NTRU
NTRU is a lattice-based post-quantum encryption algorithm owned by Security Innovation. Our implementation of the ntru plugin has been derived from the ntru-crypto C source code made available by Security Innovation under the GNU GPLv2 open source license. NTRU Encryption has been standardized by IEEE Std 1363.1-2008 and ANSI X9.98-2010.
NTRU Encryption as an IKE Key Exchange Mechanism
The strongSwan ntru plugin uses NTRU encryption as an IKE key exchange algorithm in the following way:
- The IKE initiator generates a random ephemeral NTRU public/private key pair for the specified security strength.
- The IKE initiator sends the NTRU public key in the KEi payload to the IKE responder.
- The IKE responder generates a random secret s with a size of twice the security strength and encrypts it with the NTRU public key.
- The IKE responder sends the encrypted secret in the KEr payload to the IKE initiator.
- The IKE initiator decrypts the KEr payload using the NTRU private key and extracts the secret s.
- With IKEv2 both initiator and responder use the secret s to compute
  SKEYSEED = prf(Ni | Nr, s)
- With IKEv1 both initiator and responder use the secret s to compute
  SKEYID   = prf(Ni_b | Nr_b, s)               # for authby=pubkey, i.e. public key signatures
  SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)  # for authby=psk, i.e. pre-shared keys
  SKEYID_d = prf(SKEYID, s | CKY-I | CKY-R | 0)
  SKEYID_a = prf(SKEYID, SKEYID_d | s | CKY-I | CKY-R | 1)
  SKEYID_e = prf(SKEYID, SKEYID_a | s | CKY-I | CKY-R | 2)
Configuration Options
NTRU parameter sets are defined for security strengths of 112, 128, 192 and 256 bits for which strongSwan assigns the following key exchange algorithm keywords:
| Keyword | DH Group | Strength |
|---------|----------|----------|
| ntru112 | 1030 | 112 bits |
| ntru128 | 1031 | 128 bits |
| ntru192 | 1032 | 192 bits |
| ntru256 | 1033 | 256 bits |
Thus an example IKE algorithm definition in /etc/ipsec.conf for a security strength of 128 bits is
ike=aes128-sha256-ntru128
or for a security strength of 192 bits
ike=aes192-sha384-ntru192
and for a security strength of 256 bits
ike=aes256-sha512-ntru256
Since the Diffie-Hellman Group Transform IDs 1030..1033 selected by the strongSwan project to designate the four NTRU key exchange strengths are taken from the private-use range, the strongSwan vendor ID must be sent by the charon daemon. This can be enabled by the following statement in /etc/strongswan.conf:
charon {
    send_vendor_id = yes
}
By default strongSwan uses NTRU parameters optimized for both size and speed by Security Innovation. If compatibility with the ANSI X9.98-2010 standard is needed, one of the following NTRU parameter sets can be configured in strongswan.conf:
charon {
    plugins {
        ntru {
            parameter_set = x9_98_speed|x9_98_bandwidth|x9_98_balance|optimum
        }
    }
}
where x9_98_speed optimizes the NTRU parameters for processing speed; x9_98_bandwidth for network bandwidth, i.e. it minimizes the IKE key exchange payload size, which helps to prevent IKE datagram fragmentation; x9_98_balance is a mix of the two previous options; and optimum, the default, is based on a product form of trinary polynomials and is both the fastest and the most compact option. Details on the NTRU parameters can be found here.
Building the NTRU Plugin
The compilation of the NTRU plugin is enabled with the option
./configure --enable-ntru ...