[PATCH] Add Streamlined NTRU Prime sntrup761.
Simon Josefsson
simon at josefsson.org
Fri May 19 23:37:31 CEST 2023

Werner Koch via Gcrypt-devel <gcrypt-devel at gnupg.org> writes:
> I have not yet analyzed your needs but I think that this new API is not
> needed because we have KEM functions already implemented in the pubkey
> API.
Do you mean these?
 -- Function: gcry_error_t gcry_pk_genkey (gcry_sexp_t *R_KEY,
          gcry_sexp_t PARMS)
 -- Function: gcry_error_t gcry_pk_encrypt (gcry_sexp_t *R_CIPH,
          gcry_sexp_t DATA, gcry_sexp_t PKEY)
 -- Function: gcry_error_t gcry_pk_decrypt (gcry_sexp_t *R_PLAIN,
          gcry_sexp_t DATA, gcry_sexp_t SKEY)
I think these are poorly suited for modern KEMs like sntrup761.  They
are all byte-oriented now, not MPI/sexp.  KEMs' use of public/private
keys is ephemeral, like Diffie-Hellman, so they are different from
long-term keys.  I think this is comparable to the separate APIs
introduced for X25519:
 -- Function: gpg_error_t gcry_ecc_mul_point (int CURVEID,
          unsigned char *RESULT, const unsigned char *SCALAR,
          const unsigned char *POINT)
Using MPIs to store byte values led to a security concern in RFC 8731,
since MPIs encode different byte values with different lengths depending
on the content.  I haven't checked whether libgcrypt would be vulnerable to
the same problem, but type-overloading is not safe.
Maybe you could take a second look at the API I proposed below?  It
matches the API that several modern KEMs use.  Yes, this would make
KEMs a special animal that is not compatible with other
public/private-key stuff in libgcrypt, but I think that is actually a
good thing.
/* Algorithm identifiers for the KEM API. */
enum gcry_kem_algos
  {
    GCRY_KEM_SNTRUP761 = 761,
  };

/* Fixed buffer sizes, in bytes, for sntrup761.  Callers allocate
   buffers of exactly these sizes; no length is passed or returned. */
#define GCRY_KEM_SNTRUP761_SECRETKEY_SIZE 1763
#define GCRY_KEM_SNTRUP761_PUBLICKEY_SIZE 1158
#define GCRY_KEM_SNTRUP761_CIPHERTEXT_SIZE 1039
#define GCRY_KEM_SNTRUP761_SHAREDSECRET_SIZE 32

/* Generate a fresh key pair, writing the public key to PUBKEY and the
   secret key to SECKEY. */
gcry_error_t gcry_kem_keypair (int algo,
                               void *pubkey,
                               void *seckey);

/* Encapsulate: given PUBKEY, write a ciphertext to CIPHERTEXT and the
   shared secret to SS. */
gcry_error_t gcry_kem_enc (int algo,
                           const void *pubkey,
                           void *ciphertext,
                           void *ss);

/* Decapsulate: given CIPHERTEXT and SECKEY, recover the shared secret
   into SS. */
gcry_error_t gcry_kem_dec (int algo,
                           const void *ciphertext,
                           const void *seckey,
                           void *ss);
/Simon
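The length-leak concern raised in the message above, demonstrated as an added example (this is not code from the mail and not libgcrypt code). It assumes the SSH mpint rules from RFC 4251 section 5 (big-endian, minimal length, a 0x00 sign byte when the top bit of the first byte is set); the constant SS_LEN, the helper names and the 32-byte sample secrets are constructed for the demonstration. The encoded length of an mpint moves with the leading bytes of the secret, while a fixed-width byte encoding, the shape a byte-oriented KEM API produces, never does.

```c
/* Added example: MPI/mpint encoding of a fixed-size KEM shared secret
 * leaks information through its length; a fixed-width string does not.
 * Encoding rules follow the SSH "mpint" type from RFC 4251, section 5.
 * SS_LEN mirrors the 32-byte shared-secret size of the proposed API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SS_LEN 32   /* assumed: same as GCRY_KEM_SNTRUP761_SHAREDSECRET_SIZE */

/* Encode the non-negative big-endian integer in[0..n) as an SSH mpint:
 * 4-byte big-endian length, optional 0x00 sign byte, then the significant
 * bytes.  out must hold at least n + 5 bytes.  Returns bytes written. */
size_t ssh_mpint_encode(const uint8_t *in, size_t n, uint8_t *out)
{
    size_t skip = 0;
    while (skip < n && in[skip] == 0)   /* minimal encoding: drop leading zeros */
        skip++;
    size_t body = n - skip;
    size_t pad = (body > 0 && (in[skip] & 0x80)) ? 1 : 0; /* sign byte if top bit set */
    uint32_t len = (uint32_t)(body + pad);

    out[0] = (uint8_t)(len >> 24);
    out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    if (pad)
        out[4] = 0x00;
    memcpy(out + 4 + pad, in + skip, body);
    return 4 + len;
}

/* Encode the same bytes as an SSH "string" (4-byte length + raw bytes).
 * The length depends only on n, never on the content.  out must hold at
 * least n + 4 bytes.  Returns bytes written. */
size_t ssh_string_encode(const uint8_t *in, size_t n, uint8_t *out)
{
    uint32_t len = (uint32_t)n;
    out[0] = (uint8_t)(len >> 24);
    out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
    memcpy(out + 4, in, n);
    return 4 + n;
}

/* Constructed sample: a 32-byte shared secret whose first two bytes are
 * b0, b1 and whose remaining bytes are 0x42.  Returns its mpint length. */
size_t mpint_len_for_prefix(uint8_t b0, uint8_t b1)
{
    uint8_t ss[SS_LEN];
    uint8_t buf[SS_LEN + 5];
    memset(ss, 0x42, sizeof ss);
    ss[0] = b0;
    ss[1] = b1;
    return ssh_mpint_encode(ss, SS_LEN, buf);
}

/* Same constructed secret, encoded as a fixed-width string. */
size_t string_len_for_prefix(uint8_t b0, uint8_t b1)
{
    uint8_t ss[SS_LEN];
    uint8_t buf[SS_LEN + 4];
    memset(ss, 0x42, sizeof ss);
    ss[0] = b0;
    ss[1] = b1;
    return ssh_string_encode(ss, SS_LEN, buf);
}

int main(void)
{
    const uint8_t prefixes[][2] = {
        {0x80, 0x42}, /* top bit set: sign byte added, 37 bytes   */
        {0x42, 0x42}, /* plain case, 36 bytes                     */
        {0x00, 0x42}, /* one leading zero stripped, 35 bytes      */
        {0x00, 0x00}, /* two leading zeros stripped, 34 bytes     */
    };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        printf("ss starts %02x %02x: mpint %zu bytes, string %zu bytes\n",
               prefixes[i][0], prefixes[i][1],
               mpint_len_for_prefix(prefixes[i][0], prefixes[i][1]),
               string_len_for_prefix(prefixes[i][0], prefixes[i][1]));
    return 0;
}
```

Each leading zero byte of the secret shortens the mpint by one byte, and a set top bit lengthens it by one, so the wire length of an mpint-wrapped secret reveals a few bits about the secret to anyone who can observe packet sizes; with the fixed-size string the length is always SS_LEN + 4. A byte-oriented KEM API with fixed buffer sizes keeps the caller on the right side of that distinction by never producing an integer object in the first place.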