Hi
See attached patch that adds sntrup761. What do you think?
My use case is to enable implementation of OpenSSH's
sntrup761x25519-sha512 in libssh/libssh2.
Specific open issues:
- Documentation
- Benchmarking self-test
- Self-tests that validate test vectors
Not trivial because the algorithm is randomized, so we would have to
use deterministic randomness somehow -- and to use an deterministic
algorithm for which there exists sntrup761 test vectors (DRBG-CTR is
the only one I am aware of, but far from ideal).
- API design
- Are gcry_kem_open/gcry_kem_close useful? They complicate
implementation for no gain for sntrup761, but could be useful for
other KEM's, OTOH they may just complicate it for all KEM's since I
believe the KEM APIs are fairly established these days.
- The pubkey parameter for KEM-Enc could be stored in the handle, as
could the seckey parameter for KEM-Dec. This would make the
gcry_kem_open/gcry_kem_close more useful, however it would mean
more memory zeroization issues.
- The #define's for output lengths could be functions, similar to
other libgcrypt APIs. This makes it harder to use statically
allocated buffers, so I think the current #define's are useful.
/Simon
See attached patch that adds sntrup761. What do you think?
My use case is to enable implementation of OpenSSH's
sntrup761x25519-sha512 in libssh/libssh2.
Specific open issues:
- Documentation
- Benchmarking self-test
- Self-tests that validate test vectors
Not trivial because the algorithm is randomized, so we would have to
use deterministic randomness somehow -- and to use an deterministic
algorithm for which there exists sntrup761 test vectors (DRBG-CTR is
the only one I am aware of, but far from ideal).
- API design
- Are gcry_kem_open/gcry_kem_close useful? They complicate
implementation for no gain for sntrup761, but could be useful for
other KEM's, OTOH they may just complicate it for all KEM's since I
believe the KEM APIs are fairly established these days.
- The pubkey parameter for KEM-Enc could be stored in the handle, as
could the seckey parameter for KEM-Dec. This would make the
gcry_kem_open/gcry_kem_close more useful, however it would mean
more memory zeroization issues.
- The #define's for output lengths could be functions, similar to
other libgcrypt APIs. This makes it harder to use statically
allocated buffers, so I think the current #define's are useful.
/Simon