NTRU Prime

See the introduction regarding proactively minimizing the complexity of a thorough security review, and see the general warnings regarding lattice-based cryptography.

Script to compute various security estimates

See the warnings in the script regarding overestimates, potential overestimates, underestimates, and potential underestimates:

See also the "NTRU Prime: round 3" document for more detailed warnings.

The script computes 16 security estimates in the following 4 dimensions:

The estimates that assume free memory, ignore hybrid attacks, and ignore enumeration are often called "pre-quantum Core-SVP" and "post-quantum Core-SVP". Core-SVP is often incorrectly claimed to be a "conservative lower bound" on attack costs. NIST appears to rely on Core-SVP estimates. The Core-SVP estimates calculated by this script are typically 1 or 2 bits below Core-SVP estimates calculated by other available scripts, because this script carries out a somewhat more thorough search through attack parameters.

The following table shows pre-quantum Core-SVP for a selection of sizes for Streamlined NTRU Prime and NTRU LPRime. Post-quantum Core-SVP is about 10% below pre-quantum Core-SVP.

System Core-SVP ciphertext bytes public-key bytes
sntrup653 129 897 994
ntrulpr653 130 1025 897
sntrup761 153 1039 1158
ntrulpr761 155 1167 1039
sntrup857 175 1184 1322
ntrulpr857 176 1312 1184
sntrup953 196 1349 1505
ntrulpr953 197 1477 1349
sntrup1013 209 1455 1623
ntrulpr1013 210 1583 1455
sntrup1277 270 1847 2067
ntrulpr1277 271 1975 1847

Version: This is version 2020.10.31 of the "Security" web page.