Niels Möller <nisse@lysator.liu.se> writes:

> Hi,
> I'm having a new look at sntrup761, I have rebased the branch based on Simon's work, and pushed as branch "sntrup761" in the Nettle repository.
Yay! I had forgotten about that. IIRC it was based on OpenSSH extraction from supercop, but I think it should be updated against latest upstream -- https://libntruprime.cr.yp.to/download.html -- although I won't be able to work on it for the next few weeks, so if you happen to have cycles upgrading it would be great.
> And I've reread https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf (is that still the main spec?).
Yes.
> I've also added valgrind-based tests for side-channels. It appears key generation may have leaks (when I mark the output from the randomness generator as secret).
I think this was fixed in latest upstream, or I confuse it with something that sounded similar.
> - Not entirely sure where the sorting comes from (I saw no mention of it in the spec). I imagine it's part of generating random values of the appropriate types.
Sorting happens during key generation, as part of the (Hash)Short conversion (see section 3.3, on lprime, which somewhat confusingly is re-used by sntrup too). I suspect https://sorting.cr.yp.to/ eventually finds its way here too; there is a very recent page with speed comparisons: https://sorting.cr.yp.to/speed.html
/Simon
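The Short conversion Simon points at, as an added illustration that is not Nettle's or the reference implementation's code: p random 32-bit words are tagged in their low bits, sorted with a data-oblivious sort, and reduced to coefficients in {-1,0,1} with exactly w nonzero entries. The odd-even transposition sort and the xorshift32 word source are stand-ins chosen for brevity (the reference code uses the crypto_sort_uint32 network and real randomness); sntrup761's p=761 and w=286 are taken from the spec.

```c
#include <stdint.h>

#define P 761  /* sntrup761: number of coefficients */
#define W 286  /* sntrup761: nonzero coefficients in a Short element */

/* Branchless compare-exchange: leaves *a <= *b, no data-dependent branch. */
static void cswap_min(uint32_t *a, uint32_t *b) {
    uint32_t x = *a, y = *b;
    uint32_t gt = (uint32_t)(((uint64_t)y - (uint64_t)x) >> 63); /* 1 iff x > y */
    uint32_t t = (x ^ y) & (0u - gt); *a = x ^ t; *b = y ^ t;
}

/* Odd-even transposition sort: n rounds of a fixed compare-exchange pattern,
   so memory accesses never depend on the data. A simple stand-in for the
   faster crypto_sort_uint32 network that the reference code uses. */
static void oblivious_sort_u32(uint32_t *x, int n) {
    for (int round = 0; round < n; round++)
        for (int i = round & 1; i + 1 < n; i += 2)
            cswap_min(&x[i], &x[i + 1]);
}

/* The spec's Short generation: p random 32-bit words become a vector in
   {-1,0,1}^p with exactly w nonzero entries. Low bits tag the first w words
   as "nonzero" and the rest as "zero"; sorting on the random high bits then
   scatters those tags over random positions with no secret-dependent branch. */
static void short_from_words(uint32_t r[P], int8_t out[P]) {
    for (int i = 0; i < W; i++) r[i] &= (uint32_t)-2;              /* ..x0 -> -1 or +1 */
    for (int i = W; i < P; i++) r[i] = (r[i] & (uint32_t)-3) | 1;  /* ..01 -> 0 */
    oblivious_sort_u32(r, P);                                      /* sorts r in place */
    for (int i = 0; i < P; i++) out[i] = (int8_t)((int)(r[i] & 3) - 1);
}

/* Constructed stand-in for the randomness source (xorshift32; not for real keys). */
static uint32_t next_word(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* Generate one Short element from a seed. Returns its weight, -1 if some
   coefficient is outside {-1,0,1}, -2 if the sort left the words unordered. */
int short_demo(uint32_t seed) {
    uint32_t r[P]; int8_t v[P]; int weight = 0;
    for (int i = 0; i < P; i++) r[i] = next_word(&seed);
    short_from_words(r, v);
    for (int i = 1; i < P; i++) if (r[i - 1] > r[i]) return -2;
    for (int i = 0; i < P; i++) {
        if (v[i] < -1 || v[i] > 1) return -1;
        weight += v[i] != 0;
    }
    return weight;
}
```

Marking the seed words as secret under valgrind and running short_demo is one way to check that the sort itself introduces no secret-dependent branches or addresses.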