[PATCH] Add NTRUEncrypt public key encryption algorithm
Christian Grothoff
grothoff at gnunet.org
Mon Sep 14 16:16:47 CEST 2015
Hi Werner,
Hi Zhenfei,
I wanted to chime in with two independent comments:
1) The key question is not that it is not clear *when* quantum
computers will become available, but *if* (ever). But, the
secondary question is how expensive it would be to offer some
reasonable additional protection *just in case*. The issue
here is that the NSA is likely to store everything that they
cannot decrypt today for the foreseeable future (i.e. 30-100
years), and it might be really problematic for some people
if we tell them something is fine and in 5, 10 or 30 years
they all get rounded up and thrown into jail by some future
regime with PQ crypto.
Now, this hypothetical scenario doesn't justify crazy measures,
but after quite extensive discussions here in Rennes,
Jeff finally convinced me that with a scheme like NTRU, we
could reinforce (!) the existing 3DH-Axolotl key exchange in
GNUnet, so we get the best security of both schemes (modulo
hypothetical remote-code execution 0-days in the crypto code).
So we're actually strongly considering NTRU (and other PQ-schemes,
but NTRU so far seems very good on the potential security
improvement vs. performance loss/complexity front) as an
additional (likely for a while optional) handshake within
GNUnet (which so far uses primarily libgcrypt for
crypto-primitives) for the future. No code yet, but plenty of
thinking.
2) For including NTRU in libgcrypt, the GPL vs. LGPL and the
patent issue are crucial. One of the issues that I had/have
with NTRU is that the GPL-only exceptions to the patents
will make it tricky for NTRU to become a widely used
cryptographic primitive. While I like giving free software
an edge, this also means that it is less likely to be the
most widely used PQ system, and thus also not the most
analyzed/understood. If the license were changed to LGPL
and the patent clause broadened to cover LGPL libraries,
that concern would disappear. (Note that GNUnet is GPL,
so for GNUnet this does not matter too much.)
In any case, if this integration with libgcrypt does eventually
go ahead, I would strongly urge that the FSF also looks over
the specific patent exemptions and that this is done in writing.
My 2 cents
Happy hacking!
Christian
On 09/14/2015 03:37 PM, Zhenfei Zhang wrote:
>
>> - Post quantum crypto is quite young and as of now mostly an academic
>> exercise.
>
> It is not clear when quantum computers will become available.
>
> I think those imply a valid demand of post quantum crypto in the industry.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> *On licensing
>
> There are two pieces of code in this patch that are under GPL.
>
> - The base64 code is under GPL. We will rewrite that code so it will be
> free to use.
>
> - The NTRU source code is under GPL. We can make patent exemptions for
> libgcrypt, if it is okay. We have already made such an exemption for
> open source licenses, see
> https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/FOSS%20Exception.md
> Please let me know if this kind of exemption for libgcrypt is good enough.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
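The reinforcement Christian describes above, running an NTRU exchange alongside the existing 3DH-Axolotl handshake so that the session key stays secret as long as either component holds, comes down to how the two shared secrets are combined. The following is an added example, not code from this thread, from GNUnet or from libgcrypt. It assumes nothing about NTRU or Axolotl themselves: the two shared secrets are constructed placeholder byte strings standing in for the outputs of the classical and the post-quantum exchange, and the combiner is HKDF-SHA256 (RFC 5869) implemented over Python's standard library. The label string and the transcript value are likewise constructed for the example.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with HMAC-SHA256."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("HKDF-Expand: requested length too large")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_shared_secrets(ss_classical: bytes, ss_pq: bytes,
                           transcript: bytes, length: int = 32) -> bytes:
    """Hybrid combiner: one session key from two independent shared secrets.

    Each secret is length-prefixed so the concatenation parses unambiguously,
    and the handshake transcript is mixed in so the key is bound to the public
    values that were actually exchanged. An adversary who lacks either secret
    cannot reconstruct the HKDF input, so the key is only as weak as the
    stronger of the two exchanges. This is a hypothetical construction for
    illustration, not GNUnet's actual handshake.
    """
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    prk = hkdf_extract(b"hybrid-kex-combiner-v1", ikm)  # constructed label
    return hkdf_expand(prk, b"session key" + transcript, length)


# Constructed placeholder values. Real code would take ss_classical from the
# 3DH-Axolotl exchange and ss_pq from the NTRU decryption/decapsulation.
SS_CLASSICAL = bytes.fromhex("11" * 32)
SS_PQ = bytes.fromhex("22" * 32)
TRANSCRIPT = b"constructed transcript: peer ids and ephemeral public keys"


def demo() -> dict:
    """Both peers derive the same key; an adversary holding only one half does not."""
    key_alice = combine_shared_secrets(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    key_bob = combine_shared_secrets(SS_CLASSICAL, SS_PQ, TRANSCRIPT)
    # Adversary who has recovered the classical secret (say, with a future
    # quantum computer) but not the NTRU secret: the best they can do is guess
    # the missing half, modelled here by an all-zero guess.
    key_attacker = combine_shared_secrets(SS_CLASSICAL, bytes(32), TRANSCRIPT)
    return {
        "peers_agree": key_alice == key_bob,
        "attacker_matches": key_attacker == key_alice,
        "key_hex": key_alice.hex(),
    }


if __name__ == "__main__":
    print(demo())
```

The same combiner covers the opposite failure as well: if NTRU turned out to be weak but the classical exchange held, the adversary would still be missing the classical half of the input. The caveat Christian raises (a remote-code-execution bug in either primitive's implementation) is outside what this combiner protects against, since it defends the key material, not the process computing it.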