Internet Draft Ari Singer, NTRU Document:draft-ietf-pkix-pkalgs-supp-00.txtdraft-ietf-pkix-pkalgs-supp-01.txt William Whyte, NTRU Expires:JanuarySeptember 2002 March 2002July 2001Supplemental Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile<draft-ietf-pkix-pkalgs-supp-00.txt><draft-ietf-pkix-pkalgs-supp-01.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026 [RFC2026]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Abstract This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys, includingNSSNTRUSign digital signatures andNTRUNTRUEncrypt andNSSNTRUSign subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures are used to sign certificates and certificate revocation lists (CRLs). Certificates include the public key of the named subject. 
This document is intended to be a companion todraft-ietf- pkix-ipki-pkalgs-03.txtdraft-ietf-pkix-ipki-pkalgs-05.txt [PKIX-ALGS] and may be merged with that document in future revisions if approved by the PKIX working group. Table of Contents Status of this Memo................................................1 Conventions used in this document..................................1 Abstract...........................................................1 1. Overview........................................................3 2. Algorithm Support...............................................3 2.1 Signature Algorithms...........................................4 2.1.1NSSNTRUSign SignatureAlgorithm......................................4Algorithm.................................4 2.2 Subject Public Key Algorithms..................................6 2.2.1NTRU Keys....................................................6NTRUEncrypt Keys.............................................6 2.2.2NSS Keys....................................................11NTRUSign Keys...............................................12 3. ASN.1Module...................................................16Module...................................................15 4. SecurityConsiderations........................................22Considerations........................................21 5. Intellectual PropertyRights...................................22Rights...................................21 6. Acknowledgements...............................................21 7. References.....................................................22 Authors' Addresses................................................23 1. Overview This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). This specification supplements RFC 2459 [RFC2459], "Internet Public Key Infrastructure: X.509 Certificate and CRL Profile". 
Implementations of this specification must also conform to RFC 2459 [RFC2459]. This document is being written concurrently with the PKIX public key algorithms Internet Draft [PKIX-ALGS] (the latest version as of this writing isdraft-ietf-pkix-ipki-pkalgs-03.txt).draft-ietf-pkix-ipki-pkalgs-05.txt). It is intended that when this document is completed and approved by the PKIX working group that it be merged with that document. The format of this document is written to approximately match the format of that Internet Draft. This specification defines the contents of the signatureAlgorithm, signatureValue, signature and subjectPubliKeyInfo fields within Internet X.509 certificates and CRLs. This document does not currently introduce any new one-way hash functions,howeverbut it specifies the use of SHA-256, SHA-384 andSHA- 512SHA-512 hash algorithms as defined in the draft of FIPS 180-2[FIPS180- 2][FIPS180-2] as well as the SHA-1 hash algorithm as defined in FIPS 180-1[FIPS180-1][FIPS180- 1] with theNSSNTRUSign signature algorithm. It is anticipated that future revisions will include the algorithm identifiers and ASN.1 encoding of the FIPS 180-2 hash algorithms. This specification describes the encoding of digital signatures generated with the following cryptographic algorithms; *NTRUNTRUSign Signature Scheme(NSS).(NTRUSign). It is anticipated that future revisions of this document will include the extended version of the Digital Signature Algorithm (DSA) [FIPS186-2], which has not yet been published. In addition, it is anticipated that the document will include the algorithm identifiers and ASN.1 encoding of pre-existing algorithms (e.g. RSA) when used in conjunction with the FIPS 180-2 hash algorithms. This document specifies the contents of the subjectPublicKeyInfo field in Internet X.509 certificates. For each algorithm, the appropriate alternatives for the keyUsage extension are provided. 
This specification describes encoding formats for public keys used with the following cryptographic algorithms: *NTRUNTRUEncrypt Encryption Scheme(NTRU)(NTRUEncrypt) *NTRUNTRUSign Signature Scheme(NSS)(NTRUSign) 2. Algorithm Support This section describes cryptographic algorithms that may be used with the Internet X.509 Certificate and CRL Profile.ItIn particular, it describes theNSSNTRUSign digital signature algorithm, which may be used to sign certificates andCRLs, andCRLs. In addition, this section identifies OIDs and ASN.1 encoding for NTRUSign and NTRUEncrypt public keys contained in a certificate. It is anticipated that additional algorithms, such as the extended version of DSA, will be included in future revisions. Conforming CAs and application are not required to support the algorithms or algorithm identifiers described in this section. However, conforming CAs and applications that use the algorithms identified here MUST support them as specified. 2.1 Signature Algorithms Certificates and CRLs conforming to RFC 2459 [RFC2459] may be signed with any public key signature algorithm. The certificate or CRL indicates the algorithm through an algorithm identifier, which appears in the signatureAlgorithm field within the Certificate or CertificateList.ThisAn algorithm identifierisconsists of an OID andhas optionally(optionally) associated parameters. This sectionidentifies algorithm identifiersdescribes OIDs andparameters that MUST be used in the signatureAlgorithm field in a Certificate or CertificateList.parameter encoding for NTRUSign. Signature algorithms are always used in conjunction with a one-way hash function.This section identifies OIDs for NSS. Details for the contents of the parameters component for NSS are provided.The data to be signed(e.g.,(e.g. the one-way hash function output value) is formatted for the signature algorithm to be used. Then, a private key operation (e.g.NSSNTRUSign signature primitive) is performed to generate the signature value. 
This signature value is then ASN.1 encoded as a BIT STRING and included in the Certificate or CertificateList in the signature field. 2.1.1NSSNTRUSign Signature Algorithm TheNSSNTRUSign signature algorithm was invented by Hoffstein,PipherHowgrave-Graham, Pipher, Silverman andSilverman.Whyte. It is defined in Efficient Embedded Security Standard (EESS) #1 [EESS#1]. This profile defines a single signature algorithm,NSSthe NTRUSign signature algorithm with the SHA-1, SHA-256, SHA-384 or SHA-512 one-way hash function. The signature algorithm is implemented using the padding and encoding conventions described in EESS #1 [EESS#1]. The message digest is computed using the SHA-1 Hash Algorithm [FIPS180-1] or any of the SHA-2 algorithms [FIPS180-2] and the message digest is encoded using the MGF1 mask generation function as specified in Std IEEE 1363-2000 [IEEE1363]. Unlike previously defined public-key signature algorithms, the object identifier for theNSSNTRUSign signature algorithm does not specify the hash function. Rather, the parameter field in the AlgorithmIdentifier contains an indication of the hash function as well as the encoding methods that are to be used. The ASN.1 object identifier used to identify this signature algorithmis: id-ntru-EESS1v1-SVSSAis named id-ntru-EESS1v1-NTRUSign and is given by the following ASN.1: ntru OBJECT IDENTIFIER ::={ iso(1) ISO Identified Organization(3) US Department of Defense(6) Internet(1) Private(4) Enterprises(1) NTRU Cryptosystems(8342){iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) ntruCryptosystems (8342) } id-eess1 OBJECT IDENTIFIER ::= {ntru eess(1)eess-1(1) eess1- algs(1) 2}1} id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1} id-ntru-EESS1v1-NTRUSign OBJECT IDENTIFIER ::= {id-eess1-algs 3} When this OID appears in the signatureAlgorithm field or the signature field of an X.509 certificate, the encoding SHALL omit the parameters field. 
That is, the AlgorithmIdentifier shall be a SEQUENCE of one component: the OBJECT IDENTIFIER id-ntru-EESS1v1- SVSSA. TheNSSNTRUSign parameters in the subjectPublicKeyInfo field of the certificate of the issuer shall apply to the verification of the signature. When signing, theNSSNTRUSign algorithm generates a signature polynomial. This polynomial SHALL be encoded as an OCTET STRING as described in EESS #1 [EESS#1]. The signature SHALL be ASN.1 encoded using the following ASN.1 structure:NSSSignedDataNTRUSignSignedData ::= NTRUPublicVector NTRUPublicVector ::= CHOICE { modQVector [0] IMPLICIT ModQVector, packedModQVector [1] IMPLICITPackedModQVectorPackedModQVector, ...} ModQVector ::= OCTET STRING PackedModQVector ::= OCTET STRING The field choices of type NTRUPublicVector have the following meanings: modQVector is the representation of the NTRUPublicVector in unpacked form. For a polynomial of degree N-1 with coefficients reduced mod q, each of the N bytes of the OCTET STRING represent integers x in the range 0 <= x < q corresponding to the coefficient values of the polynomial from lowest degree to highest. packedModQVector is the representation of the NTRUPublicVector in packed form. For a polynomial of degree N-1 with coefficients reduced mod q, each log_2(q) bits of the OCTET STRING represent integers x in the range 0 <= x < q corresponding to the coefficient values of the polynomial from lowest degree to highest. The values arepacked starting from the left,concatenated bitwise, without any intermediate padding, and irrespective of the byteboundaries and the final byte ofboundaries. If necessary, zero bits are appended to theOCTET STRING is padded onpacked data in order to make theright with zeros (if necessary).length a multiple of 8 bits. Implementations that sign certificates usingNSSNTRUSign SHOULD encode the signature as a ModQVector. 
2.2 Subject Public Key Algorithms Certificates conforming to RFC 2459 [RFC2459] may convey a public key for any public key algorithm. The certificate indicates the algorithm through an algorithm identifier. This algorithm identifierisconsists of an OID and optionally associated parameters. This section identifies preferred OIDs and parameters for theNTRUNTRUEncrypt andNSSNTRUSign algorithms. Conforming CAs MUST use the identified OIDs when issuing certificates containing public keys for these algorithms. Conforming applications supporting any of these algorithms MUST, at a minimum, recognize the OIDs identified in this section. 2.2.1NTRUNTRUEncrypt Keys This section identifies the preferred OID and parameter encoding for the inclusion of anNTRUNTRUEncrypt public key in a certificate. TheNTRUNTRUEncrypt encryption algorithm is defined in EESS #1 [EESS#1]. The OID id-ntru-EESS1v1-SVES identifiesNTRUNTRUEncrypt public keys.id-eess1 OBJECT IDENTIFIER ::= { iso(1) ISO Identified Organization(3) US Department of Defense(6) Internet(1) Private(4) Enterprises(1) NTRU Cryptosystems(8342) eess(1) 1} id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1}id-ntru-EESS1v1-SVES OBJECT IDENTIFIER ::= {id-eess1-algs 1} The id-ntru-EESS1v1-SVES OID is intended to be used in the algorithm field of a value of type AlgorithmIdentifier.NTRUNTRUEncrypt requires use of certain parameters with the public key. The parameters may be implied by context, implicitly included through reference of a degree, implicitly included through reference of a standard parameter set or explicitly included in the certificate. The parameters associated with id-ntru-EESS1v1-SVES are EESS1v1-SVES- Parameters. 
EESS1v1-SVES-Parameters ::= CHOICE { degreeINTEGER (CONSTRAINED BY {--must be 251, 347 or 503}),Degree, standardNTRUParametersOBJECT IDENTIFIER {{NTRUParameters}},StandardNTRUParameters, explicitNTRUParameters ExplicitNTRUParameters, externalParameters NULL } When the parameters are implied by context, the parameters field SHALL contain externalParameters, which is a value of the ASN.1valuetype NULL. When the parameters are specified by degree, the values are restricted to 251, 347 and 503. For the three permitted choices, the parameters are defined to be ees251ep1, ees347ep1 and ees503ep1 respectively as defined in EESS #1 [EESS#1]. Specifying the degree is the preferred way for transmitting parameter information for the scheme when the parameters are not implied by context. Degree ::= INTEGER (251 | 347 | 503, ...) When the parameters are specified by reference of a standard, the parameters shall consist of an OID chosen from the list NTRUParameters. The current list of NTRUParameters OIDs is: StandardNTRUParameters ::= OIDS.&id({NTRUParameters}) NTRUParametersOBJECT IDENTIFIEROIDS ::= {id-ees251ep1| id-ees347ep1| id-ees503ep1|{ OID id-ees251ep1 }| { OID id-ees347ep1 }| { OID id-ees503ep1 }, ...} The above object identifiers are specified by: id-eess1-params OBJECT IDENTIFIER ::= {id-eess1 2} id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params 1} id-ees347ep1 OBJECT IDENTIFIER ::= {id-eess1-params 2} id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params 3} When the parameters are explicitly included, they SHALL be encoded in the ASN.1 structure ExplicitNTRUParameters: ExplicitNTRUParameters ::= SEQUENCE { versionINTEGER,Version, degree INTEGER, bigModulus INTEGER, smallModulus SmallModulus, mrgmAlgorithmIdentifier {{ntruEESS1v1MRGMs}},NTRUMRGMAlgorithmIdentifier, db INTEGER, bvgmAlgorithmIdentifier {{ntruEESS1v1BVGMs}},NTRUBVGMAlgorithmIdentifier, ...} Version ::= INTEGER { v0(0) } (v0, ...) 
SmallModulus ::= CHOICE { integerValue INTEGER, polynomialValue NTRUGeneralPolynomial } NTRUGeneralPolynomial ::= SEQUENCE {degreenumberOfEntries INTEGER,qmodulus INTEGER, coefficientsTruncatedModQVectorGeneralVector }TruncatedModQVectorGeneralVector ::= OCTET STRING The fields of type NTRUGeneralPolynomial have the following meanings:degreenumberOfEntries is thedegreenumber of coefficients used to represent thepolynomial. qpolynomial - this number isa modulus; more generally, qequal to the degree of the polynomial plus 1. modulus is an upper bound on the value of the coefficients. coefficients is the list of numberOfEntries coefficients,listed as a ModQVector with only degree+1 coefficient entries.represented in order from lowest degree to highest degree. Ifqmodulus < 257, each coefficient is stored in a single byte. Ifqmodulus > 256 andqmodulus < 2^16, each coefficient is stored in two bytes. The fields of type SmallModulus have the following meanings: integerValue is the value of p if p is an integer. polynomialValue is the value of p if p is a polynomial. The fields of type ExplicitNTRUParameters have the following meanings: version is the version number, for compatibility with future revisions of this document. It SHALL be 0 for this version of the document. degree is the value N. bigModulus is the value q. q will be 256 or less. smallModulus is the value p. It SHALL be represented with the SmallModulustype, defined below.type. mrgm identifies the message representative generation method using an allowed AlgorithmIdentifier. db is the size of the random component. bvgm identifies the blinding value generation method using an allowed AlgorithmIdentifier. Thefields of type SmallModulus have the following meanings: integerValue is the value of p if p is an integer. polynomialValue isASN.1 for thevalue of p if p is a polynomial. 
The AlgorithmIdentifiersmrgm used in ExplicitNTRUParametersareis specified below.ntruEESS1v1MRGMsNTRUMRGMAlgorithmIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1MRGMs}} NTRUEESS1v1MRGMs ALGORITHM ::= {{NTRUMRGM1-params IDENTIFIED BY id-mrgm-ntru-1},{OID id-mrgm-ntru-1 PARMS NTRUMRGM1-params}, ...} id-eess1-encodingMethods OBJECT IDENTIFIER ::= {id-eess1 3} id-mrgm-ntru-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 1} NTRUMRGM1-params ::= NTRUHashAlgorithmIdentifier NTRUHashAlgorithmIdentifier ::= AlgorithmIdentifier{{ntruEESS1v1Hashes}}{{NTRUEESS1v1Hashes}} The identifier id-mrgm-ntru-1 identifies the message representative generation method MRGM-NTRU1, defined in EESS #1 [EESS#1]. The parameters identify the hashing mechanism using an allowed AlgorithmIdentifier.ntruEESS1v1Hashes AlgorithmIdentifierNTRUEESS1v1Hashes ALGORITHM ::= {{NULL IDENTIFIED BY id-sha1}| {NULL IDENTIFIED BY id-sha256}| {NULL IDENTIFIED BY id-sha384}| {NULL IDENTIFIED BY id-sha512}|{OID id-sha1 PARMS NULL}| {OID id-sha256 PARMS NULL }| {OID id-sha384 PARMS NULL }| {OID id-sha512 PARMS NULL }, ...} These identifiers identify the one-way hash algorithms SHA-1 [FIPS180-1] and SHA-2 [TBD].ntruEESS1v1BVGMsThe ASN.1 for the bvgm used in ExplicitNTRUParameters is specified below. 
NTRUBVGMAlgorithmIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1BVGMs}} NTRUEESS1v1BVGMs ALGORITHM ::= {{NTRUBVGM1-params IDENTIFIED BY id-bvgm-ntru-1}, {NTRUBVGM2-params IDENTIFIED BY id-bvgm-ntru-2},{OID id-bvgm-ntru-1 PARMS NTRUBVGM1-params}| {OID id-bvgm-ntru-2 PARMS NTRUBVGM2-params}, ...} id-bvgm-ntru-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 2} NTRUBVGM1-params ::= SEQUENCE { c INTEGER, prngAlgorithmIdentifier {{ntruEESS1v1PRNGs}},NTRUPRNGAlgorithmIdentifier, dr INTEGER } id-bvgm-ntru-2 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 3} NTRUBVGM2-params ::= SEQUENCE { c INTEGER, prngAlgorithmIdentifier {{ntruEESS1v1PRNGs}},NTRUPRNGAlgorithmIdentifier, dr1 INTEGER, dr2 INTEGER, dr3 INTEGER } The identifier id-bvgm-ntru-1 identifies blinding value generation method BVGM-NTRU1, defined in EESS #1 [EESS#1]. The identifier id- bvgm-ntru-2 identifies blinding value generation method BVGM-NTRU2, defined in EESS #1 [EESS#1]. The fields of type NTRUBVGM1-params have the following meanings: c is the random polynomial generation constant used to select the polynomial r. prng identifies the pseudo-random number generation algorithm using an allowed AlgorithmIdentifier. dr is the number of 1s in the blinding value r. The fields of type NTRUBVGM2-params have the following meanings: c is the random polynomial generation constant used to select the polynomial r. prng identifies the pseudo-random number generation algorithm using an allowed AlgorithmIdentifier. dr1 is the number of 1s in the blinding value component r1. dr2 is the number of 1s in the blinding value component r2. dr3 is the number of 1s in the blinding value component r3. 
The allowed pseudo-random number generation algorithms are defined by:ntruEESS1v1PRNGsNTRUPRNGAlgorithmIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1PRNGs}} NTRUEESS1v1PRNGs ALGORITHM ::= {{NTRUMGFAlgorithms}|NTRUMGFAlgorithms, ...} This identifies the pseudo-random number generation algorithm to be used when generating blinding values. The only allowed algorithms are MGF1 (see [IEEE 1363]) using SHA-1 [FIPS180-1] or SHA-2 [FIPS180-2]. NTRUMGFAlgorithmsAlgorithmIdentifierALGORITHM ::= {{MGF1Parameters IDENTIFIED BY id-mgf1}|{OID id-mgf1 PARMS MGF1Parameters}, ...} pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1} id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8} MGF1Parameters ::= AlgorithmIdentifier{{ntruEESS1v1Hashes}}{{NTRUEESS1v1Hashes}} TheNTRUNTRUEncrypt public key MUST be encoded using the ASN.1 type NTRUPublicKey. NTRUPublicKey ::= SEQUENCE { publicKeyVector NTRUPublicVector, -- h ntruKeyExtensionsSETNTRUKeyExtensions OPTIONAL } NTRUKeyExtensions ::= SEQUENCE SIZE(1..MAX) OF NTRUKeyExtensionOPTIONAL}NTRUKeyExtension ::= CHOICE { keyID [0] IMPLICIT INTEGER, ...} The fields of the type NTRUPublicKey have the following meanings: publicKeyVector is the polynomial h. If the NTRUPublicVector is a ModQVector, each coefficient will be represented by one byte starting with the lowest degree and going to the highest. If the NTRUPublicVector is a PackedModQVector, this is the OCTET STRING representing h obtained using RE2BSP and then BS2OSP as defined in EESS #1 [EESS#1]. All coefficients up to X^(N-1) SHALL be explicitly included in publicKeyVector. Representing theNTRUNTRUEncrypt public key as a ModQVector is the preferred method. ntruKeyExtensions is provided for future extensibility. Only one extension is currently defined. The fields of the type NTRUKeyExtension have the following meanings: keyID can be used to associate a unique key identifier with the key. 
If the keyUsage extension is present in an end entity certificate that conveys anNTRUNTRUEncrypt public key, any combination of the following values MAY be present: keyEncipherment; dataEncipherment; If the keyUsage extension is present in a CA certificate that conveys anNTRUNTRUEncrypt public key, any combination of the following values MAY be present: keyEncipherment; and dataEncipherment. 2.2.2NSSNTRUSign Keys This section identifies the preferred OID and parameter encoding for the inclusion of anNSSNTRUSign public key in a certificate. TheNSSNTRUSign signature algorithm is defined in EESS #1 [EESS#1]. The OID id-ntru-EESS1v1-SVSSA identifiesNSSNTRUSign public keys.id-ntru-EESS1v1-SVSSAid-ntru-EESS1v1-NTRUSign OBJECT IDENTIFIER ::= {id-eess1-algs2}3} Theid-ntru-EESS1v1-SVSSAid-ntru-EESS1v1-NTRUSign OID is intended to be used in the algorithm field of a value of type AlgorithmIdentifier.NSSNTRUSign requires use of certain parameters with the public key. The parameters may be implied by context (e.g. they may be inherited from the issuer), implicitly included through reference of a degree, implicitly included through reference of a standard parameter set or explicitly included in the certificate.EESS1v1-SVSSA-ParametersThe parameters associated with id-ntru-EESS1v1-NTRUSign are EESS1v1-NTRUSign-Parameters. EESS1v1-NTRUSign-Parameters ::= CHOICE { degreeINTEGER (CONSTRAINED BY {--must be 251, 347 or 503}), standardNSSParameters OBJECT IDENTIFIER {{NSSParameters}}, explicitNSSParameters ExplicitNSSParameters,Degree, standardNTRUSignParameters StandardNTRUSignParameters, explicitNTRUSignParameters ExplicitNTRUSignParameters, externalParameters NULL } When the parameters are implied by context, the parameters field SHALL contain externalParameters, which is the ASN.1 value NULL. When the parameters are specified by degree, thevalues arevalue is restricted to251, 347 and 503.251. 
For thethreepermittedchoices,choice, the parameters are defined to beees251sp1, ees347sp1 and ees503sp1 respectivelyees251sp2 as defined in EESS #1 [EESS#1]. Specifying the degree is the preferred way for transmitting parameter information for the scheme when the parameters are not implied by context. When the parameters are specified by reference of a standard, the parameters shall consist of an OID chosen from the listNSSParameters.NTRUSignParameters. The current list ofNSSParametersNTRUSignParameters OIDs is:NSSParameters OBJECT IDENTIFIERStandardNTRUSignParameters ::= OIDS.&id({NTRUSignParameters}) NTRUSignParameters OIDS ::= {id-ees251sp1| id-ees347sp1| id-ees503sp1|{ OID id-ees251sp2 }, ...} The above objectidentifiers areidentifier is specified by:id-ees251sp1id-ees251sp2 OBJECT IDENTIFIER ::= {id-eess1-params4} id-ees347sp1 OBJECT IDENTIFIER ::= {id-eess1-params 5} id-ees503sp1 OBJECT IDENTIFIER ::= {id-eess1-params 6}7} When the parameters are explicitly included, they SHALL be encoded in the ASN.1 structureExplicitNSSParameters: ExplicitNSSParametersExplicitNTRUSignParameters: ExplicitNTRUSignParameters ::= SEQUENCE { versionINTEGER,Version, degree INTEGER, bigModulus INTEGER,smallModulus SmallModulus, bounds NSSBounds, hash AlgorithmIdentifier {{ntruEESS1v1Hashes}}, mrgm AlgorithmIdentifier {{nssEESS1v1MRGMs}}, ...} NSSBounds ::= SEQUENCE { version INTEGER, l2NormBound1 INTEGER, l2NormBound2 INTEGER, lInfBounds0 Bounds, lInfBounds1 Bounds, lInfBounds2 Bounds, lInfBounds3 Bounds, devBound0 INTEGER, devBound1 INTEGER, devBound2 INTEGER, devBound3 INTEGER, devBoundTot0 INTEGER, devBoundTot1normBound INTEGER,devBoundTot2 INTEGER, devBoundTot3messageRandLength INTEGER, hash NTRUSignHashAlgIdentifier, mrgm NTRUSignMRGMAlgIdentifier, ...}Bounds ::= SEQUENCE { minimum INTEGER, maximum INTEGER }The fields of typeExplicitNSSParametersExplicitNTRUSignParameters have the following meanings: version is the version number, for compatibility with future revisions of 
this document. It SHALL be 0 for this version of the document. degree is the value N. bigModulus is the value q. q will be 256 or less.smallModulusnormBound is thevalue p. It SHALL be represented withmaximum norm of theSmallModulus type, defined in section 2.2.1. boundssignature messageRandLength is thelist of valueslength of thebounds that are usedrandomization padding appended tocheckthevalidity ofmessage digest before generating thesignature.message representative hash identifies the hash algorithm used using an allowed AlgorithmIdentifier. mrgm identifies the message representative generation method using an allowed AlgorithmIdentifier. Thetype NSSBounds is used to encode the bounds used when verifying the NSS signature. The fields of type NSSBounds have the following meaning: version is the version number, for compatibility with future revisions of this document. It shall be 0 for this version of the document. l2NormBound1 is the L2 norm bound on a single signature component, s or t. l2NormBound2 is the L2 norm bound on the combined signature s||t. lInfBounds0 gives LInfBoundjMin and LInfBoundjMax for j = 0. lInfBounds1 gives LInfBoundjMin and LInfBoundjMax for j = 1. lInfBounds2 gives LInfBoundjMin and LInfBoundjMax for j = 2. lInfBounds3 gives LInfBoundjMin and LInfBoundjMax for j = 3. devBound0 is the deviation bound DevBound0. devBound1 is the deviation bound DevBound1. devBound2 is the deviation bound DevBound2. devBound3 is the deviation bound DevBound3. devBoundTot0 is the deviation bound DevBoundTot0. devBoundTot1 is the deviation bound DevBoundTot1. devBoundTot2 is the deviation bound DevBoundTot2. devBoundTot3 is the deviation bound DevBoundTot3. Within the NSSBounds type, the Bounds type encodes pairs of upper and lower bounds on values. The fields of type Bounds have the following meaning: minimum is the lower bound. maximum is the upper bound. 
TheAlgorithmIdentifiers for the field hash ofExplicitNSSParametersExplicitNTRUSignParameters are chosen from the setntruEESS1v1Hashes,NTRUEESS1v1Hashes, which is defined in section 2.2.1. NTRUSignHashAlgIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1Hashes}} The AlgorithmIdentifiers for the field mrgm ofExplicitNSSParametersExplicitNTRUSignParameters are specified below.nssEESS1v1MRGMsNTRUSignMRGMAlgIdentifier ::= AlgorithmIdentifier {{NTRUSignEESS1v1MRGMs}} NTRUSignEESS1v1MRGMs ALGORITHM ::= {{NSSMRGM1-params IDENTIFIED BY id-mrgm-nss-1}, {NSSMRGM2-params IDENTIFIED BY id-mrgm-nss-2},{OID id-mrgm-ntrusign-1 PARMS NTRUSignMRGM1-params}| {OID id-mrgm-ntrusign-2 PARMS NTRUSignMRGM2-params}, ...}id-mrgm-nss-1id-mrgm-ntrusign-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods4} NSSMRGM1-params6} NTRUSignMRGM1-params ::=SEQUENCE { c INTEGER prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, di INTEGER } id-mrgm-nss-2NTRUSignPRNGAlgIdentifier id-mrgm-ntrusign-2 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods5} NSSMRGM2-params7} NTRUSignMRGM2-params ::= SEQUENCE { cINTEGER prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, di1INTEGER,di2numGroups INTEGER,di3 INTEGERnumElements INTEGER, prng NTRUSignPRNGAlgIdentifier } NTRUSignPRNGAlgIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1PRNGs}} The identifierid-mrgm-nss-1id-mrgm-ntrusign-2 identifies the message representative generation methodMRGM-NSS1,MRGM-NTRUSign1, defined in EESS #1 [EESS#1]. The identifierid-mrgm-nss-2id-mrgm-ntrusign-2 identifies the message representative generation methodMRGM-NSS2,MRGM-NTRUSign2, defined in EESS #1 [EESS#1]. The fields of typeNSSMRGM1-paramsNTRUSignMRGM1-params have the following meanings:cNTRUSignPRNGAlgIdentifier is therandom polynomial generation constant used to select the polynomial i. prng identifies thepseudo-random number generation method using an allowedAlgorithmIdentifier. 
di is the number of 1's and -1's in the message representative i.AlgorithmIdentifier The fields of typeNSSMRGM2-paramsNTRUSignMRGM2-params have the following meanings: c is the random polynomial generation constant used to select thepolynomial i. prng identifies the pseudo-random number generation method using an allowed AlgorithmIdentifier. di1message representative. numGroups is the number of1's and -1's infactors combined to form the messagerepresentative component i1. di2representative. numElements is the number of1's and -1'snon-zero coefficients in each factor of the message representativecomponent i2. di3 isprng identifies the pseudo-random numberof 1's and -1's in the message representative component i3.generation method using an allowed AlgorithmIdentifier. The allowed pseudo-random number generation algorithms are chosen from the setntruEESS1v1PRNGs,NTRUEESS1v1PRNGs, which is defined in section 2.2.1. TheNSSNTRUSign public key MUST be encoded using the ASN.1 typeNSSPublicKey. NSSPublicKeyNTRUSignPublicKey. NTRUSignPublicKey ::= SEQUENCE { publicKeyVector NTRUPublicVector, -- hnssKeyExtensions SETntruSignKeyExtensions NTRUSignKeyExtensions OPTIONAL } NTRUSignKeyExtensions ::= SEQUENCE SIZE(1..MAX) OFNSSKeyExtension OPTIONAL} NSSKeyExtensionNTRUSignKeyExtension NTRUSignKeyExtension ::= CHOICE { keyID [0] IMPLICIT INTEGER, ...} The fields of the typeNSSPublicKeyNTRUSignPublicKey have the following meanings: publicKeyVector is the polynomial h. If the NTRUPublicVector is a ModQVector, each coefficient will be represented by one byte starting with the lowest degree and going to the highest. If the NTRUPublicVector is a PackedModQVector, this is the OCTET STRING representing h obtained using RE2BSP and then BS2OSP as defined in EESS #1 [EESS#1]. All coefficients up to X^(N-1) SHALL be explicitly included in publicKeyVector. 
Representing theNSSNTRUSign public key as a ModQVector is the preferred method.nssKeyExternsionsntruSignKeyExternsions is provided for future extensibility. Only one extension is currently defined. The fields of the typeNSSKeyExtensionNTRUSignKeyExtension have the following meanings: keyID can be used to associate a unique key identifier with the key. If the keyUsage extension is present in an end entity certificate that conveys anNSSNTRUSign public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; If the keyUsage extension is present in a CA certificate that conveys anNSSNTRUSign public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyCertSign; and cRLSign. 3. ASN.1 Module--PKIXAlgorithmOIDTBD{--TBD}-- {TBD} -- DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL; --IMPORTS;-- IMPORTS None; -- -- Supporting definitions AlgorithmIdentifier { ALGORITHM: IOSet } ::= SEQUENCE { algorithm ALGORITHM.&id({IOSet}), parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL } ALGORITHM ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Type OPTIONAL } WITH SYNTAX { OID &id [PARMS &Type] } OIDS ::= ALGORITHM -- Informational object identifiers pkcs-1 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1} id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8} id-sha1 OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26} id-sha256 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1} id-sha384 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2} id-sha512 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3} --END IMPORTS ---- ---- General Types ---- ModQVector ::= OCTET STRING PackedModQVector ::= OCTET STRING NTRUPublicVector ::= 
CHOICE { modQVector [0] IMPLICIT ModQVector, packedModQVector [1] IMPLICIT PackedModQVector ...} TruncatedModQVector ::= OCTET STRING NTRUGeneralPolynomial ::= SEQUENCE { degree INTEGER, q INTEGER, coefficients TruncatedModQVector } SmallModulus ::= CHOICE { integerValue INTEGER, polynomialValue NTRUGeneralPolynomial } BoundsNTRU Object Identifiers ntru OBJECT IDENTIFIER ::=SEQUENCE { minimum INTEGER, maximum INTEGER{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprises(1) ntruCryptosystems (8342) }---- ---- General OIDs and AlgorithmIdentifiers ----id-eess1 OBJECT IDENTIFIER ::={ iso(1) ISO Identified Organization(3) US Department of Defense(6) Internet(1) Private(4) Enterprises(1) NTRU Cryptosystems(8342){ntru eess(1) 1} id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1} id-eess1-params OBJECT IDENTIFIER ::= {id-eess1 2} id-eess1-encodingMethods OBJECT IDENTIFIER ::= {id-eess1 3}ntruEESS1v1Hashes AlgorithmIdentifier-- OID for NTRUSign Algorithm and Public Key id-ntru-EESS1v1-NTRUSign OBJECT IDENTIFIER ::={ {NULL IDENTIFIED BY id-sha1}| {NULL IDENTIFIED BY id-sha256}| {NULL IDENTIFIED BY id-sha384}| {NULL IDENTIFIED BY id-sha512}| ...} ntruEESS1v1PRNGs AlgorithmIdentifier{id-eess1-algs 3} -- OID for NTRUSign Parameter Set id-ees251sp2 OBJECT IDENTIFIER ::={ {NTRUMGFAlgorithms}| ...} NTRUMGFAlgorithms AlgorithmIdentifier{id-eess1-params 7} -- OIDs for NTRUSign Encoding Methods id-mrgm-ntrusign-1 OBJECT IDENTIFIER ::={ {MGF1Parameters IDENTIFIED BY id-mgf1}| ...} MGF1Parameters{id-eess1-encodingMethods 6} id-mrgm-ntrusign-2 OBJECT IDENTIFIER ::=AlgorithmIdentifier {{ntruEESS1v1Hashes} ---- ---- NSS Keys and Signatures ----{id-eess1-encodingMethods 7} -- OID forNSSNTRUEncrypt Algorithm and Public Keyid-ntru-EESS1v1-SVSSAid-ntru-EESS1v1-SVES OBJECT IDENTIFIER ::= {id-eess1-algs2}1} -- OIDs forNSSNTRUEncrypt Parameter Setsid-ees251sp1id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params4} id-ees347sp11} id-ees347ep1 OBJECT IDENTIFIER ::= 
{id-eess1-params5} id-ees503sp12} id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params6}3} -- OIDs forNSSNTRUEncrypt Encoding Methodsid-mrgm-nss-1id-mrgm-ntru-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods4} id-mrgm-nss-21} id-bvgm-ntru-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 2} id-bvgm-ntru-2 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods5}3} -- General Types NTRUPublicVector ::= CHOICE { modQVector [0] IMPLICIT ModQVector, packedModQVector [1] IMPLICIT PackedModQVector, ...} ModQVector ::= OCTET STRING PackedModQVector ::= OCTET STRING NTRUGeneralPolynomial ::= SEQUENCE { numberOfEntries INTEGER, modulus INTEGER, coefficients GeneralVector } GeneralVector ::= OCTET STRING SmallModulus ::= CHOICE { integerValue INTEGER, polynomialValue NTRUGeneralPolynomial } Degree ::= INTEGER (251 | 347 | 503, ...) Version ::= INTEGER { v0(0) } (v0, ...) NTRUEESS1v1Hashes ALGORITHM ::= { {OID id-sha1 PARMS NULL}| {OID id-sha256 PARMS NULL }| {OID id-sha384 PARMS NULL }| {OID id-sha512 PARMS NULL }, ...} NTRUEESS1v1PRNGs ALGORITHM ::= { NTRUMGFAlgorithms, ...} NTRUMGFAlgorithms ALGORITHM ::= { {OID id-mgf1 PARMS MGF1Parameters}, ...} MGF1Parameters ::= AlgorithmIdentifier {{NTRUEESS1v1Hashes}} -- Encoding for NTRUSign Signatures NTRUSignSignedData ::= NTRUPublicVector -- Encoding forNSSNTRUSign PublicKey EESS1v1-SVSSA-ParametersKeys NTRUSignPublicKey ::= SEQUENCE { publicKeyVector NTRUPublicVector, -- h ntruSignKeyExtensions NTRUSignKeyExtensions OPTIONAL } NTRUSignKeyExtensions ::= SEQUENCE SIZE(1..MAX) OF NTRUSignKeyExtension NTRUSignKeyExtension ::= CHOICE { keyID [0] IMPLICIT INTEGER, ...} EESS1v1-NTRUSign-Parameters ::= CHOICE { degreeINTEGER (CONSTRAINED BY {--must be 251, 347 or 503}), standardNSSParameters OBJECT IDENTIFIER {{NSSParameters}}, explicitNSSParameters ExplicitNSSParameters,Degree, standardNTRUSignParameters StandardNTRUSignParameters, explicitNTRUSignParameters ExplicitNTRUSignParameters, externalParameters NULL }NSSParameters OBJECT 
IDENTIFIERStandardNTRUSignParameters ::= OIDS.&id({NTRUSignParameters}) NTRUSignParameters OIDS ::= {id-ees251sp1| id-ees347sp1| id-ees503sp1|{ OID id-ees251sp2 }, ...}ExplicitNSSParametersExplicitNTRUSignParameters ::= SEQUENCE { versionINTEGER,Version, degree INTEGER, bigModulus INTEGER,smallModulus SmallModulus, bounds NSSBounds,normBound INTEGER, messageRandLength INTEGER, hashAlgorithmIdentifier {{nssEESS1v1Hashes}},NTRUSignHashAlgIdentifier, mrgmAlgorithmIdentifier {{nssEESS1v1MRGMs}},NTRUSignMRGMAlgIdentifier, ...}NSSBoundsNTRUSignHashAlgIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1Hashes}} NTRUSignMRGMAlgIdentifier ::=SEQUENCE { version INTEGER, l2NormBound1 INTEGER, l2NormBound2 INTEGER, lInfBounds0 Bounds, lInfBounds1 Bounds, lInfBounds2 Bounds, lInfBounds3 Bounds, devBound0 INTEGER, devBound1 INTEGER, devBound2 INTEGER, devBound3 INTEGER, devBoundTot0 INTEGER, devBoundTot1 INTEGER, devBoundTot2 INTEGER, devBoundTot3 INTEGER, ...} nssEESS1v1MRGMsAlgorithmIdentifier {{NTRUSignEESS1v1MRGMs}} NTRUSignEESS1v1MRGMs ALGORITHM ::= {{NSSMRGM1-params IDENTIFIED BY id-mrgm-nss-1}, {NSSMRGM2-params IDENTIFIED BY id-mrgm-nss-2},{OID id-mrgm-ntrusign-1 PARMS NTRUSignMRGM1-params}| {OID id-mrgm-ntrusign-2 PARMS NTRUSignMRGM2-params}, ...}NSSMRGM1-paramsNTRUSignMRGM1-params ::=SEQUENCE { c INTEGER prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, di INTEGER } NSSMRGM2-paramsNTRUSignPRNGAlgIdentifier NTRUSignMRGM2-params ::= SEQUENCE { cINTEGER prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, di1INTEGER,di2numGroups INTEGER,di3 INTEGERnumElements INTEGER, prng NTRUSignPRNGAlgIdentifier }NSSPublicKeyNTRUSignPRNGAlgIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1PRNGs}} -- Encoding for NTRUEncrypt Public Keys NTRUPublicKey ::= SEQUENCE { publicKeyVector NTRUPublicVector, -- hnssKeyExtensions SETntruKeyExtensions NTRUKeyExtensions OPTIONAL } NTRUKeyExtensions ::= SEQUENCE SIZE(1..MAX) OFNSSKeyExtension OPTIONAL} NSSKeyExtensionNTRUKeyExtension NTRUKeyExtension ::= CHOICE { 
keyID [0] IMPLICIT INTEGER, ...}---- ---- NTRU Keys ---- -- OID for NTRU Algorithm and Public Key id-ntru-EESS1v1-SVSSA OBJECT IDENTIFIER ::= { iso(1) ISO Identified Organization(3) US Department of Defense(6) Internet(1) Private(4) Enterprises(1) NTRU Cryptosystems(8342) eess(1) eess-1(1) eess1-algs(1) 2} -- OIDs for NTRU Parameter Sets id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params 1} id-ees347ep1 OBJECT IDENTIFIER ::= {id-eess1-params 2} id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params 3} -- OIDs for NTRU Encoding Methods id-mrgm-ntru-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 1} id-bvgm-ntru-1 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 2} id-bvgm-ntru-2 OBJECT IDENTIFIER ::= {id-eess1-encodingMethods 3} -- Encoding for NTRU Public KeyEESS1v1-SVES-Parameters ::= CHOICE { degreeINTEGER (CONSTRAINED BY {--must be 251, 347 or 503}),Degree, standardNTRUParametersOBJECT IDENTIFIER {{NTRUParameters}},StandardNTRUParameters, explicitNTRUParameters ExplicitNTRUParameters, externalParameters NULL } StandardNTRUParameters ::= OIDS.&id({NTRUParameters}) NTRUParametersOBJECT IDENTIFIEROIDS ::= {id-ees251ep1| id-ees347ep1| id-ees503ep1|{ OID id-ees251ep1 }| { OID id-ees347ep1 }| { OID id-ees503ep1 }, ...} ExplicitNTRUParameters ::= SEQUENCE { versionINTEGER,Version, degree INTEGER, bigModulus INTEGER, smallModulus SmallModulus, mrgmAlgorithmIdentifier {{ntruEESS1v1MRGMs}},NTRUMRGMAlgorithmIdentifier, db INTEGER, bvgmAlgorithmIdentifier {{ntruEESS1v1BVGMs}},NTRUBVGMAlgorithmIdentifier, ...}ntruEESS1v1MRGMsNTRUMRGMAlgorithmIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1MRGMs}} NTRUBVGMAlgorithmIdentifier ::= AlgorithmIdentifier {{NTRUEESS1v1BVGMs}} NTRUEESS1v1MRGMs ALGORITHM ::= {{NTRUMRGM1-params IDENTIFIED BY id-mrgm-ntru-1},{OID id-mrgm-ntru-1 PARMS NTRUMRGM1-params}, ...} NTRUMRGM1-params ::= NTRUHashAlgorithmIdentifier NTRUHashAlgorithmIdentifier ::= AlgorithmIdentifier{{ntruEESS1v1Hashes}} ntruEESS1v1BVGMs AlgorithmIdentifier{{NTRUEESS1v1Hashes}} 
NTRUEESS1v1BVGMs ALGORITHM ::= {{NTRUBVGM1-params IDENTIFIED BY id-bvgm-ntru-1}, {NTRUBVGM2-params IDENTIFIED BY id-bvgm-ntru-2},{OID id-bvgm-ntru-1 PARMS NTRUBVGM1-params}| {OID id-bvgm-ntru-2 PARMS NTRUBVGM2-params}, ...} NTRUBVGM1-params ::= SEQUENCE { c INTEGER, prngAlgorithmIdentifier {{ntruEESS1v1PRNGs}},NTRUPRNGAlgorithmIdentifier, dr INTEGER } NTRUBVGM2-params ::= SEQUENCE { c INTEGER, prngAlgorithmIdentifier {{ntruEESS1v1PRNGs}},NTRUPRNGAlgorithmIdentifier, dr1 INTEGER, dr2 INTEGER, dr3 INTEGER }NTRUPublicKey ::= SEQUENCE { publicKeyVector NTRUPublicVector, -- h ntruKeyExtensions SET OF NTRUKeyExtension OPTIONAL} NTRUKeyExtensionNTRUPRNGAlgorithmIdentifier ::=CHOICE { keyID [0] IMPLICIT INTEGER, ...}AlgorithmIdentifier {{NTRUEESS1v1PRNGs}} END -- PKIXAlgorithmOIDTBD -- 4. Security Considerations This document is entirely concerned with security mechanisms. It is based on the Internet X.509 Public Key Infrastructure Certificate and CRL Profile [RFC 2459], IEEE P1363.1 [P1363.1] and EESS #1 [EESS#1] and the appropriate security considerations from those documents apply. 5. Intellectual Property Rights NTRU Cryptosystems, Inc. has been granted U.S. Patent No. 6,081,597, which covers aspects of theNTRUNTRUEncrypt public-key encryption scheme, and has applied for a patent (or patents) that covers theNSSNTRUSign public-key signature scheme. In addition, NTRU Cryptosystems may have applied for additional patent coverage on implementation techniques related to the use ofNTRUNTRUEncrypt orNSS.NTRUSign. This and any additional patent information will be sent to the IETF. The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. 
Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights, which may cover technology that may be required to implement the techniques in this document. Please address the information to the IETF Executive Director. 6. Acknowledgements The authors would like to thank Phil Griffin for his considerable aid in the formulation of the ASN.1 structures for this document. 7. References [EESS#1] Efficient Embedded Security Standards (EESS) #1: Implementation Aspects of NTRU andNSS,NTRUSign, Draft Version3, July 9, 2001,4, March 2002, Consortium for Efficient Embedded Security Standards, Available at http://www.ceesstandards.org. [FIPS180-1] FIPS PUB 180-1, Secure Hash Standard, Federal Information Processing Standards Publication 180-1, U.S. Department of Commerce/National Institute of Standards and Technology, National Technical Information Service, Springfield, Virginia, April 17, 1995 (supersedes FIPS PUB 180). Available at http://www.itl.nist.gov/div897/pubs/fip180-1.htm. [FIPS180-2] Draft FIPS PUB 180-2, Secure Hash Standard, Federal Information Processing Standards Publication 180-2, U.S. Department of Commerce/National Institute of Standards and Technology, National Technical Information Service, Springfield, Virginia, May 30, 2001 (draft available at http://csrc.nist.gov/encryption/shs/dfips-180- 2.pdf) [FIPS186-2] FIPS PUB 186-2, Digital Signature Standard, Federal Information Processing Standards Publication 186-2, U.S. 
Department of Commerce/National Institute of Standards and Technology, National Technical Information Service, Springfield, Virginia, 2000. Available at http://csrc.nist.gov/publications/fips/fips186- 2/fips186-2.pdf [IEEE1363] IEEE Std 1363-2000: IEEE Standard Specifications for Public-Key Cryptography, IEEE Computer Society, New York, NY, August 2000, Institute of Electrical and Electronics Engineers [P1363.1] IEEE Draft Standard P1363.1 D2: IEEE Standard Specifications for Public-Key Cryptographic Techniques Based on Hard Problems over Lattices, Draft 2, May 2001, Available at http://grouper.ieee.org/groups/1363. [PKIX-ALGS] L. Bassham, R. Housley, W. Polk, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and CRL Profile",draft-ietf-pkix-pkalgs-03.txt, Julydraft-ietf-pkix-pkalgs-05.txt, October 2001 [RFC2026] S. Bradner, "The Internet Standards Process", IETF RFC 2026, October 1996 [RFC2119] S. Bradner, "Key Words for Use in RFCs to Indicate Requirement Levels", IETF RFC 2119, March 1997 [RFC2459] R. Housley, W. Ford, W. Polk and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", IETF RFC 2459, January 1999 NTRU Algorithms and Identifiers February 2002 Authors' Addresses Ari Singer NTRU 5 Burlington Woods Phone: 1-781-418-2500 Burlington, MA 01803, USA Email: asinger@ntru.com William Whyte NTRU 5 Burlington Woods Phone: 1-781-418-2500 Burlington, MA 01803, USA Email: wwhyte@ntru.com
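Review bot: The renamed field is misspelled in the opening prose of this region: the sentence on future extensibility calls it ntruSignKeyExternsions, while the ASN.1 module defines ntruSignKeyExtensions of type NTRUSignKeyExtensions. The NSS to NTRUSign rename carried the old "Externsions" typo across; correct the prose to ntruSignKeyExtensions so it matches the module. In the same passage the end entity keyUsage list ends "digitalSignature; nonRepudiation;" with a dangling semicolon, unlike the CA list that closes with "keyCertSign; and cRLSign."; make the two lists parallel.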
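Review bot: In the NTRUSign parameter definitions of the ASN.1 module, the degree alternative of EESS1v1-NTRUSign-Parameters accepts every value of Degree, which is INTEGER (251 | 347 | 503, ...), but the NTRUSignParameters object set now contains only { OID id-ees251sp2 } after id-ees251sp1, id-ees347sp1 and id-ees503sp1 were dropped. Nothing in the module ties a degree of 347 or 503 to an NTRUSign parameter set, which leaves a verifier that receives one without parameters defined in this module. Either restrict the NTRUSign degree alternative to 251 or state which parameter set each degree selects. Relatedly, ExplicitNTRUSignParameters still declares degree INTEGER rather than the new Degree type; use Degree there or say why arbitrary degrees are allowed.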
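Review bot: NTRUSignKeyExtension and NTRUKeyExtension are extensible CHOICEs (keyID [0] IMPLICIT INTEGER, ...) carried in a SEQUENCE SIZE(1..MAX) OF, yet neither the module nor the accompanying text says what a relying party does with an alternative it does not recognize. Since the field is described as provided for future extensibility and carries no criticality indication, add a sentence stating whether unknown extensions are ignored or cause the key to be rejected. The change from SET OF to SEQUENCE SIZE(1..MAX) OF also alters the encoding relative to the previous revision, and a comment in the module noting that would help anyone who implemented the earlier draft.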