deletions | additions       diff --git a/section_Abstract_This_paper_shows__.tex b/section_Abstract_This_paper_shows__.tex  index 2f8df18..a7f3076 100644  --- a/section_Abstract_This_paper_shows__.tex  +++ b/section_Abstract_This_paper_shows__.tex 
...
NTRU does appear to be immune to Shor's algorithm (which allows the attack to quickly factor numbers and compute discrete logarithms). However, a Quanum Computer also allows an attacker to run Grover's algorithm, which is able to find a $n$ bit solution to a problem in $2^{n/2}$ time. The question we would like to look at is 'can Grover's algorithm be used to advantage in attacking NTRU?'  \section{Plaintext Recovery Attack}  During NTRU encryption, the encryptor examines the public key to get its security level $k$ (that is, the parameter set of the public key was designed to withstand attacks that use at most $O(2^k)$ operations). The encryptor then selects a $k$-bit random value $r$, $b$,  and uses that value $r$, $b$,  the plaintext $M$ and the public key to generate the ciphertext $C$. If the attacker knows that the message $M$ had low entropy (e.g. there were only $2^n$ possible values for it, for $n \lll k$), what an attacker with a Quantum Computer could do is model the system as one with $2^{n+k}$ inputs (which consists of the $2^n$ possible inputs for the plaintext, paired with the $2^k$ possible values for $r$), $b$),  and then apply Grover's algorithm to find a solution that generates the ciphertext in $2^{(n+k)/2}$ time, which is less than the security level $2^k$. Now, in practice, this attack would not generally appear to be a significant threat; in most cases, NTRUEncrypt will be used to pass symmetric keying data, and symmetric keying data has high entropy, making this attack infeasible. However, in those cases where NTRUEncrypt is used to transmit low-entropy plaintexts, it would be advisable to include some extra random bits in the plaintext (to avoid this attack).