this is for holding javascript data
Scott Fluhrer edited bb_section_Abstract_This_paper__.tex
almost 9 years ago
Commit id: abea2d39a319437e50320e5148934ec685dfbc1a
deletions | additions
diff --git a/bb_section_Abstract_This_paper__.tex b/bb_section_Abstract_This_paper__.tex
index d84b836..edf4fc0 100644
--- a/bb_section_Abstract_This_paper__.tex
+++ b/bb_section_Abstract_This_paper__.tex
...
\section{Key Recovery Attack 1}
The NTRU public key $H$ is the polynomial $F^{-1}G$ (computed over $\mod q$), where $F$ and $G$ are sparse polynomials; the polynomial $F$ is the private key. One way to try to recover the private key is to search for an $F$ such the product polynomial $FH$ is sparse (which, in this case, means
considers consists of $dG+1$ coefficients of the value $p$, $dG$ coefficients of the value $-p$, and the rest
0). 0, where $dG$ is a constant from the parameter set).
Now, the defined NTRU parameter sets work in one of two ways; in the straight-forward method, the key generation process selects a random polynomial whose coefficients consists of $dF$ 1's, $dF$ -1's, and the rest 0 (where $dF$ is a parameter from the parameter set). The other method, known as the product form, has the key generation process select three polynomials $F_1, F_2, F_3$, and effectively sets $F = F_1F_2 + F_3$. Each of these polynomials $F_1, F_2, F_3$ is sparser than the target $F$ polynomial; and computing $F_1(F_2H) + F_3H$ is faster than computing $FH$ directly.
To use Grover's algorithm, we could search for the polynomial $F$ for which $FH$ is sparse.
Now, if we do that However, doing this in
the this straight-forward
manner, that manner doesn't work (as for all defined parameter sets, there are more than $2^{2k}$ possible values of $F$).
If we are working with a parameter set that uses the product form, one way to rewrite the equation $FH = G$ is in the form $F_1F_2H = G - F_3H$, where we know that each coefficient of $G$ is either $0, p$ or $-p$.
...
When the NTRU library generates a key, it goes through this procedure:
\begin{itemize}
\item It selects a random bitstring that is the design strength
$k$ of the parameter set, plus 64 bits (for example, for a 128 bit parameter set, it obtains 192 bits from the internal random number generator)
\item It hashes this random number (with SHA-1 if the parameter strength $k \le 160$ and SHA-256 if $k > 160$) giving us a hash value $h$.
\item It uses that hash value $h$ (and nothing else) to seed a random number generator, and the output of that random number generator selects a polynomial $F$
\item It uses a similar process to select a polynomial $G$
...
