libntruprime is a microlibrary for the
Streamlined NTRU Prime
cryptosystem.
Streamlined NTRU Prime (sntrup
) is a lattice-based cryptosystem with the following features:
- Stability:
Almost all details of
sntrup
match a May 2016 publication. The only exceptions are small changes to encoding and hashing published in April 2019. - Patent-freeness:
April 2019 predates almost all
post-quantum patents.
Analyses of various lattice patents
filed before April 2019 indicate no problems for
sntrup
. - Deployment:
The popular OpenSSH tool switched to
sntrup761
by default in April 2022, following initial integration ofsntrup
into TinySSH. - Affordability:
Keys and ciphertexts are about 1KB
for
sntrup761
, and computations are fast. - Careful design:
Subject to the requirement of being a small lattice-based cryptosystem,
sntrup
is systematically designed to eliminate unnecessary complications in security review. It eliminates decryption failures, for example, and eliminates cyclotomics. The cryptosystem has never needed a security patch. - Risk management: A much higher
sntrup1277
security level is fully supported, and is recommended whenever 2KB keys and ciphertexts are affordable, to reduce risks from improvements in lattice attacks. - Flexibility:
The
sntrup
design allows a full spectrum of tradeoffs between size and security level, so applications with intermediate size limits aren't forced into much lower security levels. Six different sizes have been selected for support.
libntruprime has a very simple stateless API
based on the SUPERCOP API,
with wire-format inputs and outputs,
providing functions
that directly match the KEM operations provided by the sntrup
specification,
such as functions
sntrup1277_keypair
sntrup1277_enc
sntrup1277_dec
for the sntrup1277
KEM.
Internally, libntruprime includes implementations designed to work portably across CPUs, and implementations designed for higher performance on Intel/AMD CPUs with AVX2 instructions. libntruprime includes automatic run-time selection of implementations.
libntruprime is intended to be
called by larger multi-function libraries
(such as traditional cryptographic libraries),
including libraries in other languages via FFI.
The idea is that libntruprime takes responsibility
for the details of sntrup
computation,
including optimization, timing-attack protection, and (in ongoing work) verification,
freeing up the calling libraries to concentrate on
application-specific needs such as protocol integration.
Applications can also call libntruprime directly.
Version: This is version 2024.08.25 of the "Intro" web page.