Version 7 (Andreas Steffen, 02.03.2014 12:16) → Version 8/20 (Andreas Steffen, 02.03.2014 12:20)
h1. NTRU
NTRU is a lattice-based post-quantum encryption algorithm owned by "Security Innovation":https://www.securityinnovation.com/products/encryption-libraries/ntru-cryptography.html. Our implementation of the ntru plugin has been derived from the "ntru-crypto":https://github.com/NTRUOpenSourceProject/ntru-crypto C source code made available by Security Innovation under the GNU GPLv2 open source license. NTRU has been standardized by *IEEE Std 1363.1-2008* and *ANSI X9.98-2010*.
h2. NTRU Encryption used in IKE Key Exchange
The strongSwan *ntru* plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:
* The IKE initiator generates a random NTRU public/private key pair for the specified security strength.
* The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.
* The IKE responder generates a random secret _s_ with a size of twice the security strength and encrypts it with the NTRU public key.
* The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator.
* The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret _s_.
* With IKEv2 both initiator and responder use the secret _s_ to compute
<pre>
SKEYSEED = prf(Ni | Nr, s)
</pre>
* With IKEv1 both initiator and responder use the secret _s_ to compute
<pre>
SKEYID = prf(Ni_b | Nr_b, s) # for authby=pubkey, i.e. public key signatures
SKEYID = prf(pre-shared-key, Ni_b | Nr_b) # for authby=psk, i.e. pre-shared keys
SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)
SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)
SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)
</pre>
h2. Configuration Options
NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits for which strongSwan assigns the following key exchange algorithm keywords:
|Keyword |DH Group |Strength |
|*ntru112* |=. 1030 |>.112 bits |
|*ntru128* |=. 1031 |>.128 bits |
|*ntru192* |=. 1032 |>.192 bits |
|*ntru256* |=. 1033 |>.256 bits |
Thus an example IKE algorithm definition in _/etc/ipsec.conf_ for a security strength of 128 bits is
<pre>
ike=aes128-sha256-ntru128
</pre>
or for a security strength of 192 bits
<pre>
ike=aes192-sha384-ntru192
</pre>
and for a security strength of 256 bits
<pre>
ike=aes256-sha512-ntru256
</pre>
Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID *must* be sent by the charon daemon. This can be enabled by the following statement in _/etc/strongswan.conf_:
<pre>
charon {
    send_vendor_id = yes
}
</pre>
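A configuration check for the requirement above, as an added example (not part of strongSwan): it finds NTRU keywords in @ike=@ lines and reports them when @send_vendor_id@ is not enabled directly inside the @charon@ section. The function names and sample configs are constructed, and the parser only handles one section opener or setting per line.

```python
import re

# Keyword -> (private-use DH group transform ID, strength in bits), from the table above.
NTRU_GROUPS = {"ntru112": (1030, 112), "ntru128": (1031, 128),
               "ntru192": (1032, 192), "ntru256": (1033, 256)}

def ntru_proposals(ipsec_conf):
    """Return (proposal, keyword, group_id, bits) for each NTRU keyword in ike= lines."""
    found = []
    for raw in ipsec_conf.splitlines():
        m = re.match(r"ike\s*=\s*(.+)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        for proposal in m.group(1).strip().rstrip("!").split(","):
            for token in proposal.strip().split("-"):
                if token in NTRU_GROUPS:
                    found.append((proposal.strip(), token) + NTRU_GROUPS[token])
    return found

def sends_vendor_id(strongswan_conf):
    """True if send_vendor_id is enabled directly inside the charon { } section."""
    path, enabled = [], False
    for raw in strongswan_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        opened = re.match(r"([\w-]+)\s*\{$", line)
        if opened:
            path.append(opened.group(1))
        elif line == "}" and path:
            path.pop()
        elif path == ["charon"]:
            m = re.match(r"send_vendor_id\s*=\s*(\S+)$", line)
            if m:
                enabled = m.group(1).lower() in ("yes", "true", "enabled", "1")
    return enabled

def check(ipsec_conf, strongswan_conf):
    """List one finding per NTRU proposal that lacks the required vendor ID setting."""
    if sends_vendor_id(strongswan_conf):
        return []
    return ["%s: group %d (%s) is private-use, set charon.send_vendor_id = yes"
            % (p, gid, kw) for p, kw, gid, _ in ntru_proposals(ipsec_conf)]

# Constructed sample configs: one NTRU proposal, one correct and one misplaced setting.
SAMPLE_IPSEC = "conn home\n    ike=aes128-sha256-ntru128,aes256-sha512-modp2048!\n"
SAMPLE_OK = "charon {\n    send_vendor_id = yes\n}\n"
SAMPLE_MISSING = "charon {\n    plugins {\n        send_vendor_id = yes\n    }\n}\n"
```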
h2. Building the NTRU Plugin
The compilation of the NTRU plugin is enabled with the option
<pre>
./configure --enable-ntru ...
</pre>