| |
| ▲ | chasil 5 days ago | parent | next [-] | | NTRU Prime was written by Dan Bernstein, who also had a strong hand in the creation of ed25519 elliptic curve keys, and the chacha20-poly1305 AEAD cipher. https://news.ycombinator.com/item?id=37520065 https://www.metzdowd.com/pipermail/cryptography/2016-March/0... The first version of NTRU Prime in an SSH server was implemented in TinySSH and later adopted by OpenSSH. Bernstein provided new guidance, and OpenSSH developed an updated algorithm that TinySSH implemented in return. The NIST approval process was fraught, and Bernstein ended up filing a lawsuit over treatment that he received. I don't know how that has progressed. https://news.ycombinator.com/item?id=32360533 While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime. | | |
| ▲ | throw0101a 5 days ago | parent | next [-] | | > While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime. There's IETF WG drafts for use of Kyber / ML-KEM, but none for NTRU, so I'm not sure about that: * https://datatracker.ietf.org/doc/draft-ietf-tls-mlkem/ * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ * https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-desig... * https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-ml... And given that NTRU made it to the third round, and NTRU Prime is labelled as an alternative, I'm not how strong a claim Bernstein can make to being ill-treated by NIST. | | |
| ▲ | chasil 5 days ago | parent [-] | | The djb suites are well-represented both in TLS and SSH. While NTRU Prime is not implemented in TLS, if it has even half the lifespan of DSA in SSH then it will be quite long lived. | | |
| ▲ | throw0101a 4 days ago | parent [-] | | The context of the conversation is "Bernstein's NTRU Prime", which is not present for TLS in any draft, and for SSH there are only personal / non-WG drafts. So while some SSH folks just happened to pick NTRU after looking at the options at a particular point in time, some of the other most widely deployed systems (TLS, IPsec) will not be using it. So I'm not quite sure how defendable the "great preference" claim is. | | |
| ▲ | chasil 4 days ago | parent [-] | | The first SSH server that chose it was TinySSH. Have you ever visited their site? https://tinyssh.org/ I use this in a variety of ways, thousands of logins per day. I don't see much love for AES. | | |
| ▲ | throw0101a 4 days ago | parent [-] | | > The first SSH server that chose it was TinySSH. Yes, I know. I mention this timeline in another one of my comments: * https://news.ycombinator.com/item?id=44866802 > I use this in a variety of ways, thousands of logins per day. I don't see much love for AES. So? Given its focus on low(er)-performance systems, perhaps on chips without AES-NI, it's no surprise that TinySSH does not have AES. Further, Dropbear, another implementation often used on smaller footprints, does have AES and recently added ML-KEM: * https://github.com/mkj/dropbear/commit/1748ccae5090d511753c0... PuTTY added ML-KEM in 0.83 earlier this year. So I'm not sure how talking about a niche SSH implementation supports your claim that "there will be great preference in the community for Bernstein's NTRU Prime." The evidence appears to me that implementation have been adding NIST's choice(s) since they have become available. | | |
|
|
|
| |
| ▲ | tptacek 5 days ago | parent | prev [-] | | No, there won't. The world will standardize on MLKEM, at least until some important new piece of knowledge is uncovered. The process wasn't at all fraught. Who's the highest-profile cryptographer or cryptography engineer you can think of who took Bernstein's claims about the process seriously? |
| |
| ▲ | throw0101a 5 days ago | parent | prev [-] | | > NTRU Prime (sntrup) is there mostly as a quirk of history (mlkem wasn't available when SSH went down the road of doing PQ). ML-KEM (originally "CRYSTALS-Kyber") was available, it's just the Tiny/OpenSSH folks decided not to choose that particular algorithm (for reasons beyond my pay grade). NIST announced their competition in 2016 with the submission deadline being in 2017: * https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography... TinySSH added SNTRUP in 2018, with OpenSSH following in 2019/2020: * https://blog.josefsson.org/2023/05/12/streamlined-ntru-prime... SSH just happened to pick one of the candidates that NIST decided not to go with. | | |
| ▲ | tptacek 5 days ago | parent [-] | | I'm simply repeating what Damien Miller said. https://news.ycombinator.com/item?id=32366614 I'm curious where you got the idea that they had mlkem available to them? They disagree with you. | | |
| ▲ | throw0101a 5 days ago | parent [-] | | From the link: > We (OpenSSH) haven't "disregarded" the winning variants, we added NTRU before the standardisation process was finished and we'll almost certainly add the NIST finalists fairly soon. Nothing in his statements talks about 'availability', just a particular choice (from the ideas floating around at the time). CRYSTALS-Kyber (now ML-KEM) was available at the same time as SNTRUP because they were both candidates in the NIST competition. NTRU (Prime) is listed as round three finalist / alternate (along with CRYSTALS-Kyber): * https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography... Given that they were both candidates in the same competition, they would have been available at the same time. Tiny/OpenSSH simply chose a candidate that ended up not winning (I'm not criticizing / judging their choice: they made a call, and it happened to be a different call than NIST). |
|
|
|
