ntrust-native

A safe pure-Rust implementation of the NTRU post-quantum scheme.

Who should use it?

Anyone who wants to use the NTRU scheme to negotiate a key between two parties.

How does one use it?

Add this to your Cargo.toml:

```toml
[dependencies]
ntrust-native = "1.0"
```

To use a specific NTRU variant, you need to import it with the corresponding feature flag:

```toml
[dependencies]
ntrust-native = { version = "1.0", features = ["ntruhrss701"] }
```

The simple example illustrates the API:

```rust
use ntrust_native::AesState;
use ntrust_native::{crypto_kem_dec, crypto_kem_enc, crypto_kem_keypair};
use ntrust_native::{CRYPTO_BYTES, CRYPTO_CIPHERTEXTBYTES, CRYPTO_PUBLICKEYBYTES, CRYPTO_SECRETKEYBYTES};

use std::error;

fn main() -> Result<(), Box<dyn error::Error>> {
  let mut rng = AesState::new();
  let mut pk = [0u8; CRYPTO_PUBLICKEYBYTES];
  let mut sk = [0u8; CRYPTO_SECRETKEYBYTES];
  let mut ct = [0u8; CRYPTO_CIPHERTEXTBYTES];
  let mut ss_alice = [0u8; CRYPTO_BYTES];
  let mut ss_bob = [0u8; CRYPTO_BYTES];

  // Alice generates a key pair and publishes pk
  crypto_kem_keypair(&mut pk, &mut sk, &mut rng)?;
  // Bob encapsulates against pk: ciphertext ct plus his copy of the shared secret
  crypto_kem_enc(&mut ct, &mut ss_bob, &pk, &mut rng)?;
  // Alice decapsulates ct with sk to recover the same shared secret
  crypto_kem_dec(&mut ss_alice, &ct, &sk)?;

  assert_eq!(ss_bob, ss_alice);

  Ok(())
}
```

How does one run it?

This library comes with two examples:

```bash
$ cargo run --example simple
```

The output annotates messages with Alice/Bob to illustrate which data is processed by which party. The katkem example implements the classic request/response file structure which is part of the NIST PQC framework.

```bash
$ cargo run --example katkem PQCkemKAT_935.req PQCkemKAT_935.rsp
$ cargo run --example katkem PQCkemKAT_935.rsp
```

The different variants (ntruhps2048509, ntruhps2048677, ntruhps4096821, ntruhrss701) can be enabled through feature flags:

```bash
$ cargo run --example katkem --features ntruhrss701 -- PQCkemKAT_1450.req PQCkemKAT_1450.rsp
```

ntruhps2048509 is the default variant. You cannot enable two variants simultaneously.
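The response file written by the katkem example can be compared record by record against a reference file. The following is an added example, not code from ntrust-native: it assumes the `.rsp` layout of the NIST KAT generator (a `#` comment line, then blank-line-separated `key = HEX` records with the fields `count`, `seed`, `pk`, `sk`, `ct`, `ss`); `parse_kat`, `first_mismatch` and the sample data are hypothetical names and constructed values.

```rust
use std::collections::BTreeMap;

/// One KAT record: field name -> value (decimal for `count`, hex otherwise).
type Record = BTreeMap<String, String>;

/// Parse blank-line-separated `key = value` records; `#` lines are comments.
fn parse_kat(text: &str) -> Result<Vec<Record>, String> {
    let (mut records, mut cur) = (Vec::new(), Record::new());
    for (no, line) in text.lines().map(str::trim).enumerate() {
        if line.is_empty() || line.starts_with('#') {
            if line.is_empty() && !cur.is_empty() { records.push(std::mem::take(&mut cur)); }
            continue;
        }
        let (key, val) = line.split_once('=').map(|(k, v)| (k.trim(), v.trim()))
            .ok_or_else(|| format!("line {}: expected `key = value`", no + 1))?;
        // Hex fields may be empty (as in a .req file) but never malformed.
        let hex_ok = val.len() % 2 == 0 && val.bytes().all(|b| b.is_ascii_hexdigit());
        if key != "count" && !hex_ok {
            return Err(format!("line {}: `{}` is not valid hex", no + 1, key));
        }
        // Upper-case the value so the comparison ignores hex letter case.
        if cur.insert(key.to_string(), val.to_ascii_uppercase()).is_some() {
            return Err(format!("line {}: duplicate `{}` in record", no + 1, key));
        }
    }
    if !cur.is_empty() { records.push(cur); }
    Ok(records)
}

/// First difference between reference and produced records, as (count, field).
fn first_mismatch(expected: &[Record], actual: &[Record]) -> Option<(String, String)> {
    if expected.len() != actual.len() { return Some(("*".into(), "record count".into())); }
    for (e, a) in expected.iter().zip(actual) {
        for field in ["count", "seed", "pk", "sk", "ct", "ss"].iter() {
            if e.get(*field) != a.get(*field) {
                return Some((e.get("count").cloned().unwrap_or_default(), field.to_string()));
            }
        }
    }
    None
}

// Constructed sample with shortened hex values, not real NTRU test vectors.
const REFERENCE: &str = "# sample\n\ncount = 0\nseed = 0A1B\npk = 11\nsk = 22\nct = 33\nss = 44\n\n\
                         count = 1\nseed = 0C2D\npk = 55\nsk = 66\nct = 77\nss = 88\n";

fn main() {
    let bad = parse_kat(&REFERENCE.replace("ss = 88", "ss = 89")).unwrap(); // wrong secret
    println!("first mismatch: {:?}", first_mismatch(&parse_kat(REFERENCE).unwrap(), &bad));
}
```

A mismatch in `ss` with matching `ct` points at decapsulation or key derivation, while a mismatch already in `pk` or `sk` points at key generation or the seeded random source.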

How fast is it?

All measurements are given in clock cycles. The Rust implementation has the following clock-cycle counts (smaller is better):

| | complete KEM | keypair | enc | dec |
|---|---|---|---|---|
| ntruhps2048509 | 19,980,855 | 14,105,680 | 472,909 | 1,122,414 |
| ntruhps2048677 | 27,478,939 | 24,077,519 | 895,930 | 2,333,079 |
| ntruhps4096821 | 42,083,125 | 36,882,783 | 1,487,401 | 3,367,818 |
| ntruhrss701 | 32,433,993 | 28,506,984 | 828,162 | 2,919,074 |

The C reference implementation has the following clock-cycle counts (smaller is better):

| | complete KEM | keypair | enc | dec |
|---|---|---|---|---|
| ntruhps2048509 | 15,912,900 | 12,139,200 | 811,651 | 1,812,650 |
| ntruhps2048677 | 28,911,500 | 22,233,600 | 1,520,640 | 3,668,860 |
| ntruhps4096821 | 41,914,800 | 32,138,300 | 2,089,350 | 5,908,570 |
| ntruhrss701 | 28,966,600 | 23,134,700 | 1,368,270 | 3,462,640 |

The tests were done on a Lenovo Thinkpad x260 (Intel Core i5-6200U CPU @ 2.30GHz). For Rust, criterion 0.3.5 was used as set up in benches/; for C, Google's benchmark with PFM support and disabled CPU frequency scaling.

Our summary is that both implementations have comparable runtime. Rust is a little bit slower (but it uses many copy operations for type safety, which you could replace with unsafe {} code).

You can run the benchmark suite yourself with the bench subcommand and, optionally, a variant feature flag:

```bash
$ cargo bench --features ntruhrss701
```

Where is the source code?

On GitHub.

What is the content's license?

MIT License

Changelog

Where can I ask you to fix a bug?

On GitHub.