sntrup761 key size

[Niels Möller <nisse%lysator.liu.se@localhost>]

Hi,

I'm looking into implementing sntrup761 (so far, the underlying KEM
primitive, not yet the SSH specifics). But I'm confused by the private
key size, and I hope people here can help me shed some light.

As far as I understand, the main reference is
https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf.

Key generation (2.3.6) outputs the public key _K_ (underlined K in the
spec), and private key that consists of _k_, _K_ and rho (these are all
octet strings; I'm assuming they are simply concatenated, even though
that's not explicitly said).

For the sntrup761 parameters, _K_ represents an element of R/q, encoded
as 1158 bytes. _k_ represents two elements in R/3, encoded as 191 octets
each. And rho is another 191 random octets, for a total of 1731 = 1158 +
3*191 octets.

But then it seems some implementations instead use a private key size of
1763 bytes, where the last 32 bytes are a hash of the public key _K_
(more precisely, Hash_4(_K_)). Which to me looks like a somewhat weird
optimization, since this value is very cheap to recompute whenever needed,
compared to the rest of the decapsulation operation.

Is there some authoritative spec nailing down the private key size and
representation?

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.