Niels Möller nisse@lysator.liu.se writes:
I've been hacking a bit on the sntrup code in recent days. See branch https://git.lysator.liu.se/nettle/nettle/-/tree/sntrup761
I've now merged the sntrup761 support. We can consider further API tweaks before it gets into a release.
I have a couple of questions, both on api details and on the algorithm.
- According to the spec, the secret key includes a copy of the public key. Should we stick to this for nettle's api, or would it make more sense to have the decrypt function taking a separate pubkey argument?
For now, sticking to the representation in the spec.
- Would it be useful with an api where public and private keys can be decoded from byte strings to an internal representation, to not have to redo the decoding on each operation? Or stick to only bytestring input and output?
I'd like to revisit this when ml-kem is merged, to get some consistency. For ml-kem, the decoded keys are considerably larger, so might make sense to let caller deal with them (and their allocation) explicitly.
- For private key decoding, it may happen that the private key is invalid. The private key includes lots of mod 3 coefficients, where each coefficient is represented as two bits with valid values 00, 01, 10. What if caller passes 11? Hitting some undefined behaviour or an assertion failure for this isn't that nice. One could return an error (which would be somewhat natural if one has a private key decode function as above), or silently replace 11 values with 00? Neither the spec nor the current code includes any error handling as far as I've found.
Current code silently replaces 11 bits with 00 (reduction mod 3). Not sure if some error reporting when decoding private keys is useful.
(Somewhat related: I just realized that the slh-dsa signing functions hit an assertion failure if public and private keys don't match. I think it may be useful with an alternative signing function with a success/fail return value).
- I'm confused by the extra steps taken to get "implicit rejection".
Still confused about this, but I guess Nettle simply has to follow the spec.
Regards, /Niels
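
The two options discussed above for an invalid 11 pair in a private key, side by side, as an added example that is not Nettle's code and not part of the original message. The function names are hypothetical, and the packing (four coefficients per byte, lowest-order pair first) is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed packing for this example: four mod-3 coefficients per byte,
   two bits each, lowest-order pair first. Pair value 11 is invalid. */

/* Returns a byte with bit 2k set for every pair k that is 11. */
static uint8_t
bad_pairs (uint8_t x)
{
  return x & (x >> 1) & 0x55;
}

/* Policy A: lenient decode. Every 11 pair is reduced mod 3 to 00.
   Writes n coefficients in {0,1,2} to out; no error is possible. */
void
mod3_decode_reduce (uint8_t *out, size_t n, const uint8_t *in)
{
  size_t i;
  for (i = 0; i < n; i++)
    {
      uint8_t x = in[i / 4];
      x ^= (uint8_t) (bad_pairs (x) * 3); /* clear both bits of bad pairs */
      out[i] = (x >> (2 * (i % 4))) & 3;
    }
}

/* Policy B: strict decode. Same output as policy A, but returns 1 if
   all n pairs were valid and 0 if any was 11. The flag is accumulated
   without branching on key bytes; i is public, so i % 4 is fine. */
int
mod3_decode_strict (uint8_t *out, size_t n, const uint8_t *in)
{
  uint8_t bad = 0;
  size_t i;
  for (i = 0; i < n; i++)
    {
      uint8_t x = in[i / 4];
      uint8_t pair_mask = (uint8_t) (1u << (2 * (i % 4)));
      bad |= bad_pairs (x) & pair_mask;
      x ^= (uint8_t) (bad_pairs (x) * 3);
      out[i] = (x >> (2 * (i % 4))) & 3;
    }
  return bad == 0;
}
```

The strict variant only inspects the pairs that hold the n coefficients, so unused bits in a final partial byte are ignored; whether those should also be checked is a separate policy choice.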