this is for holding javascript data
Scott Fluhrer edited section_Abstract_This_paper_explores__.tex
almost 9 years ago
Commit id: f97ba3c331712d959e077cca83d4cb6266239f81
deletions | additions
diff --git a/section_Abstract_This_paper_explores__.tex b/section_Abstract_This_paper_explores__.tex
index 0b8d6b4..c4e3b08 100644
--- a/section_Abstract_This_paper_explores__.tex
+++ b/section_Abstract_This_paper_explores__.tex
...
When we consider the parameter set EES593EP1 (which has a design strength of 192), we find it has $N = 593$, and $dF_1 = 10$, $dF_2 = 10$ and $dF_3 = 8$. This implies that the total number of $F_3$ polynomials is $\binom{593}{16}\binom{16}{8}$ (because each $F_3$ polynomial coefficients consists of 8 $p$s, 8 $-p$'s, and 577 $0$s), and the number of $F_1F_2$ polynomials as $\binom{593}{20}\binom{20}{10}\binom{593}{20}\binom{20}{10}$. When we take into account the factor of $N$ decrease (because of the rotational symmetry) , this gives us $|F_3|/N \approx 2^{107.285}$. When we consider the number of $F_1 F_2$ polynomials, we take account of the factor $N$ decrease (because of the second rotational symmetric), this gives us $|F_1||F_2|/N \approx 2^{271.165}$. A Quantum Computer is able to search over a set of this size in approximately $2^{136}$ time, and this second step would dominate. When we account for the failure probability (and the possibility we're need to rerun this procedure), this gives us an overall time of $O(2^{137})$, which is considerably smaller than the original design goal of 192 bits.
When we consider all four product form parameter sets, we
get find that the 112 bit product form set (EES401EP2) can be attacked with an expected $O(2^{104})$ work, the 128 bit set (EES439EP1) can be attacked with an expected $O(2^{112})$ work, and the 256 bit set (EES743EP1) can be attacked with an expected $O(2^{197})$ work. In this
table: last case, it's actually the derivation of the possible values of $-F_3H$ which is the dominating factor (because $dF_3=15$ for this parameter set, which is comparitively large.
\begin{table}[ht]
\caption{Expected work effort Now, this approach has managed to recover the private key using fewer NTRU multiplications than expected. On the other hand, this approach is quite impractical (even beyond the number of operations involved); it assumes that we can practically check for
product form parameter sets}
\begin{tabular}{c c c c c c c c}
Set & N & $dF_1$ & $dF_2$ & $dF_3$ & |F3| & |F1||F2| & Expected work \\
\hline
10 & the existence of an entry in a
& $\ell$ \\
11 & b & $\ell$ \\
\end{tabular}
\end{table} table with more than $2^{65}$ entries in constant time.
This An obvious alternative approach
also has some advantage would be to search for
the EES430EP1 parameter set (which has a design strength of 128); it has $N= 439$, $dF_1 = 9$, $dF_2 = 8$, and $dF_3 = 5$. This gives us a $z = 31$, equalities between $F_1F_2N$ and
so scanning through the possible values of $G - F_3H$ takes $2^{114.173}$ time, and searching through the possible $F_1F_2$ combinations $G-F_3H$ modulo 2; this would
take $2^{110.616}$ time on a Quantum Computer, giving allow us
a total time of about $2^{115}$, which is smaller than the $2^{128}$ design strength.
Now, this approach has managed to
recover ignore the
private key using fewer NTRU multiplications than expected. On sign differences in the
other hand, $F_1, F_2, F_3$ coefficients. However, this approach
is quite impractical (even beyond the number of operations involved); it assumes that we can practically check for the existence of an entry in turns out not to work, because $G$ turns out to be relatively dense evaluated modulo 2, and so there's no good way to determine when we've detected a
table with more than $2^{100}$ entries in constant time. hit.
\section{Conclusions and Recommendations}
