, each operation is done on a Quantum Computer (using entangled states, and using some Quantum Error Correction algorithm). It would appear plausible that such an operation may be considerably more expensive than the corresponding operation on a classical computer. However, we don't have a working Quantum Computer, and so we can't be certain how much more expensive these operations would be. Because of this uncertainty, while this line of argument may sound promising, our opinion is that we shouldn't rely only on that; we recommend one of the previous two strategies (especially given their relatively low cost).
