[PATCH] Add Streamlined NTRU Prime sntrup761.

Simon Josefsson simon at josefsson.org
Mon May 15 16:02:39 CEST 2023


See attached patch that adds sntrup761.  What do you think?

My use case is to enable implementation of OpenSSH's
sntrup761x25519-sha512 in libssh/libssh2.

Specific open issues:

- Documentation

- Benchmarking self-test

- Self-tests that validate test vectors

   Not trivial because the algorithm is randomized, so we would have to
   use deterministic randomness somehow -- and to use an deterministic
   algorithm for which there exists sntrup761 test vectors (DRBG-CTR is
   the only one I am aware of, but far from ideal).

- API design

   - Are gcry_kem_open/gcry_kem_close useful?  They complicate
     implementation for no gain for sntrup761, but could be useful for
     other KEM's, OTOH they may just complicate it for all KEM's since I
     believe the KEM APIs are fairly established these days.

   - The pubkey parameter for KEM-Enc could be stored in the handle, as
     could the seckey parameter for KEM-Dec.  This would make the
     gcry_kem_open/gcry_kem_close more useful, however it would mean
     more memory zeroization issues.

   - The #define's for output lengths could be functions, similar to
     other libgcrypt APIs.  This makes it harder to use statically
     allocated buffers, so I think the current #define's are useful.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-Streamlined-NTRU-Prime-sntrup761.patch
Type: text/x-diff
Size: 41181 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230515/5e4b75fb/attachment-0001.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230515/5e4b75fb/attachment-0001.sig>

More information about the Gcrypt-devel mailing list