3. Key Exchange Method: sntrup761x25519-sha512
This section preserves the RFC text for the SSH hybrid key exchange method, including sntrup761, X25519, SHA-512, SSH message names, public value lengths, IANA registration, security considerations, and test vectors.
3. Key Exchange Method: sntrup761x25519-sha512
The key agreement is done by the X25519 Diffie-Hellman protocol as
described in Section 3 ("Key Exchange Methods") of [RFC8731] and by
the key encapsulation method described in [NTRUPrimePQCS].
The key exchange procedure reuses the ECDH key exchange defined in
Sections 4 ("ECDH Key Exchange") and 7.1 ("ECDH Message Numbers") of
[RFC5656].
The protocol flow and the SSH_MSG_KEX_ECDH_INIT and
SSH_MSG_KEX_ECDH_REPLY messages are identical, except that we use
different ephemeral public values Q_C and Q_S and shared secret K as
described below.
Implementations MAY use the name SSH_MSG_KEX_HYBRID_INIT where
SSH_MSG_KEX_ECDH_INIT is used and the name SSH_MSG_KEX_HYBRID_REPLY
where SSH_MSG_KEX_ECDH_REPLY is used, as long as the encoding on the
wire is identical. These symbolic names do not appear on the wire;
they are merely used in specifications to refer to particular byte
values. For consistency with [RFC5656], which defines the packet
syntax, we use those names in the rest of this document.
The SSH_MSG_KEX_ECDH_INIT's value Q_C that holds the client's
ephemeral public key MUST be constructed by concatenating the
1158-byte public key output from the key generator of sntrup761 with
the 32-byte K_A = X25519(a, 9) as described in [NTRUPrimePQCS] and
[RFC8731]. The Q_C value is thus 1190 bytes.
The SSH_MSG_KEX_ECDH_REPLY's value Q_S that holds the server's
ephemeral public key MUST be constructed by concatenating the
1039-byte ciphertext output from the key encapsulation mechanism of
sntrup761 with the 32-byte K_B = X25519(b, 9) as described in
[NTRUPrimePQCS] and [RFC8731]. The Q_S value is thus 1071 bytes.
Clients and servers MUST abort if the length of the received public
keys Q_C or Q_S are not the expected lengths. An abort for these
purposes is defined as a disconnect (SSH_MSG_DISCONNECT) of the
session and SHOULD use the SSH_DISCONNECT_KEY_EXCHANGE_FAILED reason
for the message; see Section 11.1 ("Disconnection Message") of
[RFC4253]. No further validation is required beyond what is
described in [RFC7748], [RFC8731], and [NTRUPrimePQCS].
The SSH_MSG_KEX_ECDH_REPLY's signature value is computed as described
in ECC for SSH [RFC5656] with the following changes. Instead of
encoding the shared secret K as "mpint", it MUST be encoded as
"string". The shared secret K value MUST be the 64-byte output octet
string of the SHA-512 hash computed with the input as the 32-byte
octet string key output from the key encapsulation mechanism of
sntrup761 concatenated with the 32-byte octet string of X25519(a,
X25519(b, 9)) = X25519(b, X25519(a, 9)).
Some earlier implementations may implement this protocol only through
the name [email protected]; therefore, it is
RECOMMENDED to announce and accept that name as an alias of this
protocol to increase chances for successfully negotiating the
protocol.