On Thu, Dec 31, 2015 at 3:51 PM, isis isis@torproject.org wrote:
Zhenfei Zhang transcribed 22K bytes:
[...]
In addition, this is a modular design that allows us to use any quantum-safe cryptographic primitives. As a proof of concept, we instantiated the protocol with NTRUEncrypt lattice-based crypto. We implemented the protocol with NTRU parameters that give 128 bits of security. The code is available at https://github.com/NTRUOpenSourceProject/ntru-tor
Thanks! This is great! Having an implementation to go along with the proposal makes it easier to evaluate. I've already actually looked at your code a couple months ago, but I'll take a second look after the new year and see what (if anything) changed.
However, if we were to go the route of using NTRU, we'd likely want to instead use Dan Bernstein's NTRU Prime parameters, in order to eliminate some of the inherent algebraic structure of the ideal lattice which might possibly be exploited. [0] [1]
I'd also like us to consider the Ring-LWE proposals that Yawning has been working on, but I think that this proposal forms a good basis for future work in all those directions.
(Generally, I'm a bit afraid of being the first adopter of much of anything, or the biggest user of any protocol, but I think we're soon reaching the point where we'll have to.)
Also, what is the current state of patents on NTRU? My understanding is that NTRU is dual-licenced as GPLv2+ and commercial, [2] however, Tor is currently BSD licenced. Would it be necessary to relicense Tor as GPLv2+? Will the GPL exceptions continue to be applied to further patents on optimisations and improvements/protections for NTRU?
Have a look at https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/FOSS%20Exce... . If I'm reading that right (and Wendy has seen it too), we have their permission to use their GPL code along with BSD-licensed Tor.
peace, and a happy new year to all,