Hello! I'm a developer on the Tor Project. We're thinking of adding a new cryptographic algorithm to Tor in order to improve our security against possible advances in quantum computation.
Many Tor servers run on Debian, and we'd like to make sure that everything we do in Tor can be distributed under the DFSG. One of the leading algorithms in this area, NTRU [1], is currently covered by a patent. The patent holders [2] have made free (libre and gratis) implementations available [3], along with some relatively permissive patent licenses [4] permitting the use of their patents in freely licensed software. Would there be any issues with including one or more of the NTRU libraries in Debian, with the patent licenses in [4] below? If there are no issues, great! How should we move forward? Are there more steps we should follow? But if there are issues, what can we do to solve them? The patent holders are enthusiastic about allowing free software to use their patents, and I believe they would be amenable to hearing what steps are needed. (I've cc'd them here.) [1] NTRU: https://en.wikipedia.org/wiki/NTRU [2] patent holders: https://www.securityinnovation.com/ Patents: https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/PATENTS.md [3] Libre implementations: https://github.com/NTRUOpenSourceProject/ntru-crypto [4] Patent licenses: https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/LICENSE.md https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/FOSS%20Exception.md best wishes, -- Nick
