strongSwan

h1. NTRU

{{>toc}}

NTRU is a lattice-based post-quantum encryption algorithm owned by "Security Innovation":https://www.securityinnovation.com/products/encryption-libraries/ntru-cryptography.html. Our implementation of the ntru plugin has been derived from the "ntru-crypto":https://github.com/NTRUOpenSourceProject/ntru-crypto C source code made available by Security Innovations under the GNU GPLv2 open source license. NTRU has been standardized by *IEEE Std 1363.1-2008* and *ANSI X9.98-2010*.

h2. NTRU Encryption as an IKE Key Exchange Mechanism

The strongSwan *ntru* plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:

 * The IKE initiator generates a random NTRU public/private key pair for the specified security strength.

 * The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.

 * The IKE responder generates a random secret _s_ with a size of twice the security strength and encrypts it with the NTRU public key.

 * The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator

 * The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret _s_.

 * With IKEv2 both initiator and responder use the secret _s_ to compute

<pre>

SKEYSEED = prf(Ni | Nr, s)

</pre>

 * With IKEv1 both initiator and responder use the secret _s_ to compute

<pre>

SKEYID = prf(Ni_b | Nr_b, s)               # for authby=pubkey i.e. public key signatures

SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys

SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)

SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)

SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)

</pre> 

h2. Configuration Options

NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits for which strongSwan assigns the following key exchange algorithm keywords:

|Keyword    |DH Group |Strength   |

|*ntru112*  |=. 1030  |>.112 bits |

|*ntru128*  |=. 1031  |>.128 bits |

|*ntru192*  |=. 1032  |>.192 bits |

|*ntru256*  |=. 1033  |>.256 bits |

Thus an example IKE algorithm definition in _/etc/ipsec.conf_ for a security strength of 128 bits is

<pre>

ike=aes128-sha256-ntru128

</pre>

or for a security strength of 192 bits

<pre>

ike=aes192-sha384-ntru192

</pre>

and for a security strength of 256 bits

<pre>

ike=aes256-sha512-ntru256

</pre>

Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID *must* be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:

<pre>

charon {

  send_vendor_id = yes

}

</pre> 

By default strongSwan uses NTRU parameters optimized for both size and speed by "Security Innovations":https://www.securityinnovation.com/products/encryption-libraries/ntru-cryptography.html. If compatibility with the *ANSI X9.98-2010* standard is needed than the following NTRU parameter sets can be configured in _strongswan.conf_ 

<pre>

charon {

  plugins {

    ntru {

      parameter_set = x9_98_speed|x9_98_bandwidth|x9_98_balance|optimum

    }

  }

}

</pre>

where *x9_98_speed* optimizes the NTRU parameters for processing speed, *x9_98_bandwidth* for network bandwidth, i.e. IKE key exchange size which helps to prevent IKE datagram fragmentation, *x9_98_balance* is a mix of the two previous options, and *optimum* being the default and based on a product form of trinary polynomials is both the fastest and most compact option. Details on the NTRU parameters can be found "here":https://github.com/NTRUOpenSourceProject/ntru-crypto/blob/master/reference-code/C/Encrypt/doc/UserNotes-NTRUEncrypt.pdf.

h2. Building the NTRU Plugin

The compilation of the NTRU plugin is enabled with the option

<pre>

./configure --enable-ntru ... 

</pre>

h2. NTRU Example Scenarios

 * "IKEv2 Net-to-Net with 256 bit strength and certificate-based authentication":http://www.strongswan.org/uml/testresults/ikev2/net2net-ntru-cert/

 * "IKEv2 Remote Access with 128/192 bit strength and PSK-based authentication":http://www.strongswan.org/uml/testresults/ikev2/rw-ntru-psk/

 * "IKEv1 Net-to-Net with 256 bit strength and certificate-based authentication":http://www.strongswan.org/uml/testresults/ikev1/net2net-ntru-cert/

 * "IKEv1 Remote Access with 128/192 bit strength and PSK-based authentication":http://www.strongswan.org/uml/testresults/ikev1/rw-ntru-psk/