[PATCH] Add NTRUEncrypt public key encryption algorithm

Christian Grothoff grothoff at gnunet.org
Mon Sep 14 16:16:47 CEST 2015

Hi Werner,
Hi Zhenfei,

I wanted to chime in with two independent comments:

1) The key question is not that it is not clear *when* quantum
   computers will become available, but *if* (ever).  But, the
   secondary question is how expensive it would be to offer some
   reasonable additional protection *just in case*.  The issue
   here is that the NSA is likely to store everything that they
   cannot decrypt today for the foreseeable future (i.e. 30-100
   years), and it might be really problematic for some people
   if we tell them something is fine and in 5, 10 or 30 years
   they all get rounded up and thrown into jail by some future
   regime with PQ crypto.

   Now, this hypothetical scenario doesn't justify crazy measures,
   but after quite extensive discussions here in Rennes,
   Jeff finally convinced me that with a scheme like NTRU, we
   could reinforce (!) the existing 3DH-Axolotl key exchange in
   GNUnet, so we get the best security of both schemes (modulo
   hypothetical remote-code execution 0-days in the crypto code).

   So we're actually strongly considering NTRU (and other PQ-schemes,
   but NTRU so far seems very good on the potential security
   improvement vs. performance loss/complexity front) as an
   additional (likely for a while optional) handshake within
   GNUnet (which so far uses primarily libgcrypt for
   crypto-primitives) for the future. No code yet, but plenty of

2) For including NTRU in libgcrypt, the GPL vs. LGPL and the
   patent issue are crucial. One of the issues that I had/have
   with NTRU is that the GPL-only exceptions to the patents
   will make it tricky for NTRU to become a widely used
   cryptographic primitive.  While I like giving free software
   an edge, this also means that it is less likely to be the
   most widely used PQ system, and thus also not the most
   analyzed/understood.  If the license were changed to LGPL
   and the patent clause broadened to cover LGPL libraries,
   that concern would disappear. (Note that GNUnet is GPL,
   so for GNUnet this does not matter too much.)

   In any case, if this integration with libgcrypt does eventually
   go ahead, I would strongly urge that the FSF also looks over
   the specific patent exemptions and that this is done in writing.

My 2 cents

Happy hacking!


On 09/14/2015 03:37 PM, Zhenfei Zhang wrote:
>> - Post quantum crypto is quite young and as of now mostly an academic
>>   exercise. 
> It is not clear when quantum computers will become available.  
> I think those imply a valid demand of post quantum crypto in the industry.
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> *On licensing
> There are two pieces of code in this patch that are under GPL.
> - The base64 code is under GPL. We will rewrite that code so it will be
> free to use.
> - The NTRU source code is under GPL. We can make patent exemptions for
> libgcrypt, if it is okay. We have already made such an exemption for
> open source licenses, see
> https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/FOSS%20Exception.md
> Please let me know if this kind of exemption for libgcrypt is good enough.
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++