P1363.1 D8
William Whyte, 2006-10-26
D7 to D8
• Written comments received from David Jablon (through 1363), Mark Etzel (internal to NTRU)
• Numerous typo(e)s fixed
  • E.g. inconsistencies in index numbering for conversion primitives
• Bibliography thoroughly checked
• Added conformance region recommendations to all scheme operations
• One major change in terminology: PRNG to SEF
  • Does not result in a change in outputs but is an improved description of the operation.
Encryption
[Figure: block diagram of the encryption operation. Labels in the diagram: octL, 00…, b, m, OID, BVGM, r, BRE2OSP, mod 2, r*h, MGF, XOR, OS2BREP, m', + e. Reading the labels in order: b, m and OID seed BVGM, which outputs r; r*h is reduced mod 2, converted with BRE2OSP and expanded with MGF; the result is XOR-ed with the formatted message block (octL, 00…, b, m), converted back with OS2BREP to give m', and the ciphertext e is r*h + m'.]
BVGM
• Takes m, b and OID as seed
• Uses this seed to generate a blinding polynomial r
• Generation method:
  • use seed to generate stream of pseudo-random octets
  • convert pseudo-random octets into integers mod N
  • throw away duplicates or numbers that would result in bias following mod N reduction
  • blinding polynomial consists of dr distinct integers
• Two changes in description of BVGM:
  • Previously referred to first step as “PRNG”
    • Now refer to it as “Seed Expansion Function” (SEF)
    • This is under discussion in X9 as well and terminology may change one more time
    • Final decision will be made this week
  • Gave explicit means to store state to allow multiple calls after seeding
    • This is what distinguishes SEF from MGF – MGF is only called once.
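The slide above describes BVGM only in outline. The following is an added example, not code from the draft or from NTRU, that carries the described procedure through: the seed (m, b, OID) is expanded into pseudo-random octets, each octet group is read as an integer, values that would bias the mod N reduction are rejected before reducing, duplicates are rejected after reducing, and generation stops at dr distinct indices. The seed expansion used here is SHA-256 in counter mode, chosen for illustration; it is not the SEF specified in P1363.1, and the seed ordering, the octet-group width and the parameter values are constructed for the demo. The SEF object keeps its counter between calls, which is the "stored state" the slide contrasts with a single-call MGF.

```python
import hashlib


class SeedExpansionFunction:
    """Stateful seed expansion (assumed SHA-256 counter mode, not the
    standard's SEF).  After seeding, next_octets() can be called
    repeatedly and continues the same stream."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0      # state kept between calls
        self.buffer = b""

    def next_octets(self, n: int) -> bytes:
        while len(self.buffer) < n:
            block = hashlib.sha256(self.seed + self.counter.to_bytes(4, "big")).digest()
            self.buffer += block
            self.counter += 1
        out, self.buffer = self.buffer[:n], self.buffer[n:]
        return out


def mgf(seed: bytes, n: int) -> bytes:
    """Stateless one-shot mask generation for comparison: every call
    restarts from the seed, so two calls give the same octets."""
    return SeedExpansionFunction(seed).next_octets(n)


def rejection_limit(N: int, octets_per_index: int) -> int:
    """Largest multiple of N that fits in one octet group.  Raw values
    at or above this limit are discarded so that v % N is uniform."""
    return (256 ** octets_per_index // N) * N


def bvgm(m: bytes, b: bytes, oid: bytes, N: int, dr: int,
         octets_per_index: int = 2) -> list:
    """Return dr distinct indices in [0, N) derived from (m, b, OID).
    Seed ordering OID || m || b is an assumption for this demo."""
    sef = SeedExpansionFunction(oid + m + b)
    limit = rejection_limit(N, octets_per_index)
    indices = []
    while len(indices) < dr:
        v = int.from_bytes(sef.next_octets(octets_per_index), "big")
        if v >= limit:          # would bias the mod N reduction: reject
            continue
        idx = v % N
        if idx in indices:      # duplicate index: reject
            continue
        indices.append(idx)
    return indices


def blinding_polynomial(indices: list, N: int) -> list:
    """Coefficient vector of r: 1 at each selected index, 0 elsewhere."""
    coeffs = [0] * N
    for i in indices:
        coeffs[i] = 1
    return coeffs


if __name__ == "__main__":
    # Constructed demo inputs; N and dr are illustrative, not a parameter set.
    m, b, oid = b"hello", b"\x01\x02\x03\x04", b"\x00\x01"
    idx = bvgm(m, b, oid, N=251, dr=8)
    print("indices:", idx)
    print("weight of r:", sum(blinding_polynomial(idx, 251)))
```

Because the SEF keeps its counter, a caller that needs more octets after BVGM (for example to draw a second set of indices) simply calls `next_octets` again and gets fresh output; `mgf` illustrates the contrast, returning identical octets on every call with the same seed.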