Hash functions in NTRU+


Seongkwang Kim

Mar 5, 2024, 9:06:42 PM
to KpqC-bulletin
Dear authors of NTRU+,

While reading the specification of NTRU+, I discovered something peculiar about the hash functions. Regardless of its security, it was being used in a manner where either the full output of SHA256 or the last 256 bits of SHA512's output were fed into an AES256 key and used in counter mode. This doesn't seem immediately vulnerable to attack, but it presents a problem when proving these hash functions as random oracles in the context of 192-bit or 256-bit security. (A collision in XOF input can be found with queries.)

Originally, there is no such thing as 512-bit AES, but even if there were, we can't guarantee that a combination of non-hash functions would act similarly to a random oracle. This is usually proven through indifferentiability, which is often difficult and complex to prove. Therefore, using AES should involve modeling and proving it as a PRG, or alternatively, using SHAKE256 might be more appropriate.

If there's anything incorrect in my statement, I would appreciate your feedback.

Cheers,
Seongkwang

김종현

Mar 6, 2024, 1:07:28 AM
to KpqC-bulletin
Dear Seongkwang Kim,

Thank you for your insightful feedback regarding the use of hash functions in the NTRU+ specification.

The decision to utilize AES256CTR mode in the hash functions within NTRU+ was motivated by the aim to generate randomness more efficiently using AES-NI.
However, as you pointed out, since the hash functions used in the NTRU+ specification are modeled as random oracles, the use of AES256CTR mode inside the hash function is not appropriate.

Taking your feedback into consideration, we plan to replace the hash functions utilizing AES256CTR mode with either SHAKE128 or SHAKE256 in future updates.

Once again, we appreciate your interest in NTRU+.

Best regards,
NTRU+ TEAM

On Wednesday, March 6, 2024 at 11:06:42 AM UTC+9, Seongkwang Kim wrote: