Add NTRU back

This commit includes following changes:
* Revert "Removed NTRU. (#1335)"
* Replace the uses of malloc with OQS_MEM_malloc
* Add a derandomized keypair function
* Add "all" entries of NTRU algorithms to the KATs file
* Fix reflecting the removal of NTRU from PQClean
* Update NTRU documents with the latest manners
* Change the CODEOWNERS of NTRU KEM

Signed-off-by: Saito Masataka <[email protected]>

Author: saitomst

.CMake/alg_support.cmake

@@ -111,6 +111,38 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS))
 endif()
 endif()
 
+option(OQS_ENABLE_KEM_NTRU "Enable ntru algorithm family" ON)
+cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps2048509 "" ON "OQS_ENABLE_KEM_NTRU" OFF)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
+if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS))
+    cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps2048509_avx2 "" ON "OQS_ENABLE_KEM_ntru_hps2048509" OFF)
+endif()
+endif()
+
+cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps2048677 "" ON "OQS_ENABLE_KEM_NTRU" OFF)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
+if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS))
+    cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps2048677_avx2 "" ON "OQS_ENABLE_KEM_ntru_hps2048677" OFF)
+endif()
+endif()
+
+cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps4096821 "" ON "OQS_ENABLE_KEM_NTRU" OFF)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
+if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS))
+    cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps4096821_avx2 "" ON "OQS_ENABLE_KEM_ntru_hps4096821" OFF)
+endif()
+endif()
+
+cmake_dependent_option(OQS_ENABLE_KEM_ntru_hps40961229 "" ON "OQS_ENABLE_KEM_NTRU" OFF)
+cmake_dependent_option(OQS_ENABLE_KEM_ntru_hrss701 "" ON "OQS_ENABLE_KEM_NTRU" OFF)
+if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
+if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS))
+    cmake_dependent_option(OQS_ENABLE_KEM_ntru_hrss701_avx2 "" ON "OQS_ENABLE_KEM_ntru_hrss701" OFF)
+endif()
+endif()
+
+cmake_dependent_option(OQS_ENABLE_KEM_ntru_hrss1373 "" ON "OQS_ENABLE_KEM_NTRU" OFF)
+
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_ADD_ENABLE_BY_ALG_START
 option(OQS_ENABLE_KEM_CLASSIC_MCELIECE "Enable classic_mceliece algorithm family" ON)
 cmake_dependent_option(OQS_ENABLE_KEM_classic_mceliece_348864 "" ON "OQS_ENABLE_KEM_CLASSIC_MCELIECE" OFF)

.github/CODEOWNERS

@@ -12,6 +12,7 @@
 /src/kem/kyber @bhess
 /src/kem/kyber/libjade* @praveksharma
 /src/kem/ml_kem @bhess
+/src/kem/ntru @saitomst
 /src/sig/cross @alexrow
 /src/sig/dilithium @bhess
 /src/sig/mayo @bhess

CMakeLists.txt

@@ -233,6 +233,9 @@ endif()
 if(OQS_ENABLE_KEM_NTRUPRIME)
     set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ntruprime/kem_ntruprime.h)
 endif()
+if(OQS_ENABLE_KEM_NTRU)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ntru/kem_ntru.h)
+endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_HEADERS_START
 if(OQS_ENABLE_KEM_CLASSIC_MCELIECE)
     set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/classic_mceliece/kem_classic_mceliece.h)

README.md

@@ -16,6 +16,7 @@ liboqs is an open source C library for quantum-safe cryptographic algorithms.
 			- [Signature schemes](#signature-schemes)
 		- [Limitations and Security](#limitations-and-security)
 			- [Platform limitations](#platform-limitations)
+			- [Support limitations](#support-limitations)
 	- [Quickstart](#quickstart)
 		- [Linux and Mac](#linux-and-mac)
 		- [Windows](#windows)
@@ -62,6 +63,7 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes
 - **HQC**: HQC-128, HQC-192, HQC-256
 - **Kyber**: Kyber512, Kyber768, Kyber1024
 - **ML-KEM**: ML-KEM-512, ML-KEM-768, ML-KEM-1024
+- **NTRU**: NTRU-HPS-2048-509, NTRU-HPS-2048-677, NTRU-HPS-4096-821, NTRU-HPS-4096-1229, NTRU-HRSS-701, NTRU-HRSS-1373
 - **NTRU-Prime**: sntrup761
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_KEXS_END -->
 
@@ -216,6 +218,7 @@ liboqs includes some third party libraries or modules that are licensed differen
 - `src/kem/kyber/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
 - `src/kem/kyber/libjade_*` public domain (CC0) or Apache License v2.
 - `src/kem/ml_kem/mlkem-native_*`: Apache License v2.0
+- `src/kem/ntru/pqclean_*`: public domain (CC0)
 - `src/sig/dilithium/pqcrystals-*`: public domain (CC0) or Apache License v2.0
 - `src/sig/dilithium/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
 -  src/sig/falcon/pqclean_\*\_aarch64 : Apache License v2.0

docs/algorithms/kem/ntru.md

@@ -0,0 +1,82 @@
+# NTRU
+
+- **Algorithm type**: Key encapsulation mechanism.
+- **Main cryptographic assumption**: NTRU in Z[x]/(q, x^n-1) with prime n and power-of-two q.
+- **Principal submitters**: John M. Schanck.
+- **Auxiliary submitters**: Cong Chen, Oussama Danba, Jeffrey Hoffstein, Andreas Hülsing, Joost Rijneveld, Tsunekazu Saito, Peter Schwabe, William Whyte, Keita Xagawa, Takashi Yamakawa, Zhenfei Zhang.
+- **Authors' website**: https://ntru.org/
+- **Specification version**: NIST Round 3 submission.
+- **Primary Source**<a name="primary-source"></a>:
+  - **Source**: https://github.com/PQClean/PQClean/commit/4c9e5a3aa715cc8d1d0e377e4e6e682ebd7602d6
+  - **Implementation license (SPDX-Identifier)**: CC0-1.0
+- **Ancestors of primary source**:
+  - https://github.com/jschanck/ntru/tree/a43a4457
+
+## Parameter set summary
+
+|   Parameter set    | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair seed size (bytes)   |
+|:------------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:----------------------------|
+| NTRU-HPS-2048-509  | NA                    | IND-CCA2         |                    1 |                       699 |                       935 |                       699 |                           32 | NA                          |
+| NTRU-HPS-2048-677  | NA                    | IND-CCA2         |                    3 |                       930 |                      1234 |                       930 |                           32 | NA                          |
+| NTRU-HPS-4096-821  | NA                    | IND-CCA2         |                    5 |                      1230 |                      1590 |                      1230 |                           32 | NA                          |
+| NTRU-HPS-4096-1229 | NA                    | IND-CCA2         |                    5 |                      1842 |                      2366 |                      1842 |                           32 | NA                          |
+|   NTRU-HRSS-701    | NA                    | IND-CCA2         |                    3 |                      1138 |                      1450 |                      1138 |                           32 | NA                          |
+|   NTRU-HRSS-1373   | NA                    | IND-CCA2         |                    5 |                      2401 |                      2983 |                      2401 |                           32 | NA                          |
+
+## NTRU-HPS-2048-509 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2               | True                               | True                                           | False                 |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+ ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
+
+## NTRU-HPS-2048-677 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2               | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## NTRU-HPS-4096-821 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2               | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## NTRU-HPS-4096-1229 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## NTRU-HRSS-701 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2               | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## NTRU-HRSS-1373 implementation characteristics
+
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | clean                    | All                         | All                             | None                    | True                               | True                                           | False                |
+
+Are implementations chosen based on runtime CPU feature detection? **Yes**.
+
+## Explanation of Terms
+
+- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.

docs/algorithms/kem/ntru.yml

@@ -0,0 +1,188 @@
+name: NTRU
+type: kem
+principal-submitters:
+- John M. Schanck
+auxiliary-submitters:
+- Cong Chen
+- Oussama Danba
+- Jeffrey Hoffstein
+- Andreas Hülsing
+- Joost Rijneveld
+- Tsunekazu Saito
+- Peter Schwabe
+- William Whyte
+- Keita Xagawa
+- Takashi Yamakawa
+- Zhenfei Zhang
+crypto-assumption: NTRU in Z[x]/(q, x^n-1) with prime n and power-of-two q
+website: https://ntru.org/
+nist-round: 3
+spec-version: NIST Round 3 submission
+upstream-ancestors:
+- https://github.com/jschanck/ntru/tree/a43a4457
+parameter-sets:
+- name: NTRU-HPS-2048-509
+  claimed-nist-level: 1
+  claimed-security: IND-CCA2
+  length-public-key: 699
+  length-ciphertext: 699
+  length-secret-key: 935
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: NTRU-HPS-2048-677
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 930
+  length-ciphertext: 930
+  length-secret-key: 1234
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: NTRU-HPS-4096-821
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1230
+  length-ciphertext: 1230
+  length-secret-key: 1590
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: NTRU-HPS-4096-1229
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 1842
+  length-ciphertext: 1842
+  length-secret-key: 2366
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: NTRU-HRSS-701
+  claimed-nist-level: 3
+  claimed-security: IND-CCA2
+  length-public-key: 1138
+  length-ciphertext: 1138
+  length-secret-key: 1450
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+  - upstream-id: avx2
+    supported-platforms:
+    - architecture: x86_64
+      operating_systems:
+      - Linux
+      - Darwin
+      required_flags:
+      - avx2
+      - bmi2
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+- name: NTRU-HRSS-1373
+  claimed-nist-level: 5
+  claimed-security: IND-CCA2
+  length-public-key: 2401
+  length-ciphertext: 2401
+  length-secret-key: 2983
+  length-shared-secret: 32
+  implementations-switch-on-runtime-cpu-features: true
+  implementations:
+  - upstream-id: clean
+    supported-platforms: all
+    common-crypto:
+    - SHA3: liboqs
+    no-secret-dependent-branching-claimed: true
+    no-secret-dependent-branching-checked-by-valgrind: true
+    large-stack-usage: false
+    upstream: primary-upstream
+primary-upstream:
+  spdx-license-identifier: CC0-1.0
+  source: https://github.com/PQClean/PQClean/commit/4c9e5a3aa715cc8d1d0e377e4e6e682ebd7602d6