The attack in the last link is on lattices over an ideal, which are related to but not the same as NTRU lattices. It's not clear how to extend it to the NTRU lattice. It's also not clear that, if extended, it would significantly improve on the best currently known attack on NTRU: that attack combines some lattice reduction on a sublattice with a meet-in-the-middle search on the unreduced space, allowing the attacker to carry out k bits of reduction plus k bits of search. This means that even if the ideal attack can be extended to the NTRU module, and even if it effectively halves the dimension of the lattice (thereby roughly square-rooting the attack time), the best currently known attack also approximately square-roots the running time relative to simply reducing the lattice, and it's not clear that a successfully extended ideal attack would end up being faster.
Anyway, right at the moment it simply isn't applicable, so it's hard to usefully factor it into the security estimates.

Link to the hybrid attack description is on https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/ntru-resources.html#abstracts, under "A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU".

Cheers,

William

-----Original Message-----
From: ntru-cry...@securityinnovation.com [mailto:ntru-cry...@securityinnovation.com] On Behalf Of Daniel Cegielka
Sent: Saturday, September 13, 2014 4:25 PM
To: why not
Cc: tech@openbsd.org; m...@openbsd.org; dera...@cvs.openbsd.org; t...@tedunangst.com; b...@openbsd.org; i...@resilientmachines.com; i...@henningbrauer.com; ntru-cry...@securityinnovation.com
Subject: [ntru-crypto] Re: LibreSSL & Post-Quantum World, NTRU

2014-09-13 19:27 GMT+02:00 why not <whynot1...@safe-mail.net>:
> hello
>
> Besides NTRU is having a GPL licence,

https://github.com/NTRUOpenSourceProject/ntru-crypto/issues/4
https://github.com/tbuktu/libntru

but:

http://blog.cr.yp.to/20140213-ideal.html

Daniel