While reading the specification of NTRU+, I discovered something peculiar about the hash functions. Regardless of its security, it was being used in a manner where either the full output of SHA256 or the last 256 bits of SHA512's output were fed into an AES256 key and used in counter mode. This doesn't seem immediately vulnerable to attack, but it presents a problem when proving these hash functions as random oracles in the context of 192-bit or 256-bit security. (A collision in XOF input can be found with queries.)
Originally, there is no such thing as 512-bit AES, but even if there were, we can't guarantee that a combination of non-hash functions would act similarly to a random oracle. This is usually proven through indifferentiability, which is often difficult and complex to prove. Therefore, using AES should involve modeling and proving it as a PRG, or alternatively, using SHAKE256 might be more appropriate.
If there's anything incorrect in my statement, I would appreciate your feedback. Cheers, Seongkwang