Thanks for reviewing this!

Niels Möller <[email protected]> writes:

> Simon Josefsson <[email protected]> writes:
>
>> This adds sntrup761, what do you think?
>
> What's the context/usecase? I saw some mails on the ietf-ssh list, but
> it was a bit unclear to me what the status of this algorithm is.

Sntrup761 has been used by default in OpenSSH (hybrid with X25519) for
some years now, and they are committed to supporting it for many more
years. The ietf-ssh posts were about documenting that protocol.

My context for wanting it in Nettle is to reduce code duplication for
other projects that will end up implementing it too. Unfortunately I
think we'll need to add native sntrup761 code to some other projects
anyway, until Nettle with sntrup761 is widely available.

> In general, it makes sense to add support for post-quantum key exchange
> methods, another candidate seems to be https://classic.mceliece.org/
> (with the drawback of much larger pubkeys).

+1

>> Please consider it a first iteration for early review.
>
> I initially looked at the arithmetic. The signed (int32) sorting and
> division seem unused?

Do you mean crypto_sort_int32? It is called by crypto_sort_uint32.

> For the side-channel silent divmod function, it seems we divide
> exclusively with one or a few constants, then we could precompute
> needed constants and perhaps simplify a bit.

Possibly - this is reference code and supports other sntrup lengths.
Supporting multiple lengths often leads to complexity, which leads to
reduced security. As far as I can tell, the non-sntrup761 lengths were
insisted upon by NIST. So the answer depends on whether we want to
allow this code to be re-used for other sntrup lengths too. Also, do we
want to deviate from audited implementations?

My take was that it would be nice to add sntrup761 to Nettle ASAP to
stabilize the API and establish support for the algorithm -- we can
optimize or improve the implementation later on (there are many
optimized implementations around for different architectures out
there).

The patch I posted is similar to the reference code that is also used
by OpenSSH.

/Simon
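The two arithmetic points raised in the exchange above (an unsigned constant-time sort layered on a signed one, and a side-channel-silent divmod whose per-divisor constant can be precomputed when the divisor is fixed) as one added, self-contained C example. This is not Nettle, OpenSSH or the sntrup761 reference code; the function names (ct_minmax_int32, ct_sort_int32, ct_sort_uint32, ct_divmod_u32), the odd-even transposition network, and the check inputs in the demo functions are my own choices and are labelled as such in the comments. The divmod goes slightly beyond the thread's case: it works for any divisor in [1, 2^31), not only sntrup761's q = 4591.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Nettle/OpenSSH/reference code): constant-time
 * helpers in the spirit of the sntrup761 reference arithmetic. */

/* Branch-free compare-and-swap: afterwards *a <= *b.  The sign bit of
 * b - a is only trustworthy when a and b have the same sign; when the
 * signs differ (top bit of ab set) the sign of b alone decides, which is
 * what the "ab & (c ^ ub)" step selects.  All arithmetic is unsigned so
 * the wrap-around is well defined. */
static void ct_minmax_int32(int32_t *a, int32_t *b)
{
    uint32_t ua = (uint32_t)*a, ub = (uint32_t)*b;
    uint32_t ab = ua ^ ub;
    uint32_t c = ub - ua;                      /* wraps, never UB */
    c ^= ab & (c ^ ub);                        /* signs differ: sign of b */
    uint32_t mask = (0u - (c >> 31)) & ab;     /* all ones iff b < a */
    *a = (int32_t)(ua ^ mask);
    *b = (int32_t)(ub ^ mask);
}

/* Odd-even transposition sorting network: n passes over fixed
 * compare-exchange pairs, so neither the operation sequence nor the
 * memory access pattern depends on the data.  O(n^2), acceptable for
 * n = 761-sized inputs; the reference uses a faster network. */
static void ct_sort_int32(int32_t *x, size_t n)
{
    for (size_t pass = 0; pass < n; pass++)
        for (size_t j = pass & 1; j + 1 < n; j += 2)
            ct_minmax_int32(&x[j], &x[j + 1]);
}

/* Unsigned sort layered on the signed one: flipping the top bit maps
 * unsigned order onto two's-complement signed order and back. */
static void ct_sort_uint32(uint32_t *x, size_t n)
{
    for (size_t j = 0; j < n; j++) x[j] ^= 0x80000000u;
    ct_sort_int32((int32_t *)x, n);
    for (size_t j = 0; j < n; j++) x[j] ^= 0x80000000u;
}

/* Constant-time x / d and x % d for 1 <= d < 2^31.  m = floor(2^32 / d)
 * depends only on the divisor, so for a fixed modulus such as q = 4591
 * it folds to a compile-time constant.  floor(x*m / 2^32) is either the
 * true quotient or one less, so a single branch-free correction suffices. */
static uint32_t ct_divmod_u32(uint32_t x, uint32_t d, uint32_t *rem)
{
    uint64_t m = ((uint64_t)1 << 32) / d;              /* precomputable */
    uint32_t q = (uint32_t)(((uint64_t)x * m) >> 32);
    uint32_t r = x - q * d;                             /* 0 <= r < 2d */
    /* d - 1 - r is negative exactly when r >= d; since |d - 1 - r| < 2^31
     * for the allowed d, its top bit is the correction mask. */
    uint32_t mask = 0u - ((d - 1 - r) >> 31);
    q += mask & 1u;
    r -= mask & d;
    *rem = r;
    return q;
}

/* Constructed check inputs for the demo; q = 4591 is sntrup761's modulus. */
static int demo_divmod_ok(void)
{
    uint32_t r, q;
    int ok = 1;
    q = ct_divmod_u32(4591u * 7u + 123u, 4591u, &r);
    ok &= (q == 7u && r == 123u);
    q = ct_divmod_u32(0xFFFFFFFFu, 3u, &r);
    ok &= (q == 1431655765u && r == 0u);
    q = ct_divmod_u32(0xFFFFFFFFu, 0x7FFFFFFFu, &r);
    ok &= (q == 2u && r == 1u);
    for (uint32_t x = 0; x < 20000u && ok; x++) {      /* cross-check */
        q = ct_divmod_u32(x, 4591u, &r);
        ok &= (q == x / 4591u && r == x % 4591u);
    }
    return ok;
}

static int demo_sort_ok(void)
{
    int32_t s[] = { 5, -2147483647 - 1, 7, -1, 2147483647, 0, 3 };
    uint32_t u[] = { 5u, 0xFFFFFFFFu, 7u, 0x80000000u, 0u, 3u };
    size_t i;
    ct_sort_int32(s, sizeof s / sizeof s[0]);
    for (i = 1; i < sizeof s / sizeof s[0]; i++)
        if (s[i - 1] > s[i]) return 0;
    ct_sort_uint32(u, sizeof u / sizeof u[0]);
    for (i = 1; i < sizeof u / sizeof u[0]; i++)
        if (u[i - 1] > u[i]) return 0;
    return s[0] == (-2147483647 - 1) && u[5] == 0xFFFFFFFFu;
}

int main(void)
{
    printf("divmod %s, sort %s\n", demo_divmod_ok() ? "ok" : "FAIL",
           demo_sort_ok() ? "ok" : "FAIL");
    return 0;
}
```

The point of the example is structural: once the divisor is a fixed constant, the reciprocal m is data-independent and the only value-dependent work is one masked add/subtract, which is the simplification Niels is pointing at; the sort shows why an int32 sort is still needed even if only uint32 sorting is called from the outside.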
_______________________________________________
nettle-bugs mailing list -- [email protected]
To unsubscribe send an email to [email protected]
