[tor-dev] Quantum-safe Hybrid handshake for Tor

Nick Mathewson nickm at alum.mit.edu
Thu Dec 31 21:41:20 UTC 2015


On Thu, Dec 31, 2015 at 3:51 PM, isis <isis at torproject.org> wrote:
> Zhenfei Zhang transcribed 22K bytes:

 [...]
>> In addition, this is a modular design that allows us to use any quantum-safe
>> cryptographic primitives. As a proof of concept, we instantiated the
>> protocol with NTRUEncrypt lattice-based crypto. We implemented the the
>> protocol with NTRU parameters that gives 128 bits security. The code is
>> available at https://github.com/NTRUOpenSourceProject/ntru-tor
>
> Thanks!  This is great!  Having an implementation to go along with the
> proposal makes it easier to evaluate.  I've already actually looked at your
> code a couple months ago, but I'll take a second look after the new year and
> see what (if anything) changed.
>
> However, if we were to go the route of using NTRU, we'd likely want to instead
> use Dan Bernstein's NTRU Prime parameters, in order to eliminate some of the
> inherent algebraic structure of the ideal lattice which might possibly be
> exploited. [0] [1]

I'd also like us to consider the Ring-LWE proposals that Yawning has
been working on, but I think that this proposal forms a good basis for
future work in all those directions.

(Generally, I'm a bit afraid of being the first adopter of much of
anything, or the biggest user of any protocol, but I think we're soon
reaching the point where we'll have to.)

> Also, what is the current state of patents on NTRU?  My understanding is that
> NTRU is dual-licenced as GPLv2+ and commercial, [2] however, Tor is currently
> BSD licenced.  Would it be necessary to relicense Tor as GPLv2+?  Will the GPL
> exceptions continue to be applied to further patents on optimisations and
> improvements/protections for NTRU?

Have a look at https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/FOSS%20Exception.md
.  If I'm reading that right (and Wendy has seen it too), we have
their permission to use their GPL code along with BSD-licensed Tor.

peace, and a happy new year to all,
-- 
Nick


More information about the tor-dev mailing list