NTRU is an

open-source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use and view the source code, design documents, or content of the product. The open source model is a decentrali ...

public-key cryptosystem Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic a ...

that uses

lattice-based cryptography Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions support important standards of post-quant ...

to encrypt and decrypt data. It consists of two algorithms:

NTRUEncrypt The NTRUEncrypt public key cryptosystem, also known as the NTRU encryption algorithm, is an NTRU lattice-based cryptography, lattice-based alternative to RSA (algorithm), RSA and elliptic curve cryptography (ECC) and is based on the lattice proble ...

, which is used for encryption, and

NTRUSign NTRUSign, also known as the NTRU Signature Algorithm, is an NTRU public-key cryptography digital signature algorithm based on the GGH signature scheme. The original version of NTRUSign was Polynomial Authentication and Signature Scheme (PASS), a ...

, which is used for digital signatures. Unlike other popular public-key cryptosystems, it is resistant to attacks using

Shor's algorithm Shor's algorithm is a quantum algorithm for finding the prime factors of an integer. It was developed in 1994 by the American mathematician Peter Shor. It is one of the few known quantum algorithms with compelling potential applications and strong ...

. NTRUEncrypt was patented, but it was placed in the public domain in 2017. NTRUSign is patented, but it can be used by software under the

GPL The GNU General Public Licenses (GNU GPL or simply GPL) are a series of widely used free software licenses, or ''copyleft'' licenses, that guarantee end users the freedom to run, study, share, or modify the software. The GPL was the first c ...

History

The first version of the system, which was called NTRU, was developed in 1996 by mathematicians Jeffrey Hoffstein,

Jill Pipher Jill Catherine Pipher (born December 14, 1955, in Harrisburg, Pennsylvania) is an American mathematician. She served as president of the American Mathematical Society (AMS, 2019–2020). and president of the Association for Women in Mathematics ( ...

, and Joseph H. Silverman. That same year, the developers of NTRU joined with

Daniel Lieman Daniel commonly refers to: * Daniel (given name), a masculine given name and a surname * List of people named Daniel * List of people with surname Daniel * Daniel (biblical figure) * Book of Daniel, a biblical apocalypse, "an account of the activ ...

and founded the company NTRU Cryptosystems, Inc., and were given a patent on the cryptosystem. The name "NTRU", chosen for the company and soon applied to the system as well, was originally derived from the pun ''Number Theorists 'R' Us'' or, alternatively, stood for ''Number Theory Research Unit''. In 2009, the company was acquired by Security Innovation, a software security corporation. In 2013, Damien Stehle and Ron Steinfeld created a provably secure version of NTRU, which is being studied by a post-quantum crypto group chartered by the European Commission. In May 2016,

Daniel Bernstein Daniel Bernstein is a composer for video games and movies. Born in Leningrad in the Soviet Union (now part of Russia), he received a B.S. in computer science and an M.A. in music composition from the University of Virginia. Bernstein started in ...

, Chitchanok Chuengsatiansup,

Tanja Lange Tanja Lange is a German cryptographer and number theorist at the Eindhoven University of Technology. She is known for her research on post-quantum cryptography. Education and career Lange earned a diploma in mathematics in 1998 from the Technica ...

and Christine van Vredendaal released NTRU Prime, which adds defenses against a potential attack on NTRU by eliminating algebraic structure they considered worrisome. However, after more than 20 years of scrutiny, no concrete approach to attack the original NTRU by exploiting its algebraic structure has been found so far. NTRU became a finalist in the third round of

NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical s ...

's Post-Quantum Cryptography Standardization project, whereas NTRU Prime became an alternate candidate.

Performance

At equivalent cryptographic strength, NTRU performs costly private-key operations much faster than RSA does. The time of performing an RSA private operation increases as the cube of the key size, whereas that of an NTRU operation increases quadratically. In 2010, the Department of Electrical Engineering, University of Leuven, noted that "

sing Singing is the art of creating music with the voice. It is the oldest form of musical expression, and the human voice can be considered the first musical instrument. The definition of singing varies across sources. Some sources define singi ...

a modern GTX280 GPU, a throughput of up to encryptions per second can be reached at a

security level In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of " bits of security" (also security strength ...

of 256 bits. Comparing this to a symmetric cipher (not a very common comparison), this is only around 20 times slower than a recent AES implementation."

Resistance to quantum-computer-based attacks

Unlike RSA and

elliptic-curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modula ...

, NTRU is not known to be vulnerable to attacks on

quantum computer A quantum computer is a computer that exploits quantum mechanical phenomena. On small scales, physical matter exhibits properties of both particles and waves, and quantum computing takes advantage of this behavior using specialized hardware. ...

s. The

National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into Outline of p ...

wrote in a 2009 survey that "

here Here may refer to: Music * ''Here'' (Adrian Belew album), 1994 * ''Here'' (Alicia Keys album), 2016 * ''Here'' (Cal Tjader album), 1979 * ''Here'' (Edward Sharpe album), 2012 * ''Here'' (Idina Menzel album), 2004 * ''Here'' (Merzbow album), ...

are viable alternatives for both public key encryption and signatures that are not vulnerable to Shor's Algorithm" and that " fthe various lattice based cryptographic schemes that have been developed, the NTRU family of cryptographic algorithms appears to be the most practical". The European Union's PQCRYPTO project (

Horizon 2020 The Framework Programmes for Research and Technological Development, also called Framework Programmes or abbreviated FP1 to FP9, are funding programmes created by the European Union/European Commission to support and foster research in the Europe ...

ICT-645622) is evaluating the provably secure Stehle–Steinfeld version of NTRU (not original NTRU algorithm itself) as a potential European standard. However the Stehle–Steinfeld version of NTRU is "significantly less efficient than the original scheme".

Standardization

* The standard IEEE Std 1363.1, issued in 2008, standardizes lattice-based public-key cryptography, especially NTRUEncrypt. * The standard X9.98 standardizes lattice-based public-key cryptography, especially NTRUEncrypt, as part of th
X9
standards for the financial services industry. * The PQCRYPTO project of the European Commission is considering standardization of the provably secure Stehle–Steinfeld version of NTRU.

Implementations

Originally, NTRU was only available as a proprietary, for-pay library, and open-source authors were threatened with legal action. It was not until 2011 that the first open-source implementation appeared, and in 2013, Security Innovation exempted open-source projects from having to get a patent license and released an NTRU reference implementation under the GPL v2. Implementations: * OpenSSH by default uses NTRU combined with the X25519 ECDH key exchange since August 2022, included in version 9.0. * The

-licensed reference implementation * A BSD-licensed library * bouncycastle * Lokinet was the first

onion router Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to the layers of an onion. The encrypted data is transmitted through a series of ...

implementing NTRU algorithm for its intraweb and End-2-End Encrypted events. * GoldBug Messenger was the first chat and E-mail client with NTRU algorithm under open-source license, which is based on the Spot-On Encryption Suite Kernels. * Additionally,

wolfSSL wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS (SSL 3.0, TLS 1.0, 1.1, 1.2, 1.3, and DTLS 1.0, 1.2, and 1.3) written in the C programming langu ...

provides support for NTRU cipher suites in a lightweight C implementation.

References

{{Reflist

External links

NTRU NIST submission

NTRU Prime NIST submission
Lattice-based cryptography Post-quantum cryptography 1996 introductions