MLKEM768 offers better performance and smaller keys, while SNTRUP761 has stronger security assumptions and better resilience against potential cryptanalysis.
NTRU Prime (sntrup) is there mostly as a quirk of history (mlkem wasn't available when SSH went down the road of doing PQ). You can use either, but my guess is using sntrup is going to be a little like how GPG used to default to CAST as its cipher.
NTRU Prime was written by Dan Bernstein, who also had a strong hand in the creation of ed25519 elliptic curve keys, and the chacha20-poly1305 AEAD cipher.
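The two hybrid key exchanges the thread is comparing are selectable per host in OpenSSH, and the only way to know which one a session actually used is to read the client's debug output. The snippet below is an added example, not code from the thread or from OpenSSH: it shows a `KexAlgorithms` pin (sntrup761 first, mlkem768 as fallback) and a small POSIX sh check that pulls the negotiated algorithm out of `ssh -vv` output and classifies it. It assumes OpenSSH names the hybrids `sntrup761x25519-sha512@openssh.com` (9.0+) and `mlkem768x25519-sha256` (9.9+); the debug lines in `SAMPLE_DEBUG` are constructed to match the `debug1: kex: algorithm:` line format OpenSSH prints.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH project).
# Assumes OpenSSH 9.0+ for sntrup761x25519-sha512@openssh.com and
# OpenSSH 9.9+ for mlkem768x25519-sha256.

# Pinning a post-quantum hybrid KEX for one host in ~/.ssh/config
# (the host name is a placeholder):
#
#   Host bastion.example
#       KexAlgorithms sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
#
# With only these two listed, the client refuses to fall back to a
# classical-only exchange such as curve25519-sha256 if the server lacks PQ support.

# Constructed sample of `ssh -vv` client output, trimmed to the KEX lines.
SAMPLE_DEBUG='debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none'

# negotiated_kex: read `ssh -vv` output on stdin, print the agreed KEX name.
# Only the "kex: algorithm:" line is matched; "kex: host key algorithm:" is ignored.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \([^ ]*\).*/\1/p' | head -n 1
}

# is_pq_kex: succeed (exit 0) when the name is one of OpenSSH's PQ hybrids.
# Suffix globs cover both the @openssh.com and unsuffixed spellings.
is_pq_kex() {
    case "$1" in
        sntrup761x25519-sha512*|mlkem768x25519-sha256*) return 0 ;;
        *) return 1 ;;
    esac
}

# sample_negotiated_kex: run the parser over the constructed sample.
sample_negotiated_kex() {
    printf '%s\n' "$SAMPLE_DEBUG" | negotiated_kex
}

# Typical real-world use, against a live host (not run here):
#   kex=$(ssh -vv -o BatchMode=yes user@host true 2>&1 | negotiated_kex)
#   is_pq_kex "$kex" && echo "PQ hybrid in use: $kex" || echo "classical KEX: $kex"
```

Run `is_pq_kex` against the output of `negotiated_kex` in a pre-deployment check; a classical name there means either the server or the client build is too old, or a `KexAlgorithms` list somewhere in the config chain dropped the hybrids.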
https://news.ycombinator.com/item?id=32360533
While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime.
> While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime.
There's IETF WG drafts for use of Kyber / ML-KEM, but none for NTRU, so I'm not sure about that:
* https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/
* https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
* https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-desig...
* https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-ml...
And given that NTRU made it to the third round, and NTRU Prime is labelled as an alternative, I'm not sure how strong a claim Bernstein can make to being ill-treated by NIST.
No, there won't. The world will standardize on MLKEM, at least until some important new piece of knowledge is uncovered. The process wasn't at all fraught. Who's the highest-profile cryptographer or cryptography engineer you can think of who took Bernstein's claims about the process seriously?
> NTRU Prime (sntrup) is there mostly as a quirk of history (mlkem wasn't available when SSH went down the road of doing PQ).
ML-KEM (originally "CRYSTALS-Kyber") was available, it's just the Tiny/OpenSSH folks decided not to choose that particular algorithm (for reasons beyond my pay grade).
NIST announced their competition in 2016 with the submission deadline being in 2017:
* https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography...
TinySSH added SNTRUP in 2018, with OpenSSH following in 2019/2020:
* https://blog.josefsson.org/2023/05/12/streamlined-ntru-prime...
SSH just happened to pick one of the candidates that NIST decided not to go with.
I'm simply repeating what Damien Miller said.
https://news.ycombinator.com/item?id=32366614
I'm curious where you got the idea that they had mlkem available to them? They disagree with you.