-rw-r--r-- 3192 libntruprime-20240825/doc/readme.md raw
libntruprime is a microlibrary for the [Streamlined NTRU Prime](https://ntruprime.cr.yp.to) cryptosystem. Streamlined NTRU Prime (`sntrup`) is a lattice-based cryptosystem with the following features: * Stability: Almost all details of `sntrup` match a [May 2016](https://ntruprime.cr.yp.to/ntruprime-20160511.pdf) publication. The only exceptions are small changes to encoding and hashing published in [April 2019](https://ntruprime.cr.yp.to/nist/ntruprime-20190330.pdf). * Patent-freeness: April 2019 predates almost all [post-quantum patents](https://patents.google.com/?q=(%22post-quantum%22)). Analyses of various [lattice patents](https://ntruprime.cr.yp.to/faq.html) filed before April 2019 indicate no problems for `sntrup`. * Deployment: The popular OpenSSH tool switched to `sntrup761` by default in [April 2022](https://www.openssh.com/txt/release-9.0), following initial integration of `sntrup` into [TinySSH](https://github.com/janmojzis/tinyssh). * Affordability: Keys and ciphertexts are [about 1KB](https://ntruprime.cr.yp.to/speed.html) for `sntrup761`, and computations are [fast](speed.html). * Careful design: Subject to the requirement of being a small lattice-based cryptosystem, `sntrup` is systematically designed to [eliminate unnecessary complications in security review](https://ntruprime.cr.yp.to/). It eliminates decryption failures, for example, and eliminates cyclotomics. The cryptosystem has never needed a security patch. * Risk management: A much higher `sntrup1277` security level is [fully supported](https://ntruprime.cr.yp.to/speed.html), and is recommended whenever 2KB keys and ciphertexts are affordable, to reduce risks from [improvements in lattice attacks](https://ntruprime.cr.yp.to/warnings.html). * Flexibility: The `sntrup` design allows a full spectrum of tradeoffs between size and security level, so applications with intermediate size limits aren't forced into much lower security levels. [Six different sizes](https://ntruprime.cr.yp.to/speed.html) have been selected for support. libntruprime has a very simple stateless [API](api.html) based on the SUPERCOP API, with wire-format inputs and outputs, providing functions that directly match the KEM operations provided by the `sntrup` specification, such as functions sntrup1277_keypair sntrup1277_enc sntrup1277_dec for the `sntrup1277` KEM. Internally, libntruprime includes implementations designed to work portably across CPUs, and implementations designed for [higher performance](speed.html) on Intel/AMD CPUs with AVX2 instructions. libntruprime includes automatic run-time selection of implementations. libntruprime is intended to be called by larger multi-function libraries (such as traditional cryptographic libraries), including libraries in other languages via FFI. The idea is that libntruprime takes responsibility for the details of `sntrup` computation, including optimization, timing-attack protection, and (in ongoing work) verification, freeing up the calling libraries to concentrate on application-specific needs such as protocol integration. Applications can also call libntruprime directly.