Project

General

Profile

NTRU

NTRU is a lattice-based post-quantum encryption algorithm owned by Security Innovation. Our implementation of the ntru plugin has been derived from the ntru-crypto C source code made available by Security Innovations under the GNU GPLv2 open source license. NTRU Encryption has been standardized by IEEE Std 1363.1-2008 and ANSI X9.98-2010.

NTRU Encryption as an IKE Key Exchange Mechanism

The strongSwan ntru plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:

  • The IKE initiator generates a random ephemeral NTRU public/private key pair for the specified security strength.
  • The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.
  • The IKE responder generates a random secret s with a size of twice the security strength and encrypts it with the NTRU public key.
  • The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator
  • The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret s.
  • With IKEv2 both initiator and responder use the secret s to compute
    SKEYSEED = prf(Ni | Nr, s)
    
  • With IKEv1 both initiator and responder use the secret s to compute
    SKEYID = prf(Ni_b | Nr_b, s)               # for authby=pubkey i.e. public key signatures
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys
    
    SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)
    

Configuration Options

NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits for which strongSwan assigns the following key exchange algorithm keywords:

Keyword DH Group Strength
ntru112 1030 112 bits
ntru128 1031 128 bits
ntru192 1032 192 bits
ntru256 1033 256 bits

Thus an example IKE algorithm definition in /etc/ipsec.conf for a security strength of 128 bits is

ike=aes128-sha256-ntru128

or for a security strength of 192 bits
ike=aes192-sha384-ntru192

and for a security strength of 256 bits
ike=aes256-sha512-ntru256

Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID must be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:

charon {
  send_vendor_id = yes
}

By default strongSwan uses NTRU parameters optimized for both size and speed by Security Innovation. If compatibility with the ANSI X9.98-2010 standard is needed, the following NTRU parameter sets can be configured in strongswan.conf

charon {
  plugins {
    ntru {
      parameter_set = x9_98_speed|x9_98_bandwidth|x9_98_balance|optimum
    }
  }
}

where x9_98_speed optimizes the NTRU parameters for processing speed, x9_98_bandwidth for network bandwidth, i.e. minimizes the IKE key exchange payload size which helps to prevent IKE datagram fragmentation, x9_98_balance is a mix of the two previous options, and optimum being the default and based on a product form of trinary polynomials is both the fastest and most compact option. Details on the NTRU parameters can be found here.

Building the NTRU Plugin

The compilation of the NTRU plugin is enabled with the option

./configure --enable-ntru ... 

NTRU Example Scenarios