Comment by chasil
2 days ago
NTRU Prime was written by Dan Bernstein, who also had a strong hand in the creation of ed25519 elliptic curve keys, and the chacha20-poly1305 AEAD cipher.
https://news.ycombinator.com/item?id=32360533
While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime.
> While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime.
There are IETF WG drafts for use of Kyber / ML-KEM, but none for NTRU, so I'm not sure about that:
* https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/
* https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
* https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-desig...
* https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-ml...
And given that NTRU made it to the third round, and NTRU Prime is labelled as an alternative, I'm not sure how strong a claim Bernstein can make to being ill-treated by NIST.
The djb suites are well-represented both in TLS and SSH.
While NTRU Prime is not implemented in TLS, if it has even half the lifespan of DSA in SSH then it will be quite long lived.
The context of the conversation is "Bernstein's NTRU Prime", which is not present for TLS in any draft, and for SSH there are only personal / non-WG drafts.
So while some SSH folks just happened to pick NTRU after looking at the options at a particular point in time, some of the other most widely deployed systems (TLS, IPsec) will not be using it. So I'm not quite sure how defendable the "great preference" claim is.
No, there won't. The world will standardize on MLKEM, at least until some important new piece of knowledge is uncovered. The process wasn't at all fraught. Who's the highest-profile cryptographer or cryptography engineer you can think of who took Bernstein's claims about the process seriously?