NTRU 1.0 released

der_be...@hotmail.com

Sep 5, 2011, 9:08:49 PM
NTRU is the most practical successor to RSA and ECC(*). A free and
open implementation has been under development and just went out of
beta in the 1.0 release.

(*) According to NIST: http://middleware.internet2.edu/idtrust/2009/papers/07-perlner-quantum.pdf

Scott Contini

Sep 6, 2011, 12:00:52 AM
On Sep 6, 11:08 am, "der_benut...@hotmail.com"
> (*) According to NIST: http://middleware.internet2.edu/idtrust/2009/papers/07-perlner-quantu...

NTRU is patented, so I'm not sure how you can claim
that you have a free implementation. Please clarify.

Scott

ash...@msn.com

Sep 6, 2011, 12:10:35 AM
wrote in message
news:7e784485-fbef-41b2...@m4g2000pri.googlegroups.com...

> NTRU is the most practical successor to RSA and ECC(*).

You forgot a few qualifiers:
    of Lattice based schemes
    of currently known systems
    limited current deployment
    limited public examination (not many have cared about it yet)
    has no viable signature system (I don't consider a system that can be
        broken from a relatively small number of signatures viable)
    patent encumbered (at least last time I checked)
    the statement is an overview of the current state of the art, not an
        endorsement
    the conclusion of the paper is that designers need to be aware of
        upcoming changes
    the paper does NOT endorse any algorithm as "the most practical
        successor"

and of course the biggest qualifier pair
    assuming that quantum computers become viable
    assuming no advance is made in quantum mathematics

Did I miss any of the obvious qualifiers? It should also be noted that
similarly long lists can be made for both Lamport and McEliece, the other
possibilities in the paper.

Or you could actually pay attention to the paper, and recognize that it is
balanced in its recommendation that Lamport, McEliece, and NTRU need to be
acknowledged for a post-quantum computation world.
Joe

der_be...@hotmail.com

Sep 6, 2011, 1:45:19 AM
On Sep 5, 9:10 pm, <ashw...@msn.com> wrote:
> You forgot a few qualifiers:
>     of Lattice based schemes

True, my bad.

>     of currently known systems

Yes, obviously!

>     limited current deployment
>     limited public examination (not many have cared about it yet)

It's true that NTRU isn't being used in many places, but NTRU has been
under academic scrutiny for years and papers have been published by
various cryptographers.

>     has no viable signature system (I don't consider a system that can be
>     broken from a relatively small number of signatures viable)

10 million is what you get with one perturbation, but you can always
use more than one. There is a paper that talks about how the maximum
number of signatures increases exponentially with the number of
perturbations.

> patent encumbered (at least last time I checked)

Yes, but so is MP3.

>     assuming that quantum computers become viable

Yes, but aside from quantum computing, NTRU also has a performance
advantage over RSA and ECC.

der_be...@hotmail.com

Sep 6, 2011, 1:49:16 AM
On Sep 5, 9:00 pm, Scott Contini <the_great_cont...@yahoo.com> wrote:
> NTRU is patented, so I'm not sure how you can claim
> that you have a free implementation.  Please clarify.

Patented != non-free.

NTRU is released under the Non-Profit OSL 3.0 with the blessing of the
patent holder.
http://www.opensource.org/licenses/NPOSL-3.0

Noob

Sep 6, 2011, 4:58:01 AM
der_benutzer wrote:

> Joe wrote:
>
>> You forgot a few qualifiers:

>> patent encumbered (at least last time I checked)
>
> Yes, but so is MP3.

What is your point? That MPEG Audio Layer III is widely used despite
being a patent minefield?

Could this be because the technology was managed like crack: give it
away for free until people become hooked, then jack the price up?

In any case, Vorbis is technologically superior and patent-free.

http://en.wikipedia.org/wiki/Vorbis

Holders of patents on mathematics are societal parasites.

der_be...@hotmail.com

Sep 6, 2011, 10:50:36 AM
On Sep 6, 1:58 am, Noob <r...@127.0.0.1> wrote:
> What is your point? That MPEG Audio Layer III is widely used despite
> being a patent minefield?

Yes, and I do agree that software patents are a nuisance. But it's
something we have to deal with until sanity prevails.

ash...@msn.com

Sep 7, 2011, 1:18:41 AM
wrote in message
news:a79a626d-9042-40ce...@a10g2000prn.googlegroups.com...

> On Sep 5, 9:10 pm, <ashw...@msn.com> wrote:
> > limited current deployment
> > limited public examination (not many have cared about it yet)

> It's true that NTRU isn't being used in many places, but NTRU has been
> under academic scrutiny for years and papers have been published by
> various cryptographers.

And factorization has been under academic analysis for a couple thousand
years. The real truth is that NTRU has not received the scrutiny necessary
for me to be comfortable with it. If you look at the papers on NTRU you will
see a repetition of the broken/patched process; almost every new paper is
one of these two. Now compare this to RSA where (barring formatting changes)
the attacks don't scale to the performance. ECC where the attacks don't
scale to performance. McEliece where the attacks don't scale to performance.
One of these is not like the others. This is not to say that the process
will necessarily continue in the future, just that the histories have been
different.

> > has no viable signature system (I don't consider a system that can
> > be broken from a relatively small number of signatures viable)

> 10 million is what you get with one perturbation, but you can always
> use more than one.

10 million is an extremely short lifetime. Compare this again against the
others. RSA has no such limitations. ECDSA has no such limitation. McEliece
has no such limitation. Again, one of these is not like the others.

> There is a paper that talks about how the maximum
> number of signatures increases exponentially with the number of
> perturbations.

That seems reasonable, but an exponential increase for an exponential cost
gains you nothing.

> > patent encumbered (at least last time I checked)

> Yes, but so is MP3.

Actually it is only the processing of certain aspects of MP3 that are
currently covered. Just glancing at
http://mp3licensing.com/patents/index.html shows the real truth when you
know patents have a 20 year lifetime from date of first application. Section
1 is all expired. Section 2 expires in a few weeks. Section 3 is expired.
Section 4 expires in 2 months. Section 5 expired. Section 6 expired. Section
7 expired. Section 8 expires in 2 months. Section 9 expired. Section 10
expired. Section 11 expired. Section 12 is not applicable to mp3 (dated too
long after publication). Section 13 has about a year and may be applicable.
Section 14 expired. Section 15 not mp3. Section 16 expired. Section 17 not
mp3. Section 18 expired. I stopped there, you get the idea.

Of course going back to our theme. NTRU is patented. RSA patent expired long
ago. ECC core patent expired long ago (there are some patents on
optimizations). McEliece does not immediately appear patented. Again, one of
these is not like the others.

> > assuming that quantum computers become viable

> Yes, but aside from quantum computing, NTRU also has a performance
> advantage over RSA and ECC.

That is arguable, at best. You are forgetting the cost of moving that much
data around. While it is typical for less experienced individuals to go "oh
it's just a couple kilobits, no big deal" look at the costs involved in
transferring a credit card number (about 96 bytes) over an ephemeral
connection. This is not an uncommon event. Using NTRU the minimum data
transferred is 608 bytes (public key, encrypted data, credit card), for an
overhead of 533%. Using RSA the minimum data transferred is 352 bytes an
overhead of 267%. ECC the minimum data transferred is 178 bytes, an overhead
of 85%. Which one will be faster depends on your constraints. Very often the
restriction factor is the data transfer rate, it is cheap to get a
computation system that can handle 1000 ops/sec of any of them, but
bandwidth is often more expensive. Even within the same system, a fully
utilized system will be swapping data in and out at a phenomenal rate,
moving 178 bytes takes less time than moving 608.

Determining which one has the highest performance is a much more complicated
process than just counting opcodes.

To summarize anyway. Most of NTRU's limitations are not limitations of the
competition (one of these is not like the others), and the alleged
performance advantage may not actually exist in the real world.
Joe

der_be...@hotmail.com

Sep 7, 2011, 2:36:08 AM
On Sep 6, 10:18 pm, <ashw...@msn.com> wrote:

> > There is a paper that talks about how the maximum
> > number of signatures increases exponentially with the number of
> > perturbations.
>
> That seems reasonable, but an exponential increase for an exponential cost
> gains you nothing.

The cost is linear because a perturbation increases signing time by a
constant amount.

> Actually it is only the processing of certain aspects of MP3 that are
> currently covered. Just glancing at
> http://mp3licensing.com/patents/index.html shows the real truth when you
> know patents have a 20 year lifetime from date of first application.

Point taken - MP3 patents are about to expire whereas the first NTRU
patents won't expire until 2016.

> That is arguable, at best. You are forgetting the cost of moving that much
> data around. While it is typical for less experienced individuals to go "oh
> its just a couple kilobits, no big deal" look at the costs involved in
> transferring a credit card number (about 96 bytes) over an ephemeral
> connection.

That point taken, too.

Jean-Marc Desperrier

Sep 14, 2011, 9:16:47 AM
ash...@msn.com wrote:
> only the processing of certain aspects of MP3 that are currently covered.
> Just glancing at http://mp3licensing.com/patents/index.html shows the
> real truth when you know patents have a 20 year lifetime from date of
> first application

Not true for US patents filed before 1995 which will stay valid 17 years
after being *issued*, if this comes later than the 20 years after
application.

This makes at least US 5 559 834 annoying until Sept. 2013 and
US 5 812 672 until Sept. 2015.