< draft-ietf-pkix-pkalgs-supp-00.txt   draft-ietf-pkix-pkalgs-supp-01.txt >
Internet Draft Ari Singer, NTRU Internet Draft Ari Singer, NTRU
Document: draft-ietf-pkix-pkalgs-supp-00.txt William Whyte, NTRU Document: draft-ietf-pkix-pkalgs-supp-01.txt William Whyte, NTRU
Expires: January 2002 July 2001 Expires: September 2002 March 2002
Supplemental Algorithms and Identifiers for the Supplemental Algorithms and Identifiers for the
Internet X.509 Public Key Infrastructure Internet X.509 Public Key Infrastructure
Certificate and CRL Profile Certificate and CRL Profile
<draft-ietf-pkix-pkalgs-supp-00.txt> <draft-ietf-pkix-pkalgs-supp-01.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC 2026 [RFC2026]. with all provisions of Section 10 of RFC 2026 [RFC2026].
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 43 skipping to change at page 1, line 43
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119 this document are to be interpreted as described in RFC 2119
[RFC2119]. [RFC2119].
Abstract Abstract
This document specifies algorithm identifiers and ASN.1 encoding This document specifies algorithm identifiers and ASN.1 encoding
formats for digital signatures and subject public keys, including formats for digital signatures and subject public keys, including
NSS digital signatures and NTRU and NSS subject public keys used in NTRUSign digital signatures and NTRUEncrypt and NTRUSign subject
the Internet X.509 Public Key Infrastructure (PKI). Digital public keys used in the Internet X.509 Public Key Infrastructure
signatures are used to sign certificates and certificate revocation (PKI). Digital signatures are used to sign certificates and
lists (CRLs). Certificates include the public key of the named certificate revocation lists (CRLs). Certificates include the
subject. This document is intended to be a companion to draft-ietf- public key of the named subject. This document is intended to be a
pkix-ipki-pkalgs-03.txt [PKIX-ALGS] and may be merged with that companion to draft-ietf-pkix-ipki-pkalgs-05.txt [PKIX-ALGS] and may
document in future revisions if approved by the PKIX working group. be merged with that document in future revisions if approved by the
PKIX working group.
Table of Contents Table of Contents
Status of this Memo................................................1 Status of this Memo................................................1
Conventions used in this document..................................1 Conventions used in this document..................................1
Abstract...........................................................1 Abstract...........................................................1
1. Overview........................................................3 1. Overview........................................................3
2. Algorithm Support...............................................3 2. Algorithm Support...............................................3
2.1 Signature Algorithms...........................................4 2.1 Signature Algorithms...........................................4
2.1.1 NSS Signature Algorithm......................................4 2.1.1 NTRUSign Signature Algorithm.................................4
2.2 Subject Public Key Algorithms..................................6 2.2 Subject Public Key Algorithms..................................6
2.2.1 NTRU Keys....................................................6 2.2.1 NTRUEncrypt Keys.............................................6
2.2.2 NSS Keys....................................................11 2.2.2 NTRUSign Keys...............................................12
3. ASN.1 Module...................................................16 3. ASN.1 Module...................................................15
4. Security Considerations........................................22 4. Security Considerations........................................21
5. Intellectual Property Rights...................................22 5. Intellectual Property Rights...................................21
6. References.....................................................22 6. Acknowledgements...............................................21
7. References.....................................................22
Authors' Addresses................................................23 Authors' Addresses................................................23
1. Overview 1. Overview
This document specifies algorithm identifiers and ASN.1 encoding This document specifies algorithm identifiers and ASN.1 encoding
formats for digital signatures and subject public keys used in the formats for digital signatures and subject public keys used in the
Internet X.509 Public Key Infrastructure (PKI). This specification Internet X.509 Public Key Infrastructure (PKI). This specification
supplements RFC 2459 [RFC2459], "Internet Public Key Infrastructure: supplements RFC 2459 [RFC2459], "Internet Public Key Infrastructure:
X.509 Certificate and CRL Profile". Implementations of this X.509 Certificate and CRL Profile". Implementations of this
specification must also conform to RFC 2459 [RFC2459]. This specification must also conform to RFC 2459 [RFC2459]. This
document is being written concurrently with the PKIX public key document is being written concurrently with the PKIX public key
algorithms Internet Draft [PKIX-ALGS] (the latest version as of this algorithms Internet Draft [PKIX-ALGS] (the latest version as of this
writing is draft-ietf-pkix-ipki-pkalgs-03.txt). It is intended that writing is draft-ietf-pkix-ipki-pkalgs-05.txt). It is intended that
when this document is completed and approved by the PKIX working when this document is completed and approved by the PKIX working
group that it be merged with that document. The format of this group that it be merged with that document. The format of this
document is written to approximately match the format of that document is written to approximately match the format of that
Internet Draft. Internet Draft.
This specification defines the contents of the signatureAlgorithm, This specification defines the contents of the signatureAlgorithm,
signatureValue, signature and subjectPubliKeyInfo fields within signatureValue, signature and subjectPubliKeyInfo fields within
Internet X.509 certificates and CRLs. Internet X.509 certificates and CRLs.
This document does not currently introduce any new one-way hash This document does not currently introduce any new one-way hash
functions, however it specifies the use of SHA-256, SHA-384 and SHA- functions, but it specifies the use of SHA-256, SHA-384 and SHA-512
512 hash algorithms as defined in the draft of FIPS 180-2 [FIPS180- hash algorithms as defined in the draft of FIPS 180-2 [FIPS180-2] as
2] as well as the SHA-1 hash algorithm as defined in FIPS 180-1 well as the SHA-1 hash algorithm as defined in FIPS 180-1 [FIPS180-
[FIPS180-1] with the NSS signature algorithm. It is anticipated 1] with the NTRUSign signature algorithm. It is anticipated that
that future revisions will include the algorithm identifiers and future revisions will include the algorithm identifiers and ASN.1
ASN.1 encoding of the FIPS 180-2 hash algorithms. encoding of the FIPS 180-2 hash algorithms.
This specification describes the encoding of digital signatures This specification describes the encoding of digital signatures
generated with the following cryptographic algorithms; generated with the following cryptographic algorithms;
* NTRU Signature Scheme (NSS). * NTRUSign Signature Scheme (NTRUSign).
It is anticipated that future revisions of this document will It is anticipated that future revisions of this document will
include the extended version of the Digital Signature Algorithm include the extended version of the Digital Signature Algorithm
(DSA) [FIPS186-2], which has not yet been published. In addition, (DSA) [FIPS186-2], which has not yet been published. In addition,
it is anticipated that the document will include the algorithm it is anticipated that the document will include the algorithm
identifiers and ASN.1 encoding of pre-existing algorithms (e.g. RSA) identifiers and ASN.1 encoding of pre-existing algorithms (e.g. RSA)
when used in conjunction with the FIPS 180-2 hash algorithms. when used in conjunction with the FIPS 180-2 hash algorithms.
This document specifies the contents of the subjectPublicKeyInfo This document specifies the contents of the subjectPublicKeyInfo
field in Internet X.509 certificates. For each algorithm, the field in Internet X.509 certificates. For each algorithm, the
appropriate alternatives for the keyUsage extension are provided. appropriate alternatives for the keyUsage extension are provided.
This specification describes encoding formats for public keys used This specification describes encoding formats for public keys used
with the following cryptographic algorithms: with the following cryptographic algorithms:
* NTRU Encryption Scheme (NTRU) * NTRUEncrypt Encryption Scheme (NTRUEncrypt)
* NTRU Signature Scheme (NSS) * NTRUSign Signature Scheme (NTRUSign)
2. Algorithm Support 2. Algorithm Support
This section describes cryptographic algorithms that may be used This section describes cryptographic algorithms that may be used
with the Internet X.509 Certificate and CRL Profile. It describes with the Internet X.509 Certificate and CRL Profile. In particular,
the NSS digital signature algorithm, which may be used to sign it describes the NTRUSign digital signature algorithm, which may be
certificates and CRLs, and identifies OIDs and ASN.1 encoding for used to sign certificates and CRLs. In addition, this section
identifies OIDs and ASN.1 encoding for NTRUSign and NTRUEncrypt
public keys contained in a certificate. It is anticipated that public keys contained in a certificate. It is anticipated that
additional algorithms, such as the extended version of DSA, will be additional algorithms, such as the extended version of DSA, will be
included in future revisions. included in future revisions.
Conforming CAs and application are not required to support the Conforming CAs and application are not required to support the
algorithms or algorithm identifiers described in this section. algorithms or algorithm identifiers described in this section.
However, conforming CAs and applications that use the algorithms However, conforming CAs and applications that use the algorithms
identified here MUST support them as specified. identified here MUST support them as specified.
2.1 Signature Algorithms 2.1 Signature Algorithms
Certificates and CRLs conforming to RFC 2459 [RFC2459] may be signed Certificates and CRLs conforming to RFC 2459 [RFC2459] may be signed
with any public key signature algorithm. The certificate or CRL with any public key signature algorithm. The certificate or CRL
indicates the algorithm through an algorithm identifier, which indicates the algorithm through an algorithm identifier, which
appears in the signatureAlgorithm field within the Certificate or appears in the signatureAlgorithm field within the Certificate or
CertificateList. This algorithm identifier is an OID and has CertificateList. An algorithm identifier consists of an OID and
optionally associated parameters. This section identifies algorithm (optionally) associated parameters. This section describes OIDs and
identifiers and parameters that MUST be used in the parameter encoding for NTRUSign.
signatureAlgorithm field in a Certificate or CertificateList.
Signature algorithms are always used in conjunction with a one-way Signature algorithms are always used in conjunction with a one-way
hash function. hash function.
This section identifies OIDs for NSS. Details for the contents of The data to be signed (e.g. the one-way hash function output value)
the parameters component for NSS are provided.
The data to be signed (e.g., the one-way hash function output value)
is formatted for the signature algorithm to be used. Then, a is formatted for the signature algorithm to be used. Then, a
private key operation (e.g. NSS signature primitive) is performed to private key operation (e.g. NTRUSign signature primitive) is
generate the signature value. This signature value is then ASN.1 performed to generate the signature value. This signature value is
encoded as a BIT STRING and included in the Certificate or then ASN.1 encoded as a BIT STRING and included in the Certificate
CertificateList in the signature field. or CertificateList in the signature field.
2.1.1 NSS Signature Algorithm 2.1.1 NTRUSign Signature Algorithm
The NSS signature algorithm was invented by Hoffstein, Pipher and The NTRUSign signature algorithm was invented by Hoffstein,
Silverman. It is defined in Efficient Embedded Security Standard Howgrave-Graham, Pipher, Silverman and Whyte. It is defined in
(EESS) #1 [EESS#1]. This profile defines a single signature Efficient Embedded Security Standard (EESS) #1 [EESS#1]. This
algorithm, NSS signature algorithm with the SHA-1, SHA-256, SHA-384 profile defines a single signature algorithm, the NTRUSign signature
or SHA-512 one-way hash function. algorithm with the SHA-1, SHA-256, SHA-384 or SHA-512 one-way hash
function.
The signature algorithm is implemented using the padding and The signature algorithm is implemented using the padding and
encoding conventions described in EESS #1 [EESS#1]. The message encoding conventions described in EESS #1 [EESS#1]. The message
digest is computed using the SHA-1 Hash Algorithm [FIPS180-1] or any digest is computed using the SHA-1 Hash Algorithm [FIPS180-1] or any
of the SHA-2 algorithms [FIPS180-2] and the message digest is of the SHA-2 algorithms [FIPS180-2] and the message digest is
encoded using the MGF1 mask generation function as specified in Std encoded using the MGF1 mask generation function as specified in Std
IEEE 1363-2000 [IEEE1363]. IEEE 1363-2000 [IEEE1363].
Unlike previously defined public-key signature algorithms, the Unlike previously defined public-key signature algorithms, the
object identifier for the NSS signature algorithm does not specify object identifier for the NTRUSign signature algorithm does not
the hash function. Rather, the parameter field in the specify the hash function. Rather, the parameter field in the
AlgorithmIdentifier contains an indication of the hash function as AlgorithmIdentifier contains an indication of the hash function as
well as the encoding methods that are to be used. well as the encoding methods that are to be used.
The ASN.1 object identifier used to identify this signature The ASN.1 object identifier used to identify this signature
algorithm is: algorithm is named id-ntru-EESS1v1-NTRUSign and is given by the
following ASN.1:
id-ntru-EESS1v1-SVSSA OBJECT IDENTIFIER ::= ntru OBJECT IDENTIFIER ::=
{ iso(1) ISO Identified Organization(3) US Department {iso(1) identified-organization(3) dod(6) internet(1)
of Defense(6) Internet(1) Private(4) Enterprises(1) private(4) enterprises(1) ntruCryptosystems (8342) }
NTRU Cryptosystems(8342) eess(1) eess-1(1) eess1-
algs(1) 2} id-eess1 OBJECT IDENTIFIER ::= {ntru eess(1) 1}
id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1}
id-ntru-EESS1v1-NTRUSign OBJECT IDENTIFIER ::=
{id-eess1-algs 3}
When this OID appears in the signatureAlgorithm field or the When this OID appears in the signatureAlgorithm field or the
signature field of an X.509 certificate, the encoding SHALL omit the signature field of an X.509 certificate, the encoding SHALL omit the
parameters field. That is, the AlgorithmIdentifier shall be a parameters field. That is, the AlgorithmIdentifier shall be a
SEQUENCE of one component: the OBJECT IDENTIFIER id-ntru-EESS1v1- SEQUENCE of one component: the OBJECT IDENTIFIER id-ntru-EESS1v1-
SVSSA. SVSSA.
The NSS parameters in the subjectPublicKeyInfo field of the The NTRUSign parameters in the subjectPublicKeyInfo field of the
certificate of the issuer shall apply to the verification of the certificate of the issuer shall apply to the verification of the
signature. signature.
When signing, the NSS algorithm generates a signature polynomial. When signing, the NTRUSign algorithm generates a signature
This polynomial SHALL be encoded as an OCTET STRING as described in polynomial. This polynomial SHALL be encoded as an OCTET STRING as
EESS #1 [EESS#1]. The signature SHALL be ASN.1 encoded using the described in EESS #1 [EESS#1]. The signature SHALL be ASN.1 encoded
following ASN.1 structure: using the following ASN.1 structure:
NSSSignedData ::= NTRUPublicVector NTRUSignSignedData ::= NTRUPublicVector
NTRUPublicVector ::= CHOICE { NTRUPublicVector ::= CHOICE {
modQVector [0] IMPLICIT ModQVector, modQVector [0] IMPLICIT ModQVector,
packedModQVector [1] IMPLICIT PackedModQVector packedModQVector [1] IMPLICIT PackedModQVector,
...} ...}
ModQVector ::= OCTET STRING ModQVector ::= OCTET STRING
PackedModQVector ::= OCTET STRING PackedModQVector ::= OCTET STRING
The field choices of type NTRUPublicVector have the following The field choices of type NTRUPublicVector have the following
meanings: meanings:
modQVector is the representation of the NTRUPublicVector in modQVector is the representation of the NTRUPublicVector in
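Review bot: the -01 text under "When this OID appears in the signatureAlgorithm field" still ends with "the OBJECT IDENTIFIER id-ntru-EESS1v1-SVSSA", but the identifier defined a few lines earlier is now id-ntru-EESS1v1-NTRUSign; that sentence should be updated to "the OBJECT IDENTIFIER id-ntru-EESS1v1-NTRUSign", otherwise the profile names an OID it no longer defines. Note also that the arc value moves from "{ ... eess1-algs(1) 2}" to "{id-eess1-algs 3}"; the draft should state whether arc 2 (the old NSS/SVSSA assignment) is retired, so that a verifier seeing the -00 OID knows not to treat it as an NTRUSign signature. The added trailing comma after "packedModQVector [1] IMPLICIT PackedModQVector" before the extension marker is a correct syntax fix.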
skipping to change at page 5, line 55 skipping to change at page 5, line 57
coefficients reduced mod q, each of the N bytes of the OCTET coefficients reduced mod q, each of the N bytes of the OCTET
STRING represent integers x in the range 0 <= x < q STRING represent integers x in the range 0 <= x < q
corresponding to the coefficient values of the polynomial from corresponding to the coefficient values of the polynomial from
lowest degree to highest. lowest degree to highest.
packedModQVector is the representation of the NTRUPublicVector packedModQVector is the representation of the NTRUPublicVector
in packed form. For a polynomial of degree N-1 with in packed form. For a polynomial of degree N-1 with
coefficients reduced mod q, each log_2(q) bits of the OCTET coefficients reduced mod q, each log_2(q) bits of the OCTET
STRING represent integers x in the range 0 <= x < q STRING represent integers x in the range 0 <= x < q
corresponding to the coefficient values of the polynomial from corresponding to the coefficient values of the polynomial from
lowest degree to highest. The values are packed starting from lowest degree to highest. The values are concatenated bitwise,
the left, without any intermediate padding, irrespective of the without any intermediate padding, and irrespective of the byte
byte boundaries and the final byte of the OCTET STRING is boundaries. If necessary, zero bits are appended to the packed
padded on the right with zeros (if necessary). data in order to make the length a multiple of 8 bits.
Implementations that sign certificates using NSS SHOULD encode the Implementations that sign certificates using NTRUSign SHOULD encode
signature as a ModQVector. the signature as a ModQVector.
2.2 Subject Public Key Algorithms 2.2 Subject Public Key Algorithms
Certificates conforming to RFC 2459 [RFC2459] may convey a public Certificates conforming to RFC 2459 [RFC2459] may convey a public
key for any public key algorithm. The certificate indicates the key for any public key algorithm. The certificate indicates the
algorithm through an algorithm identifier. This algorithm algorithm through an algorithm identifier. This algorithm
identifier is an OID and optionally associated parameters. identifier consists of an OID and optionally associated parameters.
This section identifies preferred OIDs and parameters for the NTRU This section identifies preferred OIDs and parameters for the
and NSS algorithms. Conforming CAs MUST use the identified OIDs NTRUEncrypt and NTRUSign algorithms. Conforming CAs MUST use the
when issuing certificates containing public keys for these identified OIDs when issuing certificates containing public keys for
algorithms. Conforming applications supporting any of these these algorithms. Conforming applications supporting any of these
algorithms MUST, at a minimum, recognize the OIDs identified in this algorithms MUST, at a minimum, recognize the OIDs identified in this
section. section.
2.2.1 NTRU Keys 2.2.1 NTRUEncrypt Keys
This section identifies the preferred OID and parameter encoding for This section identifies the preferred OID and parameter encoding for
the inclusion of an NTRU public key in a certificate. The NTRU the inclusion of an NTRUEncrypt public key in a certificate. The
encryption algorithm is defined in EESS #1 [EESS#1]. NTRUEncrypt encryption algorithm is defined in EESS #1 [EESS#1].
The OID id-ntru-EESS1v1-SVES identifies NTRU public keys.
id-eess1 OBJECT IDENTIFIER ::=
{ iso(1) ISO Identified Organization(3) US Department
of Defense(6) Internet(1) Private(4) Enterprises(1)
NTRU Cryptosystems(8342) eess(1) 1}
id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1} The OID id-ntru-EESS1v1-SVES identifies NTRUEncrypt public keys.
id-ntru-EESS1v1-SVES OBJECT IDENTIFIER ::= {id-eess1-algs 1} id-ntru-EESS1v1-SVES OBJECT IDENTIFIER ::= {id-eess1-algs 1}
The id-ntru-EESS1v1-SVES OID is intended to be used in the algorithm The id-ntru-EESS1v1-SVES OID is intended to be used in the algorithm
field of a value of type AlgorithmIdentifier. NTRU requires use of field of a value of type AlgorithmIdentifier. NTRUEncrypt requires
certain parameters with the public key. The parameters may be use of certain parameters with the public key. The parameters may
implied by context, implicitly included through reference of a be implied by context, implicitly included through reference of a
degree, implicitly included through reference of a standard degree, implicitly included through reference of a standard
parameter set or explicitly included in the certificate. parameter set or explicitly included in the certificate. The
parameters associated with id-ntru-EESS1v1-SVES are EESS1v1-SVES-
Parameters.
EESS1v1-SVES-Parameters ::= CHOICE { EESS1v1-SVES-Parameters ::= CHOICE {
degree INTEGER degree Degree,
(CONSTRAINED BY {--must be 251, standardNTRUParameters StandardNTRUParameters,
347 or 503}), explicitNTRUParameters ExplicitNTRUParameters,
standardNTRUParameters OBJECT IDENTIFIER externalParameters NULL
{{NTRUParameters}},
explicitNTRUParameters ExplicitNTRUParameters,
externalParameters NULL
} }
When the parameters are implied by context, the parameters field When the parameters are implied by context, the parameters field
SHALL contain externalParameters, which is the ASN.1 value NULL. SHALL contain externalParameters, which is a value of the ASN.1 type
NULL.
When the parameters are specified by degree, the values are When the parameters are specified by degree, the values are
restricted to 251, 347 and 503. For the three permitted choices, restricted to 251, 347 and 503. For the three permitted choices,
the parameters are defined to be ees251ep1, ees347ep1 and ees503ep1 the parameters are defined to be ees251ep1, ees347ep1 and ees503ep1
respectively as defined in EESS #1 [EESS#1]. Specifying the degree respectively as defined in EESS #1 [EESS#1]. Specifying the degree
is the preferred way for transmitting parameter information for the is the preferred way for transmitting parameter information for the
scheme when the parameters are not implied by context. scheme when the parameters are not implied by context.
Degree ::= INTEGER (251 | 347 | 503, ...)
When the parameters are specified by reference of a standard, the When the parameters are specified by reference of a standard, the
parameters shall consist of an OID chosen from the list parameters shall consist of an OID chosen from the list
NTRUParameters. The current list of NTRUParameters OIDs is: NTRUParameters. The current list of NTRUParameters OIDs is:
NTRUParameters OBJECT IDENTIFIER ::= { StandardNTRUParameters ::= OIDS.&id({NTRUParameters})
id-ees251ep1|
id-ees347ep1| NTRUParameters OIDS ::= {
id-ees503ep1| { OID id-ees251ep1 }|
{ OID id-ees347ep1 }|
{ OID id-ees503ep1 },
...} ...}
The above object identifiers are specified by: The above object identifiers are specified by:
id-eess1-params OBJECT IDENTIFIER ::= {id-eess1 2} id-eess1-params OBJECT IDENTIFIER ::= {id-eess1 2}
id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params 1} id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params 1}
id-ees347ep1 OBJECT IDENTIFIER ::= {id-eess1-params 2} id-ees347ep1 OBJECT IDENTIFIER ::= {id-eess1-params 2}
id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params 3} id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params 3}
When the parameters are explicitly included, they SHALL be encoded When the parameters are explicitly included, they SHALL be encoded
in the ASN.1 structure ExplicitNTRUParameters: in the ASN.1 structure ExplicitNTRUParameters:
ExplicitNTRUParameters ::= SEQUENCE { ExplicitNTRUParameters ::= SEQUENCE {
version INTEGER, version Version,
degree INTEGER, degree INTEGER,
bigModulus INTEGER, bigModulus INTEGER,
smallModulus SmallModulus, smallModulus SmallModulus,
mrgm AlgorithmIdentifier mrgm NTRUMRGMAlgorithmIdentifier,
{{ntruEESS1v1MRGMs}},
db INTEGER, db INTEGER,
bvgm AlgorithmIdentifier bvgm NTRUBVGMAlgorithmIdentifier,
{{ntruEESS1v1BVGMs}},
...} ...}
Version ::= INTEGER { v0(0) } (v0, ...)
SmallModulus ::= CHOICE { SmallModulus ::= CHOICE {
integerValue INTEGER, integerValue INTEGER,
polynomialValue NTRUGeneralPolynomial polynomialValue NTRUGeneralPolynomial
} }
NTRUGeneralPolynomial ::= SEQUENCE { NTRUGeneralPolynomial ::= SEQUENCE {
degree INTEGER, numberOfEntries INTEGER,
q INTEGER, modulus INTEGER,
coefficients TruncatedModQVector coefficients GeneralVector
} }
TruncatedModQVector ::= OCTET STRING GeneralVector ::= OCTET STRING
The fields of type NTRUGeneralPolynomial have the following The fields of type NTRUGeneralPolynomial have the following
meanings: meanings:
degree is the degree of the polynomial. numberOfEntries is the number of coefficients used to represent
the polynomial - this number is equal to the degree of the
polynomial plus 1.
q is a modulus; more generally, q is an upper bound on the modulus is an upper bound on the value of the coefficients.
value of the coefficients.
coefficients is the list of coefficients, listed as a coefficients is the list of numberOfEntries coefficients,
ModQVector with only degree+1 coefficient entries. If q < 257, represented in order from lowest degree to highest degree. If
each coefficient is stored in a single byte. If q > 256 and q modulus < 257, each coefficient is stored in a single byte. If
< 2^16, each coefficient is stored in two bytes. modulus > 256 and modulus < 2^16, each coefficient is stored in
two bytes.
The fields of type SmallModulus have the following meanings:
integerValue is the value of p if p is an integer.
polynomialValue is the value of p if p is a polynomial.
The fields of type ExplicitNTRUParameters have the following The fields of type ExplicitNTRUParameters have the following
meanings: meanings:
version is the version number, for compatibility with future version is the version number, for compatibility with future
revisions of this document. It SHALL be 0 for this version of revisions of this document. It SHALL be 0 for this version of
the document. the document.
degree is the value N. degree is the value N.
bigModulus is the value q. q will be 256 or less. bigModulus is the value q. q will be 256 or less.
smallModulus is the value p. It SHALL be represented with the smallModulus is the value p. It SHALL be represented with the
SmallModulus type, defined below. SmallModulus type.
mrgm identifies the message representative generation method mrgm identifies the message representative generation method
using an allowed AlgorithmIdentifier. using an allowed AlgorithmIdentifier.
db is the size of the random component. db is the size of the random component.
bvgm identifies the blinding value generation method using an bvgm identifies the blinding value generation method using an
allowed AlgorithmIdentifier. allowed AlgorithmIdentifier.
The fields of type SmallModulus have the following meanings: The ASN.1 for the mrgm used in ExplicitNTRUParameters is specified
below.
integerValue is the value of p if p is an integer.
polynomialValue is the value of p if p is a polynomial.
The AlgorithmIdentifiers used in ExplicitNTRUParameters are NTRUMRGMAlgorithmIdentifier ::=
specified below. AlgorithmIdentifier {{NTRUEESS1v1MRGMs}}
ntruEESS1v1MRGMs AlgorithmIdentifier ::= { NTRUEESS1v1MRGMs ALGORITHM ::= {
{NTRUMRGM1-params IDENTIFIED BY id-mrgm-ntru-1}, {OID id-mrgm-ntru-1 PARMS NTRUMRGM1-params},
...} ...}
id-eess1-encodingMethods OBJECT IDENTIFIER ::= {id-eess1 3} id-eess1-encodingMethods OBJECT IDENTIFIER ::= {id-eess1 3}
id-mrgm-ntru-1 OBJECT IDENTIFIER ::= id-mrgm-ntru-1 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 1} {id-eess1-encodingMethods 1}
NTRUMRGM1-params ::= AlgorithmIdentifier {{ntruEESS1v1Hashes}} NTRUMRGM1-params ::= NTRUHashAlgorithmIdentifier
NTRUHashAlgorithmIdentifier ::=
AlgorithmIdentifier {{NTRUEESS1v1Hashes}}
The identifier id-mrgm-ntru-1 identifies the message representative The identifier id-mrgm-ntru-1 identifies the message representative
generation method MRGM-NTRU1, defined in EESS #1 [EESS#1]. The generation method MRGM-NTRU1, defined in EESS #1 [EESS#1]. The
parameters identify the hashing mechanism using an allowed parameters identify the hashing mechanism using an allowed
AlgorithmIdentifier. AlgorithmIdentifier.
ntruEESS1v1Hashes AlgorithmIdentifier ::= { NTRUEESS1v1Hashes ALGORITHM ::= {
{NULL IDENTIFIED BY id-sha1}| {OID id-sha1 PARMS NULL}|
{NULL IDENTIFIED BY id-sha256}| {OID id-sha256 PARMS NULL }|
{NULL IDENTIFIED BY id-sha384}| {OID id-sha384 PARMS NULL }|
{NULL IDENTIFIED BY id-sha512}| {OID id-sha512 PARMS NULL },
...} ...}
These identifiers identify the one-way hash algorithms SHA-1 These identifiers identify the one-way hash algorithms SHA-1
[FIPS180-1] and SHA-2 [TBD]. [FIPS180-1] and SHA-2 [TBD].
ntruEESS1v1BVGMs AlgorithmIdentifier ::= { The ASN.1 for the bvgm used in ExplicitNTRUParameters is specified
{NTRUBVGM1-params IDENTIFIED BY id-bvgm-ntru-1}, below.
{NTRUBVGM2-params IDENTIFIED BY id-bvgm-ntru-2},
NTRUBVGMAlgorithmIdentifier ::=
AlgorithmIdentifier {{NTRUEESS1v1BVGMs}}
NTRUEESS1v1BVGMs ALGORITHM ::= {
{OID id-bvgm-ntru-1 PARMS NTRUBVGM1-params}|
{OID id-bvgm-ntru-2 PARMS NTRUBVGM2-params},
...} ...}
id-bvgm-ntru-1 OBJECT IDENTIFIER ::= id-bvgm-ntru-1 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 2} {id-eess1-encodingMethods 2}
NTRUBVGM1-params ::= SEQUENCE { NTRUBVGM1-params ::= SEQUENCE {
c INTEGER, c INTEGER,
prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, prng NTRUPRNGAlgorithmIdentifier,
dr INTEGER dr INTEGER
} }
id-bvgm-ntru-2 OBJECT IDENTIFIER ::= id-bvgm-ntru-2 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 3} {id-eess1-encodingMethods 3}
NTRUBVGM2-params ::= SEQUENCE { NTRUBVGM2-params ::= SEQUENCE {
c INTEGER, c INTEGER,
prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, prng NTRUPRNGAlgorithmIdentifier,
dr1 INTEGER, dr1 INTEGER,
dr2 INTEGER, dr2 INTEGER,
dr3 INTEGER dr3 INTEGER
} }
The identifier id-bvgm-ntru-1 identifies blinding value generation The identifier id-bvgm-ntru-1 identifies blinding value generation
method BVGM-NTRU1, defined in EESS #1 [EESS#1]. The identifier id- method BVGM-NTRU1, defined in EESS #1 [EESS#1]. The identifier id-
bvgm-ntru-2 identifies blinding value generation method BVGM-NTRU2, bvgm-ntru-2 identifies blinding value generation method BVGM-NTRU2,
defined in EESS #1 [EESS#1]. defined in EESS #1 [EESS#1].
The fields of type NTRUBVGM1-params have the following meanings: The fields of type NTRUBVGM1-params have the following meanings:
c is the random polynomial generation constant used to select c is the random polynomial generation constant used to select
the polynomial r. the polynomial r.
dr1 is the number of 1s in the blinding value component r1. dr1 is the number of 1s in the blinding value component r1.
dr2 is the number of 1s in the blinding value component r2. dr2 is the number of 1s in the blinding value component r2.
dr3 is the number of 1s in the blinding value component r3. dr3 is the number of 1s in the blinding value component r3.
The allowed pseudo-random number generation algorithms are defined The allowed pseudo-random number generation algorithms are defined
by: by:
ntruEESS1v1PRNGs AlgorithmIdentifier ::= { NTRUPRNGAlgorithmIdentifier ::=
{NTRUMGFAlgorithms}| AlgorithmIdentifier {{NTRUEESS1v1PRNGs}}
NTRUEESS1v1PRNGs ALGORITHM ::= {
NTRUMGFAlgorithms,
...} ...}
This identifies the pseudo-random number generation algorithm to be This identifies the pseudo-random number generation algorithm to be
used when generating blinding values. The only allowed algorithms used when generating blinding values. The only allowed algorithms
are MGF1 (see [IEEE 1363]) using SHA-1 [FIPS180-1] or SHA-2 are MGF1 (see [IEEE 1363]) using SHA-1 [FIPS180-1] or SHA-2
[FIPS180-2]. [FIPS180-2].
NTRUMGFAlgorithms AlgorithmIdentifier ::= { NTRUMGFAlgorithms ALGORITHM ::= {
{MGF1Parameters IDENTIFIED BY id-mgf1}| {OID id-mgf1 PARMS MGF1Parameters},
...} ...}
pkcs-1 OBJECT IDENTIFIER ::= pkcs-1 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
1} 1}
id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8} id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8}
MGF1Parameters ::= AlgorithmIdentifier {{ntruEESS1v1Hashes}} MGF1Parameters ::= AlgorithmIdentifier {{NTRUEESS1v1Hashes}}
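As an added example (Python; not text from the draft and not EESS #1 or NTRU Cryptosystems code), the MGF1 construction the text names, as IEEE 1363 and PKCS #1 define it: Hash(seed || C) for a 4-byte big-endian counter C = 0, 1, ..., concatenated and truncated to the requested length. The hash is selected by the OID carried in the MGF1Parameters AlgorithmIdentifier, and the lookup is gated on the closed set NTRUEESS1v1Hashes listed above rather than on whatever hashlib happens to know. The step from mask octets to a blinding polynomial with dr ones is BVGM-NTRU1/BVGM-NTRU2 in EESS #1 and is not reproduced here.

```python
"""Added example, not from the draft: MGF1 (IEEE 1363 / PKCS #1) keyed by the
hash OIDs the draft admits in NTRUEESS1v1Hashes, as carried in MGF1Parameters."""
import hashlib

ID_SHA1 = (1, 3, 14, 3, 2, 26)
_NIST_HASHALGS = (2, 16, 840, 1, 101, 3, 4, 2)
ID_SHA256 = _NIST_HASHALGS + (1,)
ID_SHA384 = _NIST_HASHALGS + (2,)
ID_SHA512 = _NIST_HASHALGS + (3,)
# NTRUEESS1v1Hashes: the only hashes an MGF1Parameters AlgorithmIdentifier may name.
NTRU_EESS1V1_HASHES = {ID_SHA1: "sha1", ID_SHA256: "sha256",
                       ID_SHA384: "sha384", ID_SHA512: "sha512"}


def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """T = Hash(seed || C) for C = 0, 1, ... (4-byte big-endian counter), concatenated
    and truncated to `length` octets. Deterministic in the seed: the same seed yields
    the same blinding-value stream, so the seed itself has to be unpredictable."""
    hlen = hashlib.new(hash_name).digest_size
    if length > hlen << 32:                      # counter is 32 bits wide
        raise ValueError("mask too long")
    blocks = (hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
              for c in range((length + hlen - 1) // hlen))
    return b"".join(blocks)[:length]


def mgf1_for_oid(hash_oid, seed: bytes, length: int) -> bytes:
    """Resolve the hash OID found in MGF1Parameters; an OID outside the closed set
    NTRUEESS1v1Hashes is rejected rather than guessed at."""
    name = NTRU_EESS1V1_HASHES.get(tuple(hash_oid))
    if name is None:
        raise ValueError("hash OID not in NTRUEESS1v1Hashes: %r" % (hash_oid,))
    return mgf1(seed, length, name)
```

Because the output is a prefix-consistent stream (the first k octets do not depend on how many are requested), an implementation can draw blinding-value material incrementally; what it must not do is accept an unlisted hash OID from the certificate and silently substitute one.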
The NTRU public key MUST be encoded using the ASN.1 type The NTRUEncrypt public key MUST be encoded using the ASN.1 type
NTRUPublicKey. NTRUPublicKey.
NTRUPublicKey ::= SEQUENCE { NTRUPublicKey ::= SEQUENCE {
publicKeyVector NTRUPublicVector, -- h publicKeyVector NTRUPublicVector, -- h
ntruKeyExtensions SET OF NTRUKeyExtension ntruKeyExtensions NTRUKeyExtensions OPTIONAL
OPTIONAL} }
NTRUKeyExtensions ::=
SEQUENCE SIZE(1..MAX) OF NTRUKeyExtension
NTRUKeyExtension ::= CHOICE { NTRUKeyExtension ::= CHOICE {
keyID [0] IMPLICIT INTEGER, keyID [0] IMPLICIT INTEGER,
...} ...}
The fields of the type NTRUPublicKey have the following meanings: The fields of the type NTRUPublicKey have the following meanings:
publicKeyVector is the polynomial h. If the NTRUPublicVector publicKeyVector is the polynomial h. If the NTRUPublicVector
is a ModQVector, each coefficient will be represented by one is a ModQVector, each coefficient will be represented by one
byte starting with the lowest degree and going to the highest. byte starting with the lowest degree and going to the highest.
If the NTRUPublicVector is a PackedModQVector, this is the If the NTRUPublicVector is a PackedModQVector, this is the
OCTET STRING representing h obtained using RE2BSP and then OCTET STRING representing h obtained using RE2BSP and then
BS2OSP as defined in EESS #1 [EESS#1]. All coefficients up to BS2OSP as defined in EESS #1 [EESS#1]. All coefficients up to
X^(N-1) SHALL be explicitly included in publicKeyVector. X^(N-1) SHALL be explicitly included in publicKeyVector.
Representing the NTRU public key as a ModQVector is the Representing the NTRUEncrypt public key as a ModQVector is the
preferred method. preferred method.
ntruKeyExtensions is provided for future extensibility. Only ntruKeyExtensions is provided for future extensibility. Only
one extension is currently defined. one extension is currently defined.
The fields of the type NTRUKeyExtension have the following meanings: The fields of the type NTRUKeyExtension have the following meanings:
keyID can be used to associate a unique key identifier with the keyID can be used to associate a unique key identifier with the
key. key.
If the keyUsage extension is present in an end entity certificate If the keyUsage extension is present in an end entity certificate
that conveys an NTRU public key, any combination of the following that conveys an NTRUEncrypt public key, any combination of the
values MAY be present: following values MAY be present:
keyEncipherment; keyEncipherment;
dataEncipherment; dataEncipherment;
If the keyUsage extension is present in a CA certificate that If the keyUsage extension is present in a CA certificate that
conveys an NTRU public key, any combination of the following values conveys an NTRUEncrypt public key, any combination of the following
MAY be present: values MAY be present:
keyEncipherment; and keyEncipherment; and
dataEncipherment. dataEncipherment.
2.2.2 NSS Keys 2.2.2 NTRUSign Keys
This section identifies the preferred OID and parameter encoding for This section identifies the preferred OID and parameter encoding for
the inclusion of an NSS public key in a certificate. The NSS the inclusion of an NTRUSign public key in a certificate. The
signature algorithm is defined in EESS #1 [EESS#1]. NTRUSign signature algorithm is defined in EESS #1 [EESS#1].
The OID id-ntru-EESS1v1-SVSSA identifies NSS public keys. The OID id-ntru-EESS1v1-SVSSA identifies NTRUSign public keys.
id-ntru-EESS1v1-SVSSA OBJECT IDENTIFIER ::= {id-eess1-algs 2} id-ntru-EESS1v1-NTRUSign OBJECT IDENTIFIER ::=
{id-eess1-algs 3}
The id-ntru-EESS1v1-SVSSA OID is intended to be used in the The id-ntru-EESS1v1-NTRUSign OID is intended to be used in the
algorithm field of a value of type AlgorithmIdentifier. NSS algorithm field of a value of type AlgorithmIdentifier. NTRUSign
requires use of certain parameters with the public key. The requires use of certain parameters with the public key. The
parameters may be implied by context (e.g. they may be inherited parameters may be implied by context (e.g. they may be inherited
from the issuer), implicitly included through reference of a degree, from the issuer), implicitly included through reference of a degree,
implicitly included through reference of a standard parameter set or implicitly included through reference of a standard parameter set or
explicitly included in the certificate. explicitly included in the certificate. The parameters associated
with id-ntru-EESS1v1-NTRUSign are EESS1v1-NTRUSign-Parameters.
EESS1v1-SVSSA-Parameters ::= CHOICE { EESS1v1-NTRUSign-Parameters ::= CHOICE {
degree INTEGER degree Degree,
(CONSTRAINED BY {--must be 251, standardNTRUSignParameters
347 or 503}), StandardNTRUSignParameters,
standardNSSParameters OBJECT IDENTIFIER explicitNTRUSignParameters
{{NSSParameters}}, ExplicitNTRUSignParameters,
explicitNSSParameters ExplicitNSSParameters, externalParameters NULL
externalParameters NULL
} }
When the parameters are implied by context, the parameters field When the parameters are implied by context, the parameters field
SHALL contain externalParameters, which is the ASN.1 value NULL. SHALL contain externalParameters, which is the ASN.1 value NULL.
When the parameters are specified by degree, the values are When the parameters are specified by degree, the value is restricted
restricted to 251, 347 and 503. For the three permitted choices, to 251. For the permitted choice, the parameters are defined to be
the parameters are defined to be ees251sp1, ees347sp1 and ees503sp1 ees251sp2 as defined in EESS #1 [EESS#1]. Specifying the degree is
respectively as defined in EESS #1 [EESS#1]. Specifying the degree the preferred way for transmitting parameter information for the
is the preferred way for transmitting parameter information for the
scheme when the parameters are not implied by context. scheme when the parameters are not implied by context.
When the parameters are specified by reference of a standard, the When the parameters are specified by reference of a standard, the
parameters shall consist of an OID chosen from the list parameters shall consist of an OID chosen from the list
NSSParameters. The current list of NSSParameters OIDs is: NTRUSignParameters. The current list of NTRUSignParameters OIDs is:
NSSParameters OBJECT IDENTIFIER ::= { StandardNTRUSignParameters ::= OIDS.&id({NTRUSignParameters})
id-ees251sp1|
id-ees347sp1| NTRUSignParameters OIDS ::= {
id-ees503sp1| { OID id-ees251sp2 },
...} ...}
The above object identifiers are specified by: The above object identifier is specified by:
id-ees251sp1 OBJECT IDENTIFIER ::= {id-eess1-params 4} id-ees251sp2 OBJECT IDENTIFIER ::= {id-eess1-params 7}
id-ees347sp1 OBJECT IDENTIFIER ::= {id-eess1-params 5}
id-ees503sp1 OBJECT IDENTIFIER ::= {id-eess1-params 6}
When the parameters are explicitly included, they SHALL be encoded When the parameters are explicitly included, they SHALL be encoded
in the ASN.1 structure ExplicitNSSParameters: in the ASN.1 structure ExplicitNTRUSignParameters:
ExplicitNSSParameters ::= SEQUENCE {
version INTEGER,
degree INTEGER,
bigModulus INTEGER,
smallModulus SmallModulus,
bounds NSSBounds,
hash AlgorithmIdentifier
{{ntruEESS1v1Hashes}},
mrgm AlgorithmIdentifier
{{nssEESS1v1MRGMs}},
...}
NSSBounds ::= SEQUENCE { ExplicitNTRUSignParameters ::= SEQUENCE {
version INTEGER, version Version,
l2NormBound1 INTEGER, degree INTEGER,
l2NormBound2 INTEGER, bigModulus INTEGER,
lInfBounds0 Bounds, normBound INTEGER,
lInfBounds1 Bounds, messageRandLength INTEGER,
lInfBounds2 Bounds, hash NTRUSignHashAlgIdentifier,
lInfBounds3 Bounds, mrgm NTRUSignMRGMAlgIdentifier,
devBound0 INTEGER,
devBound1 INTEGER,
devBound2 INTEGER,
devBound3 INTEGER,
devBoundTot0 INTEGER,
devBoundTot1 INTEGER,
devBoundTot2 INTEGER,
devBoundTot3 INTEGER,
...} ...}
Bounds ::= SEQUENCE { The fields of type ExplicitNTRUSignParameters have the following
minimum INTEGER,
maximum INTEGER
}
The fields of type ExplicitNSSParameters have the following
meanings: meanings:
version is the version number, for compatibility with future version is the version number, for compatibility with future
revisions of this document. It SHALL be 0 for this version of revisions of this document. It SHALL be 0 for this version of
the document. the document.
degree is the value N. degree is the value N.
bigModulus is the value q. q will be 256 or less. bigModulus is the value q. q will be 256 or less.
smallModulus is the value p. It SHALL be represented with the normBound is the maximum norm of the signature
SmallModulus type, defined in section 2.2.1.
bounds is the list of values of the bounds that are used to messageRandLength is the length of the randomization padding
check the validity of the signature. appended to the message digest before generating the message
representative.
hash identifies the hash algorithm used using an allowed hash identifies the hash algorithm used using an allowed
AlgorithmIdentifier. AlgorithmIdentifier.
mrgm identifies the message representative generation method mrgm identifies the message representative generation method
using an allowed AlgorithmIdentifier. using an allowed AlgorithmIdentifier.
The type NSSBounds is used to encode the bounds used when verifying The AlgorithmIdentifiers for the field hash of
the NSS signature. The fields of type NSSBounds have the following ExplicitNTRUSignParameters are chosen from the set
meaning: NTRUEESS1v1Hashes, which is defined in section 2.2.1.
version is the version number, for compatibility with future
revisions of this document. It shall be 0 for this version of
the document.
l2NormBound1 is the L2 norm bound on a single signature
component, s or t.
l2NormBound2 is the L2 norm bound on the combined signature
s||t.
lInfBounds0 gives LInfBoundjMin and LInfBoundjMax for j = 0.
lInfBounds1 gives LInfBoundjMin and LInfBoundjMax for j = 1.
lInfBounds2 gives LInfBoundjMin and LInfBoundjMax for j = 2.
lInfBounds3 gives LInfBoundjMin and LInfBoundjMax for j = 3.
devBound0 is the deviation bound DevBound0.
devBound1 is the deviation bound DevBound1.
devBound2 is the deviation bound DevBound2.
devBound3 is the deviation bound DevBound3.
devBoundTot0 is the deviation bound DevBoundTot0.
devBoundTot1 is the deviation bound DevBoundTot1.
devBoundTot2 is the deviation bound DevBoundTot2.
devBoundTot3 is the deviation bound DevBoundTot3.
Within the NSSBounds type, the Bounds type encodes pairs of upper
and lower bounds on values. The fields of type Bounds have the
following meaning:
minimum is the lower bound.
maximum is the upper bound. NTRUSignHashAlgIdentifier ::=
AlgorithmIdentifier {{NTRUEESS1v1Hashes}}
The AlgorithmIdentifiers for the field hash of ExplicitNSSParameters The AlgorithmIdentifiers for the field mrgm of
are chosen from the set ntruEESS1v1Hashes, which is defined in ExplicitNTRUSignParameters are specified below.
section 2.2.1.
The AlgorithmIdentifiers for the field mrgm of ExplicitNSSParameters NTRUSignMRGMAlgIdentifier ::=
are specified below. AlgorithmIdentifier {{NTRUSignEESS1v1MRGMs}}
nssEESS1v1MRGMs AlgorithmIdentifier ::= { NTRUSignEESS1v1MRGMs ALGORITHM ::= {
{NSSMRGM1-params IDENTIFIED BY id-mrgm-nss-1}, {OID id-mrgm-ntrusign-1 PARMS NTRUSignMRGM1-params}|
{NSSMRGM2-params IDENTIFIED BY id-mrgm-nss-2}, {OID id-mrgm-ntrusign-2 PARMS NTRUSignMRGM2-params},
...} ...}
id-mrgm-nss-1 OBJECT IDENTIFIER ::= id-mrgm-ntrusign-1 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 4} {id-eess1-encodingMethods 6}
NSSMRGM1-params ::= SEQUENCE { NTRUSignMRGM1-params ::= NTRUSignPRNGAlgIdentifier
c INTEGER
prng AlgorithmIdentifier
{{ntruEESS1v1PRNGs}},
di INTEGER
}
id-mrgm-nss-2 OBJECT IDENTIFIER ::= id-mrgm-ntrusign-2 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 5} {id-eess1-encodingMethods 7}
NSSMRGM2-params ::= SEQUENCE { NTRUSignMRGM2-params ::= SEQUENCE {
c INTEGER c INTEGER,
prng AlgorithmIdentifier numGroups INTEGER,
{{ntruEESS1v1PRNGs}}, numElements INTEGER,
di1 INTEGER, prng NTRUSignPRNGAlgIdentifier
di2 INTEGER,
di3 INTEGER
} }
The identifier id-mrgm-nss-1 identifies the message representative NTRUSignPRNGAlgIdentifier ::=
generation method MRGM-NSS1, defined in EESS #1 [EESS#1]. The AlgorithmIdentifier {{NTRUEESS1v1PRNGs}}
identifier id-mrgm-nss-2 identifies the message representative
generation method MRGM-NSS2, defined in EESS #1 [EESS#1].
The fields of type NSSMRGM1-params have the following meanings:
c is the random polynomial generation constant used to select The identifier id-mrgm-ntrusign-1 identifies the message
the polynomial i. representative generation method MRGM-NTRUSign1, defined in EESS #1
[EESS#1]. The identifier id-mrgm-ntrusign-2 identifies the message
representative generation method MRGM-NTRUSign2, defined in EESS #1
[EESS#1].
prng identifies the pseudo-random number generation method The type NTRUSignMRGM1-params has the following meaning:
using an allowed AlgorithmIdentifier.
di is the number of 1's and -1's in the message representative NTRUSignMRGM1-params is itself an NTRUSignPRNGAlgIdentifier; it
i. identifies the pseudo-random number generation method using an allowed AlgorithmIdentifier.
The fields of type NSSMRGM2-params have the following meanings: The fields of type NTRUSignMRGM2-params have the following meanings:
c is the random polynomial generation constant used to select c is the random polynomial generation constant used to select
the polynomial i. the message representative.
prng identifies the pseudo-random number generation method
using an allowed AlgorithmIdentifier.
di1 is the number of 1's and -1's in the message representative numGroups is the number of factors combined to form the message
component i1. representative.
di2 is the number of 1's and -1's in the message representative numElements is the number of non-zero coefficients in each
component i2. factor of the message representative.
di3 is the number of 1's and -1's in the message representative prng identifies the pseudo-random number generation method
component i3. using an allowed AlgorithmIdentifier.
The allowed pseudo-random number generation algorithms are chosen The allowed pseudo-random number generation algorithms are chosen
from the set ntruEESS1v1PRNGs, which is defined in section 2.2.1. from the set NTRUEESS1v1PRNGs, which is defined in section 2.2.1.
The NSS public key MUST be encoded using the ASN.1 type The NTRUSign public key MUST be encoded using the ASN.1 type
NSSPublicKey. NTRUSignPublicKey.
NSSPublicKey ::= SEQUENCE { NTRUSignPublicKey ::= SEQUENCE {
publicKeyVector NTRUPublicVector, -- h publicKeyVector NTRUPublicVector, -- h
nssKeyExtensions SET OF NSSKeyExtension ntruSignKeyExtensions NTRUSignKeyExtensions OPTIONAL
OPTIONAL} }
NSSKeyExtension ::= CHOICE {
NTRUSignKeyExtensions ::=
SEQUENCE SIZE(1..MAX) OF NTRUSignKeyExtension
NTRUSignKeyExtension ::= CHOICE {
keyID [0] IMPLICIT INTEGER, keyID [0] IMPLICIT INTEGER,
...} ...}
The fields of the type NSSPublicKey have the following meanings: The fields of the type NTRUSignPublicKey have the following
meanings:
publicKeyVector is the polynomial h. If the NTRUPublicVector publicKeyVector is the polynomial h. If the NTRUPublicVector
is a ModQVector, each coefficient will be represented by one is a ModQVector, each coefficient will be represented by one
byte starting with the lowest degree and going to the highest. byte starting with the lowest degree and going to the highest.
If the NTRUPublicVector is a PackedModQVector, this is the If the NTRUPublicVector is a PackedModQVector, this is the
OCTET STRING representing h obtained using RE2BSP and then OCTET STRING representing h obtained using RE2BSP and then
BS2OSP as defined in EESS #1 [EESS#1]. All coefficients up to BS2OSP as defined in EESS #1 [EESS#1]. All coefficients up to
X^(N-1) SHALL be explicitly included in publicKeyVector. X^(N-1) SHALL be explicitly included in publicKeyVector.
Representing the NSS public key as a ModQVector is the Representing the NTRUSign public key as a ModQVector is the
preferred method. preferred method.
nssKeyExtensions is provided for future extensibility. Only ntruSignKeyExtensions is provided for future extensibility.
one extension is currently defined. Only one extension is currently defined.
The fields of the type NSSKeyExtension have the following meanings: The fields of the type NTRUSignKeyExtension have the following
meanings:
keyID can be used to associate a unique key identifier with the keyID can be used to associate a unique key identifier with the
key. key.
If the keyUsage extension is present in an end entity certificate If the keyUsage extension is present in an end entity certificate
that conveys an NSS public key, any combination of the following that conveys an NTRUSign public key, any combination of the
values MAY be present: following values MAY be present:
digitalSignature; digitalSignature;
nonRepudiation; nonRepudiation;
If the keyUsage extension is present in a CA certificate that If the keyUsage extension is present in a CA certificate that
conveys an NSS public key, any combination of the following values conveys an NTRUSign public key, any combination of the following
MAY be present: values MAY be present:
digitalSignature; digitalSignature;
nonRepudiation; nonRepudiation;
keyCertSign; and keyCertSign; and
cRLSign. cRLSign.
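The NTRUEncrypt key of section 2.2.1 and the NTRUSign key of section 2.2.2 share one shape: an AlgorithmIdentifier whose parameters are an untagged CHOICE (degree, standard-set OID, explicit SEQUENCE or NULL) and a BIT STRING holding a SEQUENCE whose first element is the [0] IMPLICIT ModQVector h. The following Python is an added example, not text from the draft and not NTRU Cryptosystems code: it encodes and decodes that SubjectPublicKeyInfo for either key type with a hand-written DER layer, so every tag and length is visible, and then applies the checks the text implies for a relying party: the algorithm OID must be one of the two defined here, N must be recoverable from the parameters, the vector must carry exactly N coefficients (all up to X^(N-1) are mandatory) and each coefficient must be reduced modulo q. The sample polynomial, the value q = 128 and the keyID used in the usage below are constructed for illustration; q is passed in by the caller because EESS #1, not this page, fixes it per parameter set. The mapping from standard parameter-set OIDs to N follows the set names (ees251.., ees347.., ees503..). PackedModQVector (RE2BSP/BS2OSP) and the Explicit*Parameters SEQUENCEs are left undecoded for the same reason.

```python
"""Added example (not the draft's text or NTRU Cryptosystems' code): DER for a
SubjectPublicKeyInfo carrying an NTRUEncrypt or NTRUSign key (-01 ASN.1)."""

NTRU = (1, 3, 6, 1, 4, 1, 8342)                      # ntruCryptosystems arc
ID_EESS1_ALGS, ID_EESS1_PARAMS = NTRU + (1, 1, 1), NTRU + (1, 1, 2)
ID_EESS1V1_SVES = ID_EESS1_ALGS + (1,)               # NTRUEncrypt public key
ID_EESS1V1_NTRUSIGN = ID_EESS1_ALGS + (3,)           # NTRUSign public key
ID_EES251EP1, ID_EES251SP2 = ID_EESS1_PARAMS + (1,), ID_EESS1_PARAMS + (7,)
DEGREE_OF = {ID_EES251EP1: 251, ID_EESS1_PARAMS + (2,): 347,   # N implied by a
             ID_EESS1_PARAMS + (3,): 503, ID_EES251SP2: 251}   # standard-set OID

def _tlv(tag, body):                                 # definite-length DER element
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
_int_body = lambda v: v.to_bytes((v.bit_length() + 8) // 8, "big")  # non-negative INTEGER content

def der_oid(arcs):
    out = bytearray()
    for sub in (40 * arcs[0] + arcs[1],) + tuple(arcs[2:]):
        chunk = [sub & 0x7F]
        while sub >> 7:
            sub >>= 7
            chunk.append(0x80 | (sub & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_spki(alg_oid, params, h, key_id=None):
    """params: ("degree", N) | ("standard", oid) | ("external", None); h: ModQVector."""
    kind, val = params                               # CHOICE is untagged: alternative encoded bare
    p = {"degree": lambda: _tlv(0x02, _int_body(val)), "standard": lambda: der_oid(val),
         "external": lambda: b"\x05\x00"}[kind]()
    fields = [_tlv(0x80, bytes(h))]                  # modQVector [0] IMPLICIT, one byte per coeff
    if key_id is not None:                           # NTRUKeyExtensions SEQUENCE OF
        fields.append(_tlv(0x30, _tlv(0x80, _int_body(key_id))))  # keyID [0] IMPLICIT
    alg = _tlv(0x30, der_oid(alg_oid) + p)           # AlgorithmIdentifier
    bits = _tlv(0x03, b"\x00" + _tlv(0x30, b"".join(fields)))  # BIT STRING(NTRUPublicKey)
    return _tlv(0x30, alg + bits)

def _read(buf, pos):                                 # one TLV at pos -> (tag, value, end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln
def _children(body):
    kids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        kids.append((tag, val))
    return kids
def _oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return (arcs[0] // 40, arcs[0] % 40) + tuple(arcs[1:])

def decode_spki(der):
    tag, body, end = _read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    (_, alg), (btag, bits) = _children(body)
    (_, oid_body), (ptag, pbody) = _children(alg)
    if ptag == 0x02:
        params = ("degree", int.from_bytes(pbody, "big"))
    elif ptag == 0x06:
        params = ("standard", _oid(pbody))
    else:                                            # explicit SEQUENCE kept raw, or NULL; KeyError otherwise
        params = ({0x30: "explicit", 0x05: "external"}[ptag], pbody or None)
    if btag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    kids = _children(_read(bits, 1)[1])              # NTRUPublicKey fields
    vtag, vbody = kids[0]
    if vtag != 0x80:                                 # 0x81 would be packedModQVector [1]
        raise ValueError("only modQVector is decoded; RE2BSP unpacking is in EESS #1")
    exts = _children(kids[1][1]) if len(kids) > 1 else []
    key_id = next((int.from_bytes(b, "big", signed=True) for t, b in exts if t == 0x80), None)
    return {"algorithm": _oid(oid_body), "params": params, "h": list(vbody), "key_id": key_id}

def check_public_key(info, q):
    """Reasons a relying party must reject the key; q is caller-supplied (EESS #1 fixes it)."""
    problems = []
    if info["algorithm"] not in (ID_EESS1V1_SVES, ID_EESS1V1_NTRUSIGN):
        problems.append("unknown algorithm OID")
    kind, val = info["params"]
    n = val if kind == "degree" else DEGREE_OF.get(val) if kind == "standard" else None
    if n is None:
        problems.append("degree not recoverable from %s parameters" % kind)
    elif len(info["h"]) != n:                        # all coefficients up to X^(N-1) are mandatory
        problems.append("publicKeyVector has %d coefficients, N is %d" % (len(info["h"]), n))
    if not 0 < q <= 256 or max(info["h"], default=0) >= q:  # q <= 256: one byte per coefficient
        problems.append("coefficient not reduced modulo q")
    return problems
```

Usage: encode_spki(ID_EESS1V1_SVES, ("degree", 251), h, key_id=7) produces the certificate's SubjectPublicKeyInfo; decode_spki followed by check_public_key(info, q) is what a certificate-parsing library should run before handing h to the scheme. A vector that is short, long or carries a coefficient at or above q is a malformed key to be rejected, not something to pad, truncate or reduce silently; with externalParameters (NULL) the degree is not in the certificate at all and must come from the issuer context before the length check can even be made.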
3. ASN.1 Module 3. ASN.1 Module
-- PKIXAlgorithmOIDTBD {--TBD} PKIXAlgorithmOIDTBD -- {TBD} --
DEFINITIONS EXPLICIT TAGS ::= BEGIN DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- EXPORTS ALL; -- EXPORTS ALL; --
-- IMPORTS; -- IMPORTS None; --
-- Supporting definitions
AlgorithmIdentifier { ALGORITHM: IOSet } ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm})
OPTIONAL
}
ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
}
WITH SYNTAX { OID &id [PARMS &Type] }
OIDS ::= ALGORITHM
-- Informational object identifiers
pkcs-1 OBJECT IDENTIFIER ::= pkcs-1 OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
1} 1}
id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8} id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8}
id-sha1 OBJECT IDENTIFIER ::= id-sha1 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) oiw(14) secsig(3) {iso(1) identified-organization(3) oiw(14) secsig(3)
algorithms(2) 26} algorithms(2) 26}
id-sha256 OBJECT IDENTIFIER ::= id-sha256 OBJECT IDENTIFIER ::=
{joint-iso-itu-t(2) country(16) us(840) organization(1) {joint-iso-itu-t(2) country(16) us(840) organization(1)
gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1} gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1}
id-sha384 OBJECT IDENTIFIER ::= id-sha384 OBJECT IDENTIFIER ::=
{joint-iso-itu-t(2) country(16) us(840) organization(1) {joint-iso-itu-t(2) country(16) us(840) organization(1)
gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2} gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2}
id-sha512 OBJECT IDENTIFIER ::= id-sha512 OBJECT IDENTIFIER ::=
{joint-iso-itu-t(2) country(16) us(840) organization(1) {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3} csor(3) nistalgorithm(4) hashalgs(2) 3}
-- END IMPORTS -- NTRU Object Identifiers
---- ntru OBJECT IDENTIFIER ::=
---- General Types {iso(1) identified-organization(3) dod(6) internet(1)
---- private(4) enterprises(1) ntruCryptosystems (8342) }
ModQVector ::= OCTET STRING id-eess1 OBJECT IDENTIFIER ::= {ntru eess(1) 1}
PackedModQVector ::= OCTET STRING id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1}
id-eess1-params OBJECT IDENTIFIER ::= {id-eess1 2}
id-eess1-encodingMethods OBJECT IDENTIFIER ::= {id-eess1 3}
NTRUPublicVector ::= CHOICE { -- OID for NTRUSign Algorithm and Public Key
modQVector [0] IMPLICIT ModQVector, id-ntru-EESS1v1-NTRUSign OBJECT IDENTIFIER ::=
packedModQVector [1] IMPLICIT PackedModQVector {id-eess1-algs 3}
...}
TruncatedModQVector ::= OCTET STRING -- OID for NTRUSign Parameter Set
NTRUGeneralPolynomial ::= SEQUENCE { id-ees251sp2 OBJECT IDENTIFIER ::= {id-eess1-params 7}
degree INTEGER,
q INTEGER,
coefficients TruncatedModQVector
}
SmallModulus ::= CHOICE { -- OIDs for NTRUSign Encoding Methods
integerValue INTEGER,
polynomialValue NTRUGeneralPolynomial
}
Bounds ::= SEQUENCE { id-mrgm-ntrusign-1 OBJECT IDENTIFIER ::=
minimum INTEGER, {id-eess1-encodingMethods 6}
maximum INTEGER
}
---- id-mrgm-ntrusign-2 OBJECT IDENTIFIER ::=
---- General OIDs and AlgorithmIdentifiers {id-eess1-encodingMethods 7}
----
id-eess1 OBJECT IDENTIFIER ::= -- OID for NTRUEncrypt Algorithm and Public Key
{ iso(1) ISO Identified Organization(3) US Department
of Defense(6) Internet(1) Private(4) Enterprises(1)
NTRU Cryptosystems(8342) eess(1) 1}
id-eess1-algs OBJECT IDENTIFIER ::= {id-eess1 1} id-ntru-EESS1v1-SVES OBJECT IDENTIFIER ::=
id-eess1-params OBJECT IDENTIFIER ::= {id-eess1 2} {id-eess1-algs 1}
id-eess1-encodingMethods OBJECT IDENTIFIER ::= {id-eess1 3}
ntruEESS1v1Hashes AlgorithmIdentifier ::= { -- OIDs for NTRUEncrypt Parameter Sets
{NULL IDENTIFIED BY id-sha1}|
{NULL IDENTIFIED BY id-sha256}|
{NULL IDENTIFIED BY id-sha384}|
{NULL IDENTIFIED BY id-sha512}|
...}
ntruEESS1v1PRNGs AlgorithmIdentifier ::= { id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params 1}
{NTRUMGFAlgorithms}| id-ees347ep1 OBJECT IDENTIFIER ::= {id-eess1-params 2}
...} id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params 3}
NTRUMGFAlgorithms AlgorithmIdentifier ::= { -- OIDs for NTRUEncrypt Encoding Methods
{MGF1Parameters IDENTIFIED BY id-mgf1}|
...}
MGF1Parameters ::= AlgorithmIdentifier {{ntruEESS1v1Hashes} id-mrgm-ntru-1 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 1}
---- id-bvgm-ntru-1 OBJECT IDENTIFIER ::=
---- NSS Keys and Signatures {id-eess1-encodingMethods 2}
----
-- OID for NSS Algorithm and Public Key id-bvgm-ntru-2 OBJECT IDENTIFIER ::=
{id-eess1-encodingMethods 3}
id-ntru-EESS1v1-SVSSA OBJECT IDENTIFIER ::= {id-eess1-algs 2} -- General Types
-- OIDs for NSS Parameter Sets NTRUPublicVector ::= CHOICE {
modQVector [0] IMPLICIT ModQVector,
packedModQVector [1] IMPLICIT PackedModQVector,
...}
id-ees251sp1 OBJECT IDENTIFIER ::= {id-eess1-params 4} ModQVector ::= OCTET STRING
id-ees347sp1 OBJECT IDENTIFIER ::= {id-eess1-params 5}
id-ees503sp1 OBJECT IDENTIFIER ::= {id-eess1-params 6}
-- OIDs for NSS Encoding Methods PackedModQVector ::= OCTET STRING
id-mrgm-nss-1 OBJECT IDENTIFIER ::= NTRUGeneralPolynomial ::= SEQUENCE {
{id-eess1-encodingMethods 4} numberOfEntries INTEGER,
modulus INTEGER,
coefficients GeneralVector
}
GeneralVector ::= OCTET STRING
id-mrgm-nss-2 OBJECT IDENTIFIER ::= SmallModulus ::= CHOICE {
{id-eess1-encodingMethods 5} integerValue INTEGER,
polynomialValue NTRUGeneralPolynomial
}
-- Encoding for NSS Public Key Degree ::= INTEGER (251 | 347 | 503, ...)
EESS1v1-SVSSA-Parameters ::= CHOICE { Version ::= INTEGER { v0(0) } (v0, ...)
degree INTEGER
(CONSTRAINED BY {--must be 251,
347 or 503}),
standardNSSParameters OBJECT IDENTIFIER
{{NSSParameters}},
explicitNSSParameters ExplicitNSSParameters,
externalParameters NULL
}
NSSParameters OBJECT IDENTIFIER ::= { NTRUEESS1v1Hashes ALGORITHM ::= {
id-ees251sp1| {OID id-sha1 PARMS NULL}|
id-ees347sp1| {OID id-sha256 PARMS NULL }|
id-ees503sp1| {OID id-sha384 PARMS NULL }|
{OID id-sha512 PARMS NULL },
...} ...}
ExplicitNSSParameters ::= SEQUENCE { NTRUEESS1v1PRNGs ALGORITHM ::= {
version INTEGER, NTRUMGFAlgorithms,
degree INTEGER,
bigModulus INTEGER,
smallModulus SmallModulus,
bounds NSSBounds,
hash AlgorithmIdentifier
{{nssEESS1v1Hashes}},
mrgm AlgorithmIdentifier
{{nssEESS1v1MRGMs}},
...} ...}
NSSBounds ::= SEQUENCE { NTRUMGFAlgorithms ALGORITHM ::= {
version INTEGER, {OID id-mgf1 PARMS MGF1Parameters},
l2NormBound1 INTEGER,
l2NormBound2 INTEGER,
lInfBounds0 Bounds,
lInfBounds1 Bounds,
lInfBounds2 Bounds,
lInfBounds3 Bounds,
devBound0 INTEGER,
devBound1 INTEGER,
devBound2 INTEGER,
devBound3 INTEGER,
devBoundTot0 INTEGER,
devBoundTot1 INTEGER,
devBoundTot2 INTEGER,
devBoundTot3 INTEGER,
...} ...}
nssEESS1v1MRGMs AlgorithmIdentifier ::= { MGF1Parameters ::= AlgorithmIdentifier
{NSSMRGM1-params IDENTIFIED BY id-mrgm-nss-1}, {{NTRUEESS1v1Hashes}}
{NSSMRGM2-params IDENTIFIED BY id-mrgm-nss-2},
...}
NSSMRGM1-params ::= SEQUENCE { -- Encoding for NTRUSign Signatures
c INTEGER
prng AlgorithmIdentifier
{{ntruEESS1v1PRNGs}},
di INTEGER
}
NSSMRGM2-params ::= SEQUENCE { NTRUSignSignedData ::= NTRUPublicVector
c INTEGER
prng AlgorithmIdentifier
{{ntruEESS1v1PRNGs}},
di1 INTEGER,
di2 INTEGER,
di3 INTEGER
}
NSSPublicKey ::= SEQUENCE { -- Encoding for NTRUSign Public Keys
NTRUSignPublicKey ::= SEQUENCE {
publicKeyVector NTRUPublicVector, -- h publicKeyVector NTRUPublicVector, -- h
nssKeyExtensions SET OF NSSKeyExtension ntruSignKeyExtensions NTRUSignKeyExtensions OPTIONAL
OPTIONAL} }
NSSKeyExtension ::= CHOICE { NTRUSignKeyExtensions ::=
SEQUENCE SIZE(1..MAX) OF NTRUSignKeyExtension
NTRUSignKeyExtension ::= CHOICE {
keyID [0] IMPLICIT INTEGER, keyID [0] IMPLICIT INTEGER,
...} ...}
---- EESS1v1-NTRUSign-Parameters ::= CHOICE {
---- NTRU Keys degree Degree,
---- standardNTRUSignParameters
StandardNTRUSignParameters,
explicitNTRUSignParameters
ExplicitNTRUSignParameters,
externalParameters NULL
}
-- OID for NTRU Algorithm and Public Key StandardNTRUSignParameters ::= OIDS.&id({NTRUSignParameters})
id-ntru-EESS1v1-SVSSA OBJECT IDENTIFIER ::= NTRUSignParameters OIDS ::= {
{ iso(1) ISO Identified Organization(3) US Department of { OID id-ees251sp2 },
Defense(6) Internet(1) Private(4) Enterprises(1) NTRU ...}
Cryptosystems(8342) eess(1) eess-1(1) eess1-algs(1) 2}
-- OIDs for NTRU Parameter Sets ExplicitNTRUSignParameters ::= SEQUENCE {
version Version,
degree INTEGER,
bigModulus INTEGER,
normBound INTEGER,
messageRandLength INTEGER,
hash NTRUSignHashAlgIdentifier,
mrgm NTRUSignMRGMAlgIdentifier,
...}
id-ees251ep1 OBJECT IDENTIFIER ::= {id-eess1-params 1} NTRUSignHashAlgIdentifier ::=
id-ees347ep1 OBJECT IDENTIFIER ::= {id-eess1-params 2} AlgorithmIdentifier {{NTRUEESS1v1Hashes}}
id-ees503ep1 OBJECT IDENTIFIER ::= {id-eess1-params 3}
-- OIDs for NTRU Encoding Methods NTRUSignMRGMAlgIdentifier ::=
AlgorithmIdentifier {{NTRUSignEESS1v1MRGMs}}
id-mrgm-ntru-1 OBJECT IDENTIFIER ::= NTRUSignEESS1v1MRGMs ALGORITHM ::= {
{id-eess1-encodingMethods 1} {OID id-mrgm-ntrusign-1 PARMS NTRUSignMRGM1-params}|
{OID id-mrgm-ntrusign-2 PARMS NTRUSignMRGM2-params},
...}
id-bvgm-ntru-1 OBJECT IDENTIFIER ::= NTRUSignMRGM1-params ::= NTRUSignPRNGAlgIdentifier
{id-eess1-encodingMethods 2}
id-bvgm-ntru-2 OBJECT IDENTIFIER ::= NTRUSignMRGM2-params ::= SEQUENCE {
{id-eess1-encodingMethods 3} c INTEGER,
numGroups INTEGER,
numElements INTEGER,
prng NTRUSignPRNGAlgIdentifier
}
-- Encoding for NTRU Public Key NTRUSignPRNGAlgIdentifier ::=
AlgorithmIdentifier {{NTRUEESS1v1PRNGs}}
-- Encoding for NTRUEncrypt Public Keys
NTRUPublicKey ::= SEQUENCE {
publicKeyVector NTRUPublicVector, -- h
ntruKeyExtensions NTRUKeyExtensions OPTIONAL
}
NTRUKeyExtensions ::=
SEQUENCE SIZE(1..MAX) OF NTRUKeyExtension
NTRUKeyExtension ::= CHOICE {
keyID [0] IMPLICIT INTEGER,
...}
EESS1v1-SVES-Parameters ::= CHOICE { EESS1v1-SVES-Parameters ::= CHOICE {
degree INTEGER degree Degree,
(CONSTRAINED BY {--must be 251, standardNTRUParameters StandardNTRUParameters,
347 or 503}), explicitNTRUParameters ExplicitNTRUParameters,
standardNTRUParameters OBJECT IDENTIFIER externalParameters NULL
{{NTRUParameters}},
explicitNTRUParameters ExplicitNTRUParameters,
externalParameters NULL
} }
NTRUParameters OBJECT IDENTIFIER ::= { StandardNTRUParameters ::= OIDS.&id({NTRUParameters})
id-ees251ep1|
id-ees347ep1| NTRUParameters OIDS ::= {
id-ees503ep1| { OID id-ees251ep1 }|
{ OID id-ees347ep1 }|
{ OID id-ees503ep1 },
...} ...}
ExplicitNTRUParameters ::= SEQUENCE { ExplicitNTRUParameters ::= SEQUENCE {
version INTEGER, version Version,
degree INTEGER, degree INTEGER,
bigModulus INTEGER, bigModulus INTEGER,
smallModulus SmallModulus, smallModulus SmallModulus,
mrgm AlgorithmIdentifier mrgm NTRUMRGMAlgorithmIdentifier,
{{ntruEESS1v1MRGMs}}, db INTEGER,
db INTEGER, bvgm NTRUBVGMAlgorithmIdentifier,
bvgm AlgorithmIdentifier
{{ntruEESS1v1BVGMs}},
...} ...}
ntruEESS1v1MRGMs AlgorithmIdentifier ::= { NTRUMRGMAlgorithmIdentifier ::=
{NTRUMRGM1-params IDENTIFIED BY id-mrgm-ntru-1}, AlgorithmIdentifier {{NTRUEESS1v1MRGMs}}
NTRUBVGMAlgorithmIdentifier ::=
AlgorithmIdentifier {{NTRUEESS1v1BVGMs}}
NTRUEESS1v1MRGMs ALGORITHM ::= {
{OID id-mrgm-ntru-1 PARMS NTRUMRGM1-params},
...} ...}
NTRUMRGM1-params ::= AlgorithmIdentifier {{ntruEESS1v1Hashes}} NTRUMRGM1-params ::= NTRUHashAlgorithmIdentifier
ntruEESS1v1BVGMs AlgorithmIdentifier ::= { NTRUHashAlgorithmIdentifier ::=
{NTRUBVGM1-params IDENTIFIED BY id-bvgm-ntru-1}, AlgorithmIdentifier {{NTRUEESS1v1Hashes}}
{NTRUBVGM2-params IDENTIFIED BY id-bvgm-ntru-2},
NTRUEESS1v1BVGMs ALGORITHM ::= {
{OID id-bvgm-ntru-1 PARMS NTRUBVGM1-params}|
{OID id-bvgm-ntru-2 PARMS NTRUBVGM2-params},
...} ...}
NTRUBVGM1-params ::= SEQUENCE { NTRUBVGM1-params ::= SEQUENCE {
c INTEGER, c INTEGER,
prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, prng NTRUPRNGAlgorithmIdentifier,
dr INTEGER dr INTEGER
} }
NTRUBVGM2-params ::= SEQUENCE { NTRUBVGM2-params ::= SEQUENCE {
c INTEGER, c INTEGER,
prng AlgorithmIdentifier {{ntruEESS1v1PRNGs}}, prng NTRUPRNGAlgorithmIdentifier,
dr1 INTEGER, dr1 INTEGER,
dr2 INTEGER, dr2 INTEGER,
dr3 INTEGER dr3 INTEGER
} }
NTRUPublicKey ::= SEQUENCE { NTRUPRNGAlgorithmIdentifier ::= AlgorithmIdentifier
publicKeyVector NTRUPublicVector, -- h {{NTRUEESS1v1PRNGs}}
ntruKeyExtensions SET OF NTRUKeyExtension
OPTIONAL}
NTRUKeyExtension ::= CHOICE {
keyID [0] IMPLICIT INTEGER,
...}
END END -- PKIXAlgorithmOIDTBD --
4. Security Considerations 4. Security Considerations
This document is entirely concerned with security mechanisms. It is This document is entirely concerned with security mechanisms. It is
based on the Internet X.509 Public Key Infrastructure Certificate based on the Internet X.509 Public Key Infrastructure Certificate
and CRL Profile [RFC 2459], IEEE P1363.1 [P1363.1] and EESS #1 and CRL Profile [RFC 2459], IEEE P1363.1 [P1363.1] and EESS #1
[EESS#1] and the appropriate security considerations from those [EESS#1] and the appropriate security considerations from those
documents apply. documents apply.
5. Intellectual Property Rights 5. Intellectual Property Rights
NTRU Cryptosystems, Inc. has been granted U.S. Patent No. 6,081,597, NTRU Cryptosystems, Inc. has been granted U.S. Patent No. 6,081,597,
which covers aspects of the NTRU public-key encryption scheme, and which covers aspects of the NTRUEncrypt public-key encryption
has applied for a patent (or patents) that covers the NSS public-key scheme, and has applied for a patent (or patents) that covers the
signature scheme. In addition, NTRU Cryptosystems may have applied NTRUSign public-key signature scheme. In addition, NTRU
for additional patent coverage on implementation techniques related Cryptosystems may have applied for additional patent coverage on
to the use of NTRU or NSS. This and any additional patent implementation techniques related to the use of NTRUEncrypt or
information will be sent to the IETF. NTRUSign. This and any additional patent information will be sent
to the IETF.
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances claims of rights made available for publication and any assurances
skipping to change at page 22, line 51 skipping to change at page 21, line 54
to obtain a general license or permission for the use of such to obtain a general license or permission for the use of such
proprietary rights by implementers or users of this specification proprietary rights by implementers or users of this specification
can be obtained from the IETF Secretariat. can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights, which may cover technology that may be required to implement rights, which may cover technology that may be required to implement
the techniques in this document. Please address the information to the techniques in this document. Please address the information to
the IETF Executive Director. the IETF Executive Director.
6. References 6. Acknowledgements
The authors would like to thank Phil Griffin for his considerable
aid in the formulation of the ASN.1 structures for this document.
7. References
[EESS#1] Efficient Embedded Security Standards (EESS) #1: [EESS#1] Efficient Embedded Security Standards (EESS) #1:
Implementation Aspects of NTRU and NSS, Draft Version 3, July 9, Implementation Aspects of NTRU and NTRUSign, Draft Version 4, March
2001, Consortium for Efficient Embedded Security Standards, 2002, Consortium for Efficient Embedded Security Standards,
Available at http://www.ceesstandards.org. Available at http://www.ceesstandards.org.
[FIPS180-1] FIPS PUB 180-1, Secure Hash Standard, Federal [FIPS180-1] FIPS PUB 180-1, Secure Hash Standard, Federal
Information Processing Standards Publication 180-1, U.S. Department Information Processing Standards Publication 180-1, U.S. Department
of Commerce/National Institute of Standards and Technology, National of Commerce/National Institute of Standards and Technology, National
Technical Information Service, Springfield, Virginia, April 17, 1995 Technical Information Service, Springfield, Virginia, April 17, 1995
(supersedes FIPS PUB 180). Available at (supersedes FIPS PUB 180). Available at
http://www.itl.nist.gov/div897/pubs/fip180-1.htm. http://www.itl.nist.gov/div897/pubs/fip180-1.htm.
[FIPS180-2] Draft FIPS PUB 180-2, Secure Hash Standard, Federal [FIPS180-2] Draft FIPS PUB 180-2, Secure Hash Standard, Federal
skipping to change at page 23, line 37 skipping to change at page 22, line 44
Public-Key Cryptography, IEEE Computer Society, New York, NY, August Public-Key Cryptography, IEEE Computer Society, New York, NY, August
2000, Institute of Electrical and Electronics Engineers 2000, Institute of Electrical and Electronics Engineers
[P1363.1] IEEE Draft Standard P1363.1 D2: IEEE Standard [P1363.1] IEEE Draft Standard P1363.1 D2: IEEE Standard
Specifications for Public-Key Cryptographic Techniques Based on Hard Specifications for Public-Key Cryptographic Techniques Based on Hard
Problems over Lattices, Draft 2, May 2001, Available at Problems over Lattices, Draft 2, May 2001, Available at
http://grouper.ieee.org/groups/1363. http://grouper.ieee.org/groups/1363.
[PKIX-ALGS] L. Bassham, R. Housley, W. Polk, "Algorithms and [PKIX-ALGS] L. Bassham, R. Housley, W. Polk, "Algorithms and
Identifiers for the Internet X.509 Public Key Infrastructure Identifiers for the Internet X.509 Public Key Infrastructure
Certificate and CRL Profile", draft-ietf-pkix-pkalgs-03.txt, July Certificate and CRL Profile", draft-ietf-pkix-pkalgs-05.txt, October
2001 2001
[RFC2026] S. Bradner, "The Internet Standards Process", IETF RFC [RFC2026] S. Bradner, "The Internet Standards Process", IETF RFC
2026, October 1996 2026, October 1996
[RFC2119] S. Bradner, "Key Words for Use in RFCs to Indicate [RFC2119] S. Bradner, "Key Words for Use in RFCs to Indicate
Requirement Levels", IETF RFC 2119, March 1997 Requirement Levels", IETF RFC 2119, March 1997
[RFC2459] R. Housley, W. Ford, W. Polk and D. Solo, "Internet X.509 [RFC2459] R. Housley, W. Ford, W. Polk and D. Solo, "Internet X.509
Public Key Infrastructure Certificate and CRL Profile", IETF RFC Public Key Infrastructure Certificate and CRL Profile", IETF RFC
2459, January 1999 2459, January 1999
NTRU Algorithms and Identifiers February 2002
Authors' Addresses Authors' Addresses
Ari Singer Ari Singer
NTRU NTRU
5 Burlington Woods Phone: 1-781-418-2500 5 Burlington Woods Phone: 1-781-418-2500
Burlington, MA 01803, USA Email: asinger@ntru.com Burlington, MA 01803, USA Email: asinger@ntru.com
William Whyte William Whyte
NTRU NTRU
 End of changes. 177 change blocks. 
526 lines changed or deleted 480 lines changed or added