Andreas Steffen, 02.03.2014 12:20


NTRU

NTRU is a lattice-based post-quantum encryption algorithm owned by Security Innovation. Our implementation of the ntru plugin has been derived from the ntru-crypto C source code made available by Security Innovation under the GNU GPLv2 open source license. NTRU has been standardized in IEEE Std 1363.1-2008 and ANSI X9.98-2010.

NTRU Encryption used in IKE Key Exchange

The strongSwan ntru plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:

  • The IKE initiator generates a random NTRU public/private key pair for the specified security strength.
  • The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.
  • The IKE responder generates a random secret s with a size of twice the security strength and encrypts it with the NTRU public key.
  • The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator.
  • The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret s.
  • With IKEv2 both initiator and responder use the secret s to compute
    SKEYSEED = prf(Ni | Nr, s)
    
  • With IKEv1 both initiator and responder use the secret s to compute
    SKEYID = prf(Ni_b | Nr_b, s)               # for authby=pubkey, i.e. public key signatures
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys
    
    SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)
    

Configuration Options

NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits for which strongSwan assigns the following key exchange algorithm keywords:

Keyword   DH Group   Strength
ntru112   1030       112 bits
ntru128   1031       128 bits
ntru192   1032       192 bits
ntru256   1033       256 bits

Thus an example IKE algorithm definition in /etc/ipsec.conf for a security strength of 128 bits is

ike=aes128-sha256-ntru128

or for a security strength of 192 bits

ike=aes192-sha384-ntru192

and for a security strength of 256 bits

ike=aes256-sha512-ntru256

Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID must be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:

charon {
  send_vendor_id = yes
}
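
A small lint for the requirement above, as an added example that is not part of the strongSwan project: it finds NTRU keywords in the ike= lines of ipsec.conf and reports them when strongswan.conf does not enable send_vendor_id directly in the charon section. The function names, the simplified line-based parser and the sample input are assumptions made for illustration.

```python
import re

# Keyword -> (private-use DH group transform ID, strength in bits), per the table above.
NTRU_GROUPS = {"ntru112": (1030, 112), "ntru128": (1031, 128),
               "ntru192": (1032, 192), "ntru256": (1033, 256)}
TRUE_VALUES = {"yes", "true", "enabled", "1"}  # boolean "true" spellings in strongswan.conf

def ntru_proposals(ipsec_conf):
    """Return (line_no, keyword, transform_id, bits) for each NTRU keyword in an ike= line."""
    found = []
    for no, line in enumerate(ipsec_conf.splitlines(), 1):
        m = re.match(r"\s*ike\s*=\s*([^#]*)", line)
        if not m:
            continue
        # Proposals are comma-separated, algorithms within one are dash-separated.
        for token in re.split(r"[,\-!\s]+", m.group(1).lower()):
            if token in NTRU_GROUPS:
                found.append((no, token, *NTRU_GROUPS[token]))
    return found

def charon_sends_vendor_id(strongswan_conf):
    """True if send_vendor_id is enabled directly inside the top-level charon section."""
    stack, enabled = [], False
    for line in strongswan_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        opened = re.match(r"([\w\-]+)\s*\{$", line)
        setting = re.match(r"send_vendor_id\s*=\s*(\S+)$", line)
        if opened:
            stack.append(opened.group(1))
        elif line == "}" and stack:
            stack.pop()
        elif setting and stack == ["charon"]:
            enabled = setting.group(1).strip('"').lower() in TRUE_VALUES
    return enabled

def check(ipsec_conf, strongswan_conf):
    """List NTRU proposals that need the strongSwan vendor ID while it is not being sent."""
    if charon_sends_vendor_id(strongswan_conf):
        return []
    return [f"ipsec.conf line {no}: {kw} (DH group {tid}, {bits} bits) requires "
            "charon.send_vendor_id = yes" for no, kw, tid, bits in ntru_proposals(ipsec_conf)]

# Constructed sample input, not taken from a real deployment.
SAMPLE_IPSEC = "conn home\n  ike=aes128-sha256-ntru128,aes256-sha512-modp4096!\n"
SAMPLE_WEAK = "charon {\n  plugins {\n    send_vendor_id = yes\n  }\n}\n"
SAMPLE_FIXED = "charon {\n  send_vendor_id = yes\n}\n"

if __name__ == "__main__":
    print(check(SAMPLE_IPSEC, SAMPLE_WEAK))   # one finding: setting is in the wrong section
    print(check(SAMPLE_IPSEC, SAMPLE_FIXED))  # no findings
```

The parser expects each section opener, closing brace and setting on its own line, as in the strongswan.conf snippet above.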

Building the NTRU Plugin

The compilation of the NTRU plugin is enabled with the option

./configure --enable-ntru ...