NTRU¶

• Table of contents
• NTRU
  • NTRU Encryption as an IKE Key Exchange Mechanism
  • Configuration Options
  • Building the NTRU Plugin
  • NTRU Example Scenarios

NTRU is a lattice-based post-quantum encryption algorithm owned by Security Innovation. Our implementation of the ntru plugin has been derived from the ntru-crypto C source code made available by Security Innovations under the GNU GPLv2 open source license. NTRU Encryption has been standardized by IEEE Std 1363.1-2008 and ANSI X9.98-2010.

NTRU Encryption as an IKE Key Exchange Mechanism¶

The strongSwan ntru plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:

• The IKE initiator generates a random ephemeral NTRU public/private key pair for the specified security strength.

• The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.

• The IKE responder generates a random secret s with a size of twice the security strength and encrypts it with the NTRU public key.

• The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator

• The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret s.

• With IKEv2 both initiator and responder use the secret s to compute
  

  SKEYSEED = prf(Ni | Nr, s)
  

• With IKEv1 both initiator and responder use the secret s to compute
  

  SKEYID = prf(Ni_b | Nr_b, s)               # for authby=pubkey i.e. public key signatures
  SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys
  
  SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)
  SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)
  SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)
  

Configuration Options¶

NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits for which strongSwan assigns the following key exchange algorithm keywords:

Keyword	DH Group	Strength
ntru112	1030	112 bits
ntru128	1031	128 bits
ntru192	1032	192 bits
ntru256	1033	256 bits

Thus an example IKE algorithm definition in /etc/ipsec.conf for a security strength of 128 bits is

ike=aes128-sha256-ntru128

or for a security strength of 192 bits

ike=aes192-sha384-ntru192

and for a security strength of 256 bits

ike=aes256-sha512-ntru256

Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID must be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:

charon {
  send_vendor_id = yes
}

By default strongSwan uses NTRU parameters optimized for both size and speed by Security Innovation. If compatibility with the ANSI X9.98-2010 standard is needed, the following NTRU parameter sets can be configured in strongswan.conf

charon {
  plugins {
    ntru {
      parameter_set = x9_98_speed|x9_98_bandwidth|x9_98_balance|optimum
    }
  }
}

where x9_98_speed optimizes the NTRU parameters for processing speed, x9_98_bandwidth for network bandwidth, i.e. minimizes the IKE key exchange payload size which helps to prevent IKE datagram fragmentation, x9_98_balance is a mix of the two previous options, and optimum being the default and based on a product form of trinary polynomials is both the fastest and most compact option. Details on the NTRU parameters can be found here.

Building the NTRU Plugin¶

The compilation of the NTRU plugin is enabled with the option

./configure --enable-ntru ... 

NTRU Example Scenarios¶

• IKEv2 Net-to-Net with 256 bit strength and certificate-based authentication
• IKEv2 Remote Access with 128/192 bit strength and PSK-based authentication
• IKEv2 Remote Access with 128/192 bit strength and BLISS-based authentication

• IKEv1 Net-to-Net with 256 bit strength and certificate-based authentication
• IKEv1 Remote Access with 128/192 bit strength and PSK-based authentication