[PATCH] Add Streamlined NTRU Prime sntrup761.
Stephan Mueller
smueller at chronox.de
Tue May 16 09:58:40 CEST 2023
On Tuesday, 16 May 2023, 08:56:08 CEST, Simon Josefsson via Gcrypt-devel wrote:
Hi Simon,
> Hi
>
> Attached is a second version of the sntrup761 patch, this time using a
> minimal API that would work for Kyber too (please confirm). Unless we
> know complexity is required, I prefer to keep things minimal.
>
> I've pushed it to:
> https://gitlab.com/jas/libgcrypt/-/commits/jas/sntrup761v2
>
> Below is the added API. Thoughts?
>
> enum gcry_kem_algos
>   {
>     GCRY_KEM_SNTRUP761 = 761,
>   };
>
> #define GCRY_KEM_SNTRUP761_SECRETKEY_SIZE 1763
> #define GCRY_KEM_SNTRUP761_PUBLICKEY_SIZE 1158
> #define GCRY_KEM_SNTRUP761_CIPHERTEXT_SIZE 1039
> #define GCRY_KEM_SNTRUP761_SHAREDSECRET_SIZE 32
>
> gcry_error_t gcry_kem_keypair (int algo,
>                                void *pubkey,
>                                void *seckey);
>
> gcry_error_t gcry_kem_enc (int algo,
>                            const void *pubkey,
>                            void *ciphertext,
>                            void *ss);
May I suggest adding another parameter, size_t ss_len, which shall specify the
caller-requested size of ss?
>
> gcry_error_t gcry_kem_dec (int algo,
>                            const void *ciphertext,
>                            const void *seckey,
>                            void *ss);
Same here.
Kyber uses a KDF as the last step. I am aware of the fact that the Kyber
reference implementation returns 32 bytes statically. However, considering the
use of a true KDF which has the property of a pseudorandom behavior (either
SHAKE256 or AES-CTR is used), the KDF can produce arbitrary amounts of data.
By specifying an ss_len parameter, the caller can directly request the data
that may be needed as a key/IV/MAC key or similar for subsequent cipher
operations.
In [1] and [2], I use such an ss_len parameter which in turn serves me well
for production use cases.
[1] https://github.com/smuellerDD/leancrypto/blob/master/kem/api/lc_kyber.h#L149
[2] https://github.com/smuellerDD/leancrypto/blob/master/kem/api/lc_kyber.h#L167
Thanks a lot
Stephan
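The ss_len idea discussed in this thread, as an added illustration that is not part of the patch or of libgcrypt: the final KEM step is modelled as an XOF-based KDF (assumed construction: SHAKE256 over the raw secret, a label and a hash of the ciphertext; not the sntrup761 or Kyber derivation), so the caller can request key, IV and MAC key material in one call. All sample inputs are constructed, and the function names are hypothetical.

```python
import hashlib

# Constructed sample inputs; these are NOT real sntrup761 or Kyber values.
SAMPLE_RAW_SECRET = bytes(range(32))              # stands in for the KEM core output
SAMPLE_CIPHERTEXT = b"\x00" * 16 + b"\xff" * 16   # stands in for the encapsulation


def kem_shared_secret(raw_secret: bytes, ciphertext: bytes, ss_len: int) -> bytes:
    """Final KEM step as a KDF returning ss_len bytes (assumed construction:
    SHAKE256 over a domain label, the raw secret and SHA3-256(ciphertext))."""
    if ss_len <= 0:
        raise ValueError("ss_len must be positive")
    xof = hashlib.shake_256()
    xof.update(b"kem-ss-v1")                       # domain separation label (assumed)
    xof.update(raw_secret)
    xof.update(hashlib.sha3_256(ciphertext).digest())
    return xof.digest(ss_len)                      # XOF: any requested length


def derive_cipher_material(raw_secret: bytes, ciphertext: bytes,
                           key_len: int = 32, iv_len: int = 12,
                           mac_key_len: int = 32):
    """One call with ss_len = key_len + iv_len + mac_key_len, then split it
    into the material a subsequent AEAD or encrypt-then-MAC step needs."""
    total = key_len + iv_len + mac_key_len
    ss = kem_shared_secret(raw_secret, ciphertext, total)
    key = ss[:key_len]
    iv = ss[key_len:key_len + iv_len]
    mac_key = ss[key_len + iv_len:total]
    return key, iv, mac_key


def fixed_32_is_prefix(raw_secret: bytes, ciphertext: bytes) -> bool:
    """With an XOF as the last step, the static 32-byte output of a reference
    implementation equals the first 32 bytes of any longer request, so adding
    ss_len does not change what callers asking for 32 bytes receive."""
    short = kem_shared_secret(raw_secret, ciphertext, 32)
    longer = kem_shared_secret(raw_secret, ciphertext, 76)
    return short == longer[:32]
```

Because shorter outputs are prefixes of longer ones, material for different purposes must come from a single call with the full ss_len and be split, never from separate calls with different lengths over the same secret.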