> NTRU Prime (sntrup) is there mostly as a quirk of history (mlkem wasn't available when SSH went down the road of doing PQ).

ML-KEM (originally "CRYSTALS-Kyber") was available, it's just the Tiny/OpenSSH folks decided not to choose that particular algorithm (for reasons beyond my pay grade).

NIST announced their competition in 2016 with the submission deadline being in 2017:

* https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography...

TinySSH added SNTRUP in 2018, with OpenSSH following in 2019/2020:

* https://blog.josefsson.org/2023/05/12/streamlined-ntru-prime...

SSH just happened to pick one of the candidates that NIST decided not to go with.

▲

tptacek 5 days ago | parent [-]

I'm simply repeating what Damien Miller said.

https://news.ycombinator.com/item?id=32366614

I'm curious where you got the idea that they had mlkem available to them? They disagree with you.

	▲	throw0101a 5 days ago \| parent [-]
		From the link: > We (OpenSSH) haven't "disregarded" the winning variants, we added NTRU before the standardisation process was finished and we'll almost certainly add the NIST finalists fairly soon. Nothing in his statements talks about 'availability', just a particular choice (from the ideas floating around at the time). CRYSTALS-Kyber (now ML-KEM) was available at the same time as SNTRUP because they were both candidates in the NIST competition. NTRU (Prime) is listed as round three finalist / alternate (along with CRYSTALS-Kyber): * https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography... Given that they were both candidates in the same competition, they would have been available at the same time. Tiny/OpenSSH simply chose a candidate that ended up not winning (I'm not criticizing / judging their choice: they made a call, and it happened to be a different call than NIST).