this is for holding javascript data
Scott Fluhrer edited section_Abstract_This_paper_explores__.tex
almost 9 years ago
Commit id: 6ae9114f3add7b62af7099f253bff57277d89e10
deletions | additions
diff --git a/section_Abstract_This_paper_explores__.tex b/section_Abstract_This_paper_explores__.tex
index 20bfd0e..0bcbdf6 100644
--- a/section_Abstract_This_paper_explores__.tex
+++ b/section_Abstract_This_paper_explores__.tex
...
The result of these two improvements reduce the number of $G - F_3H$ values we need to precompute by a factor of $N$, and the number of $F_1 F_2$ polynomials that we need the Quantum Computer to search over by a factor of N. We can also reduce $z$ somewhat (because we are checking fewer combinations).
When we consider the parameter set EES593EP1 (which has a design strength of 192), we find it has $N = 593$, and $dF_1 = 10$, $dF_2 = 10$ and $dF_3 = 8$. This implies that the total number of $F_3$ polynomials is $\binom{593}{16}\binom{16}{8}$ (because each $F_3$ polynomial coefficients consists of 8 $p$s, 8 $-p$'s, and 577 $0$s), and the number of $F_1F_2$ polynomials as $\binom{593}{20}\binom{20}{10}\binom{593}{20}\binom{20}{10}$. This gives us $z = 41$, and so (when we take into account the factor of $N$ decrease (because of the rotational symmetry) and the factor of $3^{41}$ increase (because of the values of $G$ we need to consider), this gives us $3^{40}/N|F_3| \approx 2^{172.269}$. When we consider the number of $F_1 F_2$ polynomials, we get ; when we take account of the factor $N$ decrease (because of the second rotational symmetric), this gives us $1/N|F_1||F_2| \approx 2^{271.165}$. A Quantum Computer is able to search over a set of this size in approximately $2^{136}$ time, and the first step would dominate. The time to enumerate the possibilities for $G - F_3H$ is approximately
$2^{172)$, $2^{172}$, which is strictly smaller than the $2^{192}$ time that is the design strength of this parameter set.
This approach also has some advantage for the EES430EP1 parameter set (which has a design strength of 128); it has $N= 439$, $dF_1 = 9$, $dF_2 = 8$, and $dF_3 = 5$. This gives us a $z = 31$, and so scanning for the possible values of $G - F_3H$ takes
$2^{114.173)$ $2^{114.173}$ time, and searching through the possible $F_1F_2$ combinations would take $2^{110.616}$ time on a Quantum Computer, giving us a total time of about $2^{115}$, which is smaller than the $2^{128}$ design strength.
Now, this approach has managed to recover the private key using fewer NTRU multiplications than expected. On the other hand, this approach is quite impractical (even beyond the number of operations involved); it assumes that we can practically check for the existance of an entry in a table with more than $2^{100}$ entries in constant time.
