deletions | additions       diff --git a/untitled.tex b/untitled.tex  index c92df0e..5d3fde0 100644  --- a/untitled.tex  +++ b/untitled.tex 
...
We can further refine potential $s'$ values by probing how a $s'$ value works with several $i$ values; by fixing an $i$ value, and trying several $j$ values, and for each such value, to a binary search for the $k$ value such that $j\delta + ks[i]$ is one sign, and $j\delta + (k+1)s[i]$ is the other; this gives us the approximate value of $s[i]/\delta$ value, and we can use this to deduce whether $\delta = \pm 1$. We can also deduce the sign of $\delta$.  Once we have such an $s'$ value, then the attack is easy. We can set $k=\delta$, and for any $i$, query the sign $j + s[i]$, or in other words, whether $j >= \ge  s[i]$. Binary search will quickly (with a handful of probes) give us the exact value of $s[i]$. We query $s[i]$ for each $i$, that gives us the entire value of $s$, and the attack has succeeded. 
...
\section{Conclusions and Recommendations}  ... The above shows how ring-LWE based key exchange can practically be broken if the same key share is reused.  We have presented four attacks One place  where an adversary with a Quantum Computer this can potentially come up  is able to attempt against NTRUEncrpyt (as implemented by in  the current NTRU library). One of the key recovery attacks actually attacks the key generation process that the NTRU library uses; it would be easy to modify the library to foil this approach (for example, both to use stronger hash functions when generating the hashed value $h$, and by extending the entropy extracted from the random number generator from $k+64$ bits to at least $2k$ bits to prevent someone using Grover's algorithm to guess the preimage value). Because of the ease of this modification, and because the modified library would continue to interoperate with existing NTRU implementations, we recommend that such a change be made (even if it is not clear if this attack is actually practical). TLS 1.3 draft.  We These results  have also presented another key recovery attack that uses fewer operations than expected been specific  to recover the private key (assuming one of the four standardized parameter sets); ring-LWE,  however this attack is thoroughly impractical. We don't recommend any change it would appear likely that these results would also extend  to cover this attack. similar LWE-based protocols.  Neither of the two plaintext recovery attacks we have presented actually attack the NTRU primitive itself; instead, they attack the NAEP padding method, and take advantage of the fact that the internal primitives selected for the parameter sets are scaled to withstand attacks by a classical computer, and are not sufficient if the attacker has a Quantum Computer.  These attacks may have some practical impact. For example, in 'A quantum-safe circuit-extension handshake for Tor\cite{Schanck_2015}', they suggest using the NTRUEncrypt parameter set EES439EP1 (a 128 bit parameter set) to protect Tor traffic; do these results mean that someone with a Quantum Computer could reconstruct the original sender of a message with $O(2^{80})$ work?  There are three obvious ways to address the issues here. The first strategy would be to use a stronger parameter set; if your target is 128 bits security, use an NTRU parameter set targeted towards 256 bit security; such a parameter set would provide at least 128 bits security against all known attacks, even if the attacker has a Quantum Computer. The costs here are that the ciphertext and public key sizes increases, as well as a small increase in the encryption and decryption time.  The second strategy would be to define alternative parameter sets that are designed to be Quantum-Resistant. These alternative parameter sets might use the same polynomials as the current sets; however we would modify the primitives used using the NAEP padding method; they would use wider hash functions, and larger $b$ values. The costs here would be that the new parameter sets would be incompatible with libraries that only understood the old sets, plus a minor decrease in the amount of plaintext that NTRU could encrypt in a single message (because $b$ is now larger).  The third way of addressing this is to question whether this is actually a threat after all. $O(2^{64})$ work (as the worse case plaintext recovery attack) may sound like a conceivable amount of work; however that notation conceals a constant of proportionality, and that constant might be of significant size. In both of these attacks, the amount of work involves is actually $O(2^{64})$ encryption operations; in addition, each operation is done on a Quantum Computer (using entangled states, and using some Quantum Error Correction logic). It would appear plausible that such an operation may be considerably more expensive than the corresponding operation on a classical computer. However, we don't have a working Quantum Computer, and so we can't be certain how much more expensive these operations would be. Because of this uncertainty, while this line of argument may sound promising, our opinion is that we shouldn't rely only on that; we recommend one of the previous two strategies (especially given their relatively low cost).