About NTRU

Introduction

The concept of NTRU was introduced in 1996 by Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. Since its inception, it has undergone significant development by numerous researchers, resulting in multiple variants. The NTRU Key Encapsulation Mechanism (KEM) outlined in this document is based on the Round 3 submission to NIST’s Post-Quantum Cryptography project. The term NTRU, in this context, refers to the specific variants on which the KEM is based—namely, NTRU-HPS and NTRU-HRSS. NTRU is constructed using a generic transformation from a deterministic public key encryption (DPKE) scheme into a KEM, achieving a tight IND-CCA security proof in both the classical and quantum random oracle models.

Advantages

NTRU offers several advantages.

Well studied

The OW-CPA security of the underlying DPKE is well studied.

Fast

The encapsulation of NTRU-HRSS is faster than that of ML-KEM.

Patent free

All patents related to NTRU have expired.

Flexible

NTRU can be flexibly parameterized to accommodate a wide range of use cases, offering customizable options for security level, key and ciphertext sizes, and computational efficiency.

Compact

The ntruhps2048677 parameter set, which achieves 128-bit security, has public keys and ciphertexts of only 930 bytes.
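
Where the 930-byte figure comes from, as an added example that is not part of the original page or of the NTRU submission's code: a public key or ciphertext is a degree-(n-1) polynomial whose coefficients sum to 0 mod q, so only n-1 coefficients of log2(q) bits each are stored and the last is recomputed on decoding. The function names, the little-endian bit order and the rejection of nonzero padding bits are assumptions of this sketch; the (n, q) pairs are those of the Round 3 parameter sets.

```python
# Added example: length check and packing for an NTRU public key / ciphertext.
PARAMS = {  # parameter set -> (n, q)
    "ntruhps2048509": (509, 2048),
    "ntruhps2048677": (677, 2048),
    "ntruhps4096821": (821, 4096),
    "ntruhrss701": (701, 8192),
}

def packed_len(name):
    """Bytes needed for n-1 coefficients of log2(q) bits each."""
    n, q = PARAMS[name]
    return ((n - 1) * (q.bit_length() - 1) + 7) // 8

def pack(coeffs, name):
    """Encode n coefficients; the last one is implied and not stored."""
    n, q = PARAMS[name]
    if len(coeffs) != n or any(not 0 <= c < q for c in coeffs):
        raise ValueError("bad coefficient vector")
    if sum(coeffs) % q != 0:
        raise ValueError("coefficients do not sum to 0 mod q")
    logq = q.bit_length() - 1
    acc = 0
    for i, c in enumerate(coeffs[:-1]):
        acc |= c << (i * logq)
    return acc.to_bytes(packed_len(name), "little")

def unpack(data, name):
    """Decode untrusted bytes, rejecting wrong lengths and stray padding."""
    n, q = PARAMS[name]
    if len(data) != packed_len(name):
        raise ValueError("wrong length for " + name)
    logq = q.bit_length() - 1
    acc = int.from_bytes(data, "little")
    if acc >> ((n - 1) * logq):
        raise ValueError("nonzero padding bits")
    coeffs = [(acc >> (i * logq)) & (q - 1) for i in range(n - 1)]
    coeffs.append(-sum(coeffs) % q)  # restore the implied last coefficient
    return coeffs

def sample(name):
    """Constructed test vector (not a real key): arbitrary values, sum 0 mod q."""
    n, q = PARAMS[name]
    coeffs = [(i * 7919) % q for i in range(n - 1)]
    coeffs.append(-sum(coeffs) % q)
    return coeffs

if __name__ == "__main__":
    for name in PARAMS:
        print(name, packed_len(name), "bytes")
```

Checking the length before decoding gives a receiver a cheap way to reject malformed keys and ciphertexts for the negotiated parameter set.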

Simple

The transformation to an IND-CCA-secure KEM is simple compared to the Fujisaki-Okamoto transformation used in many post-quantum KEMs.