Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sntrup761 prime sharedKeyBytes value not correct? #1554

Closed
norrisjeremy opened this issue Dec 21, 2023 · 5 comments
Closed

sntrup761 prime sharedKeyBytes value not correct? #1554

norrisjeremy opened this issue Dec 21, 2023 · 5 comments

Comments

@norrisjeremy
Copy link

I am a co-maintainer of JSch & recently I began working on integrating support for the sntrup761x25519-sha512@openssh.com KEX algorithm using Bouncy Castle's SNTRUPrime implementation.

However, I have hit a roadblock, as it appears the sntrup761 sharedKeyBytes value is defined as 16 bytes, as seen at

bc-java/core/src/main/java/org/bouncycastle/pqc/crypto/ntruprime/SNTRUPrimeParameters.java

Lines 13 to 14 in 1cae543

public static final SNTRUPrimeParameters sntrup761 = new SNTRUPrimeParameters("sntrup761", 761, 4591, 286,
1158, 1007, 1158, 1763, 16);

This differs from OpenSSH's implementation, which defines it as 32 bytes, as seen at https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/crypto_api.h#L45-L48

Is there a reason that Bouncy Castle defines the sharedKeyBytes value as 16 bytes instead of 32 bytes?
The Open Quantum Safe site seems to also define the shared secret size as 32 bytes, agreeing with OpenSSH's definition?
@norrisjeremy
Copy link
Author

FYI, using the following, the sntrup761x25519-sha512@openssh.com I've authored for JSch works with OpenSSH:

  static SNTRUPrimeParameters sntrup761() {
    try {
      Constructor<SNTRUPrimeParameters> c =
          SNTRUPrimeParameters.class.getDeclaredConstructor(String.class, int.class, int.class,
              int.class, int.class, int.class, int.class, int.class, int.class);
      c.setAccessible(true);
      return c.newInstance("sntrup761", 761, 4591, 286, 1158, 1007, 1158, 1763, 32);
    } catch (Throwable t) {
      return null;
    }
  }

@dghgit
Copy link
Contributor

dghgit commented Dec 22, 2023

Originally we restricted the size of the shared secret to the strength of the security properties as while the test vectors all used 256 bit values there was no guidance around whether this was actually going to happen in the final draft.

So the rule has since come down that it's always 256 bits regardless of the security strength. We have updated NTRU already to follow this, I'll do the same for NTRUPrime.

@norrisjeremy
Copy link
Author

@dghgit,

Great, thank you for the update!

Thanks,
Jeremy

@norrisjeremy norrisjeremy mentioned this issue Dec 22, 2023
Merged
@dghgit
Copy link
Contributor

dghgit commented Dec 23, 2023

I've deployed a new beta with the changes now as well - you'll find it at https://www.bouncycastle.org/betas The change is in beta 178b03 or later.

@norrisjeremy
Copy link
Author

HI @dghgit,

I've tested with the 178b03 beta and can confirm it works with OpenSSH, thanks!

Thanks,
Jeremy

vanitasvitae pushed a commit to pgpainless/bc-java that referenced this issue Jan 2, 2024
@dghgit
moved NTRUPrime to always produce 256 bit secrets - relates to github b…
db3ae60 
…cgit#1554
@quic-nasserg quic-nasserg mentioned this issue Aug 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cipherboy @dghgit @norrisjeremy