(*) According to NIST: http://middleware.internet2.edu/idtrust/2009/papers/07-perlner-quantum.pdf
NTRU is patented, so I'm not sure how you can claim
that you have a free implementation. Please clarify.
Scott
> NTRU is the most practical successor to RSA and ECC(*).
You forgot a few qualifiers:
of Lattice based schemes
of currently known systems
limited current deployment
limited public examination (not many have cared about it yet)
has no viable signature system (I don't consider a system that can be broken from a relatively small number of signatures viable)
patent encumbered (at least last time I checked)
the statement is an overview of the current state of the art, not an endorsement
the conclusion of the paper is that designers need to be aware of upcoming changes
the paper does NOT endorse any algorithm as "the most practical successor"
and of course the biggest qualifier pair
assuming that quantum computers become viable
assuming no advance is made in quantum mathematics
Did I miss any of the obvious qualifiers? It should also be noted that
similarly long lists can be made for both Lamport and McEliece, the other
possibilities in the paper.
Or you could actually pay attention to the paper, and recognize that it is
balanced in its recommendation that Lamport, McEliece, and NTRU need to be
acknowledged for a post-quantum computation world.
Joe
True, my bad.
> of currently known systems
Yes, obviously!
> limited current deployment
> limited public examination (not many have cared about it yet)
It's true that NTRU isn't being used in many places, but NTRU has been
under academic scrutiny for years and papers have been published by
various cryptographers.
> has no viable signature system (I don't consider a system that can be broken from a relatively small number of signatures viable)
10 million is what you get with one perturbation, but you can always
use more than one. There is a paper that talks about how the maximum
number of signatures increases exponentially with the number of
perturbations.
> patent encumbered (at least last time I checked)
Yes, but so is MP3.
> assuming that quantum computers become viable
Yes, but aside from quantum computing, NTRU also has a performance
advantage over RSA and ECC.
Patented != non-free.
NTRU is released under the Non-Profit OSL 3.0 with the blessing of the
patent holder.
http://www.opensource.org/licenses/NPOSL-3.0
> Joe wrote:
>
>> You forgot a few qualifiers:
>> patent encumbered (at least last time I checked)
>
> Yes, but so is MP3.
What is your point? That MPEG Audio Layer III is widely used despite
being a patent minefield?
Could this be because the technology was managed like crack: give it
away for free until people become hooked, then jack the price up?
In any case, Vorbis is technologically superior and patent-free.
http://en.wikipedia.org/wiki/Vorbis
Holders of patents on mathematics are societal parasites.
Yes, and I do agree that software patents are a nuisance. But it's
something we have to deal with until sanity prevails.
> > There is a paper that talks about how the maximum
> > number of signatures increases exponentially with the number of
> > perturbations.
>
> That seems reasonable, but an exponential increase for an exponential cost
> gains you nothing.
The cost is linear because a perturbation increases signing time by a
constant amount.
> Actually it is only the processing of certain aspects of MP3 that are
> currently covered. Just glancing at http://mp3licensing.com/patents/index.html shows the real truth when you
> know patents have a 20 year lifetime from date of first application.
Point taken - MP3 patents are about to expire whereas the first NTRU
patents won't expire until 2016.
> That is arguable, at best. You are forgetting the cost of moving that much
> data around. While it is typical for less experienced individuals to go "oh
> its just a couple kilobits, no big deal" look at the costs involved in
> transferring a credit card number (about 96 bytes) over an ephemeral
> connection.
That point taken, too.