tptacek 5 days ago
NTRU Prime (sntrup) is there mostly as a quirk of history (mlkem wasn't available when SSH went down the road of doing PQ). You can use either, but my guess is using sntrup is going to be a little like how GPG used to default to CAST as its cipher.
chasil 5 days ago
NTRU Prime was written by Dan Bernstein, who also had a strong hand in the creation of ed25519 elliptic curve keys, and the chacha20-poly1305 AEAD cipher.

https://news.ycombinator.com/item?id=37520065

https://www.metzdowd.com/pipermail/cryptography/2016-March/0...

The first version of NTRU Prime in an SSH server was implemented in TinySSH and later adopted by OpenSSH. Bernstein provided new guidance, and OpenSSH developed an updated algorithm that TinySSH implemented in return.

The NIST approval process was fraught, and Bernstein ended up filing a lawsuit over treatment that he received. I don't know how that has progressed.

https://news.ycombinator.com/item?id=32360533

While Kyber may have been the winning algorithm, there will be great preference in the community for Bernstein's NTRU Prime.
throw0101a 5 days ago
> NTRU Prime (sntrup) is there mostly as a quirk of history (mlkem wasn't available when SSH went down the road of doing PQ).

ML-KEM (originally "CRYSTALS-Kyber") was available, it's just the Tiny/OpenSSH folks decided not to choose that particular algorithm (for reasons beyond my pay grade).

NIST announced their competition in 2016 with the submission deadline being in 2017:

* https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography...

TinySSH added SNTRUP in 2018, with OpenSSH following in 2019/2020:

* https://blog.josefsson.org/2023/05/12/streamlined-ntru-prime...

SSH just happened to pick one of the candidates that NIST decided not to go with.