deletions | additions       diff --git a/section_Abstract_This_paper_explores__.tex b/section_Abstract_This_paper_explores__.tex  index 071e561..1ff3320 100644  --- a/section_Abstract_This_paper_explores__.tex  +++ b/section_Abstract_This_paper_explores__.tex 
...
Now, it is slightly more complicated than that; the polynomial $R$ is subject to tests to make sure that it has sufficiently high weight; if it does not, it is rejected (and a different random value for $b$ is selected). However, it turns out that does not matter for this attack.  The key observation is that the ciphertext is a determanistic function of the plaintext, the public key and a $k$-bit random value. If the attacker knows that the message $m$ had low entropy (e.g. there were only $2^n$ possible values for it, for $n \lll k$), what an attacker with a Quantum Computer could do is model the system as one with $2^{n+k}$ inputs (which consists of the $2^n$ possible inputs for the plaintext, paired with the $2^k$ possible values for $b$), and then apply Grover's algorithm to find a solution that generates the known  ciphertext in $O(2^{(n+k)/2})$ time, which is less than the security level $2^k$. As for the tests on $R$, this attack can ignore that. This is because any value of $b$ that gives an unacceptable $R$ will result in a different ciphertext than what wehave  see, hence it will not be selected by Grover's algorithm. Now, in practice, this attack would not generally appear to be a significant threat; in most cases, NTRUEncrypt will be used to pass symmetric keying data, and symmetric keying data has sufficiently high entropy to make this attack infeasible. However, in those cases where NTRUEncrypt is used to transmit low-entropy plaintexts or if the attacker might have a plausible guess for the plaintext (and it is important to make such verification infeasible, it would be advisable to include some extra random bits in the plaintext (to invalidate this attack).