name: NTRU
type: kem
principal-submitters:
- John M. Schanck
auxiliary-submitters:
- Cong Chen
- Oussama Danba
- Jeffrey Hoffstein
- Andreas Hülsing
- Joost Rijneveld
- Tsunekazu Saito
- Peter Schwabe
- William Whyte
- Keita Xagawa
- Takashi Yamakawa
- Zhenfei Zhang
crypto-assumption: NTRU in Z[x]/(q, x^n-1) with prime n and power-of-two q
website: https://ntru.org/
nist-round: 3
spec-version: NIST Round 3 submission
upstream-ancestors:
- https://github.com/jschanck/ntru/tree/a43a4457
parameter-sets:
- name: NTRU-HPS-2048-509
  claimed-nist-level: 1
  claimed-security: IND-CCA2
  length-public-key: 699
  length-ciphertext: 699
  length-secret-key: 935
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream-id: clean
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
  - upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
- name: NTRU-HPS-2048-677
  claimed-nist-level: 3
  claimed-security: IND-CCA2
  length-public-key: 930
  length-ciphertext: 930
  length-secret-key: 1234
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream-id: clean
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
  - upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
- name: NTRU-HPS-4096-821
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 1230
  length-ciphertext: 1230
  length-secret-key: 1590
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream-id: clean
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
  - upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
- name: NTRU-HPS-4096-1229
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 1842
  length-ciphertext: 1842
  length-secret-key: 2366
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream-id: clean
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
- name: NTRU-HRSS-701
  claimed-nist-level: 3
  claimed-security: IND-CCA2
  length-public-key: 1138
  length-ciphertext: 1138
  length-secret-key: 1450
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream-id: clean
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
  - upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
- name: NTRU-HRSS-1373
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 2401
  length-ciphertext: 2401
  length-secret-key: 2983
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream-id: clean
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
    upstream: primary-upstream
primary-upstream:
  spdx-license-identifier: CC0-1.0
  source: https://github.com/PQClean/PQClean/commit/4c9e5a3aa715cc8d1d0e377e4e6e682ebd7602d6