Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512:
sntrup761+x25519+sha512
simon@josefsson.org
https://blog.josefsson.org/
Internet Engineering Task Force
We document a widely deployed hybrid key exchange method based
on Streamlined NTRU Prime sntrup761 and X25519 with SHA-512.
Introduction
Streamlined NTRU Prime provides post-quantum small
lattice-based key-encapsulation mechanisms. The sntrup761
instance has been implemented widely.
The pre-quantum elliptic-curve Diffie-Hellman X25519 function
has been widely implemented.
To hedge against attacks on either sntrup761 or X25519, a
hybrid construction may be used, with the intention that the
hybrid would be secure if either of the involved algorithms
is flawed.
This document describes how to implement key exchange based on
a hybrid between Streamlined NTRU Prime sntrup761 and X25519
with SHA-512.
This hybrid construction was introduced for the Secure Shell
protocol as sntrup761x25519-sha512, and we offer this document
for other protocols that desire to use an established hybrid
key exchange method.
Key Exchange Method: sntrup761+x25519+sha512
The key-agreement is done by the X25519 Diffie-Hellman
protocol as described in section Curve25519 of , and the key encapsulation method described
in .
Alice sends a concatenation of the 1158 byte public key output
from the key generator of sntrup761 with the 32 byte K_A =
X25519(a, 9) as described in
and . The output value is thus 1190
bytes.
Bob sends a concatenation of the 1039 byte ciphertext output
from the key encapsulation mechanism of sntrup761 with the 32
byte K_B = X25519(b, 9) as described in and . The
output value is thus 1071 bytes.
Alice derives the 32 byte shared K1 based on the X25519 values
as described in and performs the
sntrup761 key decapsulation operation as described in to yield the 32 byte shared secret
K2. Alice derives the final hybrid shared secret key K using
SHA-512 as SHA512(K1||K2) where ||
denotes concatenation. The output is 64 bytes.
Bob derives the 32 byte shared K1 based on the X25519 values as
described in and takes the 32 byte
shared secret key K2 from the earlier key encapsulation method
of sntrup761. Bob derives the final hybrid shared secret
key K using SHA-512 as
SHA512(K1||K2) where || denotes concatenation. The output is
64 bytes.
Alice and Bob have now established a shared key.
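The message layout and combiner described above, as an added example that is not part of this document or of any implementation it cites. X25519 is a compact, variable-time RFC 7748 ladder for illustration only; the sntrup761 public key, ciphertext and K2 are constructed random stand-ins, and the names split, hybrid_key and demo are hypothetical.

```python
import hashlib
import os

P, A24 = 2**255 - 19, 121665
PK_LEN, CT_LEN, X_LEN = 1158, 1039, 32   # sizes stated in the text above
BASE = (9).to_bytes(32, "little")        # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Variable-time: illustration only."""
    n = (int.from_bytes(k, "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def split(msg: bytes, kem_len: int):
    """Split a wire message into (sntrup761 part, X25519 public value)."""
    if len(msg) != kem_len + X_LEN:
        raise ValueError(f"expected {kem_len + X_LEN} bytes, got {len(msg)}")
    return msg[:kem_len], msg[kem_len:]

def hybrid_key(own_secret: bytes, peer_msg: bytes, kem_len: int, k2: bytes) -> bytes:
    """K = SHA512(K1 || K2); k2 comes from sntrup761 encap/decap (not shown)."""
    _, peer_x = split(peer_msg, kem_len)
    k1 = x25519(own_secret, peer_x)
    if k1 == bytes(32) or len(k2) != 32:   # RFC 7748 all-zero check, K2 size
        raise ValueError("invalid K1 or K2")
    return hashlib.sha512(k1 + k2).digest()

def demo():
    # Constructed stand-ins: random bytes in place of real sntrup761 output.
    pk, ct, k2 = os.urandom(PK_LEN), os.urandom(CT_LEN), os.urandom(32)
    a, b = os.urandom(32), os.urandom(32)
    alice_msg = pk + x25519(a, BASE)   # 1190 bytes, Alice -> Bob
    bob_msg = ct + x25519(b, BASE)     # 1071 bytes, Bob -> Alice
    return (hybrid_key(a, bob_msg, CT_LEN, k2),
            hybrid_key(b, alice_msg, PK_LEN, k2), alice_msg, bob_msg)
```

The all-zero K1 rejection is the optional check from RFC 7748 and is an addition here; the text above does not state whether the construction requires it.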
Acknowledgements
This work is a simple generalization of the
sntrup761x25519-sha512 mechanism due to and TinySSH documented in
draft-josefsson-ntruprime-ssh-00.
Security Considerations
The security considerations of ,
and
are inherited.
While the construct should remain secure if either X25519 or
sntrup761 is found to be insecure, the security of the
combined hybrid construction depends on the security of the
SHA-512 algorithm.
IANA Considerations
This document has no IANA actions.
References
Normative References
NTRU Prime: round 3
Informative References
NTRU Prime: reducing attack surface at low cost
TinySSH - minimalistic SSH server which implements only a subset of SSHv2 features
TinySSH
The OpenSSH Project
OpenSSH group of OpenBSD