sntrup761 prime sharedKeyBytes value not correct? #1554
Comments
FYI, using the following, the sntrup761x25519-sha512@openssh.com I've authored for JSch works with OpenSSH:
Originally we restricted the size of the shared secret to the strength of the security properties as while the test vectors all used 256 bit values there was no guidance around whether this was actually going to happen in the final draft. So the rule has since come down that it's always 256 bits regardless of the security strength. We have updated NTRU already to follow this, I'll do the same for NTRUPrime.
Great, thank you for the update! Thanks,
I've deployed a new beta with the changes now as well - you'll find it at https://www.bouncycastle.org/betas The change is in beta 178b03 or later.
Hi @dghgit, I've tested with the 178b03 beta and can confirm it works with OpenSSH, thanks! Thanks,
I am a co-maintainer of JSch & recently I began working on integrating support for the sntrup761x25519-sha512@openssh.com KEX algorithm using Bouncy Castle's SNTRUPrime implementation.
However, I have hit a roadblock, as it appears the sntrup761 sharedKeyBytes value is defined as 16 bytes, as seen at bc-java/core/src/main/java/org/bouncycastle/pqc/crypto/ntruprime/SNTRUPrimeParameters.java
Lines 13 to 14 in 1cae543
This differs from OpenSSH's implementation, which defines it as 32 bytes, as seen at https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/crypto_api.h#L45-L48
Is there a reason that Bouncy Castle defines the sharedKeyBytes value as 16 bytes instead of 32 bytes?
The Open Quantum Safe site seems to also define the shared secret size as 32 bytes, agreeing with OpenSSH's definition?
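To make the interoperability consequence of the 16-byte versus 32-byte shared key concrete, here is an added example (not code from bc-java, JSch or OpenSSH) that reconstructs the shared-secret combiner OpenSSH applies for sntrup761x25519-sha512@openssh.com: K = string(SHA-512(sntrup761_key || x25519_key)), with both inputs 32 bytes. The KEM and X25519 outputs used below are constructed sample bytes, not real key-exchange results, and the function names are this example's own.

```python
# Added example, not project code: OpenSSH-style shared-secret combiner for
# sntrup761x25519-sha512@openssh.com, used here to show why a KEM shared key
# of 16 bytes cannot interoperate with a peer that uses the full 32 bytes.
import hashlib
import struct

# crypto_kem_sntrup761_BYTES in OpenSSH's crypto_api.h is 32.
SNTRUP761_SHARED_KEY_BYTES = 32
X25519_SHARED_KEY_BYTES = 32


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def _combine_unchecked(kem_key: bytes, x25519_key: bytes) -> bytes:
    """K = string(SHA-512(kem_key || x25519_key)) with no length validation.

    Only used to illustrate what a peer with a wrong-sized KEM key computes."""
    digest = hashlib.sha512(kem_key + x25519_key).digest()
    return ssh_string(digest)


def combine_shared_secret(kem_key: bytes, x25519_key: bytes) -> bytes:
    """Derive the KEX shared secret K as OpenSSH does for this method.

    Both inputs are length-checked so a wrong-sized KEM shared key is caught
    before it silently produces a K the peer will never agree on."""
    if len(kem_key) != SNTRUP761_SHARED_KEY_BYTES:
        raise ValueError(
            f"sntrup761 shared key must be {SNTRUP761_SHARED_KEY_BYTES} bytes, "
            f"got {len(kem_key)}")
    if len(x25519_key) != X25519_SHARED_KEY_BYTES:
        raise ValueError(
            f"X25519 shared key must be {X25519_SHARED_KEY_BYTES} bytes, "
            f"got {len(x25519_key)}")
    return _combine_unchecked(kem_key, x25519_key)


def demo_mismatch():
    """Return (K_full, K_truncated) for constructed sample inputs.

    K_full is what an OpenSSH peer computes from the 32-byte KEM shared key;
    K_truncated is what an implementation that only keeps 16 bytes of the
    KEM output would hash. The two differ, so the exchange fails."""
    kem_key = bytes(range(0x10, 0x30))       # constructed 32-byte sample
    x25519_key = bytes(range(0xA0, 0xC0))    # constructed 32-byte sample
    k_full = combine_shared_secret(kem_key, x25519_key)
    k_truncated = _combine_unchecked(kem_key[:16], x25519_key)
    return k_full, k_truncated


if __name__ == "__main__":
    full, truncated = demo_mismatch()
    print("K (32-byte KEM key):", full.hex())
    print("K (16-byte KEM key):", truncated.hex())
    print("match:", full == truncated)
```

The encoded K is 4 + 64 bytes, since OpenSSH stores the SHA-512 digest as an SSH string before it feeds it into the exchange hash and key derivation; any disagreement about the KEM shared key length changes the hash input and therefore every derived key.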