Niels Möller <[email protected]> writes:

> Hi,
>
> I'm having a new look at sntrup761, I have rebased the branch based on
> Simon's work, and pushed as branch "sntrup761" in the Nettle
> repository.

Yay! I had forgotten about that. IIRC it was based on OpenSSH extraction from supercop, but I think it should be updated against latest upstream -- https://libntruprime.cr.yp.to/download.html -- although I won't be able to work on it for the next few weeks, so if you happen to have cycles upgrading it would be great.

> And I've reread https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf
> (is that still the main spec?).

Yes.

> I've also added valgrind-based tests for side-channels. It appears key
> generation may have leaks (when I mark the output from the randomness
> generator as secret).

I think this was fixed in latest upstream, or I confuse it with something that sounded similar.

> * Not entirely sure where the sorting comes from (I saw no mention of it
> in the spec). I imagine it's part of generating random values of the
> appropriate types.

Sorting happens during key generation, as part of the (Hash)Shorts conversion (see section 3.3, on lprime, which somewhat confusingly is re-used by sntrup too). I suspect https://sorting.cr.yp.to/ eventually finds its way here too, there is a very recent page with speed comparisons: https://sorting.cr.yp.to/speed.html

/Simon
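Added example (not code from Nettle, OpenSSH, supercop or the NTRU Prime reference implementation) illustrating the point raised above: where the sort comes from and why it matters for the valgrind-based side-channel tests. In the Short sampler of spec section 3.3, p random 32-bit words get their low bits tagged, the words are sorted, and the low two bits of each sorted word become a coefficient in {-1, 0, 1}, so that exactly w coefficients are nonzero at positions determined by the secret random high bits. The sort therefore has to be a fixed network of branch-free compare-swaps (djbsort in the real code); the odd-even transposition network below is a simpler stand-in with the same data-independence property. The parameters p = 761 and w = 286 are the sntrup761 values from the spec; the xorshift generator is a constructed, non-cryptographic stand-in used only to make the demo deterministic.

```c
/* Added example, not code from Nettle or the NTRU Prime reference implementation.
 * Demonstrates the sort-based "Short" sampler of NTRU Prime spec section 3.3
 * with the sntrup761 parameters p = 761, w = 286. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define P 761
#define W 286

/* Branch-free compare-and-swap on unsigned 32-bit values: leaves *a <= *b.
 * The comparison result is turned into a mask with arithmetic only, so the
 * control flow and memory accesses never depend on the (secret) values. */
static void ct_minmax(uint32_t *a, uint32_t *b)
{
    uint32_t x = *a, y = *b;
    int64_t diff = (int64_t)y - (int64_t)x;            /* negative iff y < x */
    uint32_t mask = 0u - (uint32_t)((uint64_t)diff >> 63); /* all-ones iff y < x */
    uint32_t t = mask & (x ^ y);
    *a = x ^ t;
    *b = y ^ t;
}

/* Odd-even transposition sort: n rounds over adjacent pairs. Much slower than
 * djbsort, but like it the sequence of compare-swaps is fixed in advance and
 * independent of the data (a stand-in chosen for clarity, not speed). */
static void ct_sort_u32(uint32_t *v, size_t n)
{
    size_t round, i;
    for (round = 0; round < n; round++)
        for (i = round & 1; i + 1 < n; i += 2)
            ct_minmax(&v[i], &v[i + 1]);
}

/* The Short sampler: from P uniformly random 32-bit words, produce a vector
 * in {-1,0,1}^P with exactly W nonzero entries. */
static void short_from_words(const uint32_t words[P], int8_t out[P])
{
    uint32_t L[P];
    size_t i;
    for (i = 0; i < P; i++) L[i] = words[i];
    /* first W words: clear bit 0, keep bit 1 random -> low bits 00 or 10 */
    for (i = 0; i < W; i++) L[i] &= ~(uint32_t)1;
    /* remaining words: force low bits to 01 */
    for (i = W; i < P; i++) L[i] = (L[i] & ~(uint32_t)2) | 1;
    /* sorting on the random high bits moves the W tagged words to secret positions */
    ct_sort_u32(L, P);
    /* low bits 00 -> -1, 01 -> 0, 10 -> +1 */
    for (i = 0; i < P; i++) out[i] = (int8_t)((int)(L[i] & 3) - 1);
}

/* Constructed xorshift32 generator, used only to make this demo deterministic.
 * It is NOT a CSPRNG; real key generation must draw the words from one. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static void fill_words(uint32_t words[P], uint32_t seed)
{
    uint32_t s = seed ? seed : 1u;   /* xorshift must not start from zero */
    size_t i;
    for (i = 0; i < P; i++) words[i] = xorshift32(&s);
}

/* Number of nonzero coefficients produced from a given seed (must equal W). */
static int short_weight(uint32_t seed)
{
    uint32_t words[P]; int8_t r[P]; int n = 0; size_t i;
    fill_words(words, seed);
    short_from_words(words, r);
    for (i = 0; i < P; i++) n += (r[i] != 0);
    return n;
}

/* 1 if every coefficient is in {-1,0,1}, else 0. */
static int short_is_ternary(uint32_t seed)
{
    uint32_t words[P]; int8_t r[P]; size_t i;
    fill_words(words, seed);
    short_from_words(words, r);
    for (i = 0; i < P; i++) if (r[i] < -1 || r[i] > 1) return 0;
    return 1;
}

/* 1 if the constant-time network actually sorts the words, else 0. */
static int sort_is_correct(uint32_t seed)
{
    uint32_t words[P]; size_t i;
    fill_words(words, seed);
    ct_sort_u32(words, P);
    for (i = 1; i < P; i++) if (words[i - 1] > words[i]) return 0;
    return 1;
}

int main(void)
{
    uint32_t words[P]; int8_t r[P]; size_t i;
    fill_words(words, 0x12345678u);
    short_from_words(words, r);
    printf("weight %d (expected %d); first coefficients:", short_weight(0x12345678u), W);
    for (i = 0; i < 24; i++) printf(" %d", r[i]);
    printf("\n");
    return 0;
}
```

The valgrind-style check described above works by marking `words` as undefined (secret) and letting the tool flag any branch or address computation that depends on them; with `ct_minmax` as written nothing does, whereas a library `qsort` or an `if (y < x)` swap would be reported immediately.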
_______________________________________________
nettle-bugs mailing list -- [email protected]
To unsubscribe send an email to [email protected]
