Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <simon@josefsson.org>
X-Debbugs-Cc: debian-devel@lists.debian.org
* Package name : libntruprime
Version : 20240825
Upstream Author: Daniel J. Bernstein
* URL : https://libntruprime.cr.yp.to/
* License : LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MIT
Programming Lang: C
Description : Streamlined NTRU Prime (sntrup) microlibrary
libntruprime is a microlibrary for the Streamlined NTRU Prime
cryptosystem. Streamlined NTRU Prime (sntrup) is a lattice-based
cryptosystem with the following features:
- Stability: Almost all details of sntrup match a May 2016
publication. The only exceptions are small changes to encoding and
hashing published in April 2019.
- Patent-freeness: April 2019 predates almost all post-quantum
patents. Analyses of various lattice patents filed before April 2019
indicate no problems for sntrup.
- Deployment: The popular OpenSSH tool switched to sntrup761 by default
in April 2022, following initial integration of sntrup into TinySSH.
- Affordability: Keys and ciphertexts are about 1KB for sntrup761, and
computations are fast.
- Careful design: Subject to the requirement of being a small
lattice-based cryptosystem, sntrup is systematically designed to
eliminate unnecessary complications in security review. It eliminates
decryption failures, for example, and eliminates cyclotomics. The
cryptosystem has never needed a security patch.
- Risk management: A much higher sntrup1277 security level is fully
supported, and is recommended whenever 2KB keys and ciphertexts are
affordable, to reduce risks from improvements in lattice attacks.
- Flexibility: The sntrup design allows a full spectrum of tradeoffs
between size and security level, so applications with intermediate
size limits aren't forced into much lower security levels. Six
different sizes have been selected for support.
libntruprime has a very simple stateless API based on the SUPERCOP API,
with wire-format inputs and outputs, providing functions that directly
match the KEM operations provided by the sntrup specification, such as
functions
sntrup1277_keypair
sntrup1277_enc
sntrup1277_dec
for the sntrup1277 KEM.
Internally, libntruprime includes implementations designed to work
portably across CPUs, and implementations designed for higher
performance on Intel/AMD CPUs with AVX2 instructions. libntruprime
includes automatic run-time selection of implementations.
libntruprime is intended to be called by larger multi-function libraries
(such as traditional cryptographic libraries), including libraries in
other languages via FFI. The idea is that libntruprime takes
responsibility for the details of sntrup computation, including
optimization, timing-attack protection, and (in ongoing work)
verification, freeing up the calling libraries to concentrate on
application-specific needs such as protocol integration. Applications
can also call libntruprime directly.
I hope to maintain this at https://salsa.debian.org/jas/libntruprime
/Simon