NTRU¶

NTRU is a lattice-based post-quantum encryption algorithm owned by Security Innovation. Our implementation of the ntru plugin has been derived from the ntru-crypto C source code made available by Security Innovations under the GNU GPLv2 open source license.

NTRU has been standardized by IEEE Std 1363.1-2008 and ANSI X9.98-2010. NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits. The strongSwan ntru plugin uses NTRU encryption as an IKEv1|IKEv2 key exchange algorithm in the following way:

• The IKE initiator generates a random NTRU public/private key pair for the specified security strength.

• The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.

• The IKE responder generates a random secret s with a size of twice the security strength and encrypts it with the NTRU public key.

• The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator

• The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret s.

• With IKEv2 both initiator and responder use the secret s to compute
  

  SKEYSEED = prf(Ni | Nr, s)
  

• With IKEv1 both initiator and responder use the secret s to compute
  

  SKEYID = prf(Ni_b | Nr_b, s)               # for authby=pubkey i.e. public key signatures
  SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys
  
  SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)
  SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)
  SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)