OpenSSLNTRU integrates transparent post-quantum key exchange into applications that use the OpenSSL cryptographic library. At the protocol level, OpenSSLNTRU is a TLS 1.3 modification similar to the Google-Cloudflare CECPQ2 experiment, but OpenSSLNTRU provides performance advantages, security advantages, and software-engineering advantages:

• OpenSSLNTRU adds support for KEM in TLS 1.3 to OpenSSL, including also an optional reference implementation of a post-quantum KEM. A separate OpenSSL ENGINE, OpenSSLNTRU's new engntru, overrides the reference implementation with an optimized implementation. This decoupling shields OpenSSL from the fast-moving ecosystem of optimized post-quantum software.

• engntru, in turn, uses a simpler interface to call a separate library, OpenSSLNTRU's new libsntrup761, for the optimized implementation. This shields the optimized library developer from the OpenSSL interface details, and will allow the same optimized library to be reused for OpenSSL 3 and other cryptographic libraries.

• libsntrup761 sets new speed records for key generation in Quotient NTRU cryptosystems. This makes sntrup761, the main post-quantum component of OpenSSLNTRU, not just slightly smaller but also faster than ntruhrss701, the post-quantum component of CECPQ2, while providing higher Core-SVP security and removing concerns about cyclotomic structure.

The following table shows the performance details. All cycle counts are Haswell cycles, and the 156317 is the new key-generation speed.

	ntruhrss701	sntrup761
key+ciphertext traffic	2276 bytes	2197 bytes
keygen time	269191 cycles	156317 cycles
enc time	26510 cycles	46914 cycles
dec time	63375 cycles	56241 cycles
pre-quantum Core-SVP security	2^136	2^153
post-quantum Core-SVP security	2^125	2^139
cyclotomic concerns	yes	no

Our engntru also provides an optimized implementation for a second NTRU Prime parameters set, sntrup857, at an even higher Core-SVP security level. This implementation is backed by OpenSSLNTRU's new libsntrup857.

Software

In support of Open Science, we provide several free and open-source software (FOSS) contributions. Check the Demo page for detailed instructions about the following software.

• openssl-1.1.1f-ntru.patch
• openssl-1.1.1g-ntru.patch
• openssl-1.1.1k-ntru.patch
• openssl-1.1.1k-ntru-add_ref_sntrup761.patch
• openssl-1.1.1m-ntru.patch

• openssl-1.1.1m-ntru-add_ref_sntrup761.patch

• libsntrup761-20200415.tar.gz

• libsntrup761-20210608.tar.gz

• libsntrup857-20210608.tar.gz

• engntru-20200415.tar.gz

• engntru-20210608.tar.gz

• tls_timer-20210608.tar.gz

Contributors (alphabetical order)

• Daniel J. Bernstein, University of Illinois at Chicago, USA; Ruhr University Bochum, Germany
• Billy Bob Brumley, Tampere University, Finland
• Ming-Shing Chen, Ruhr University Bochum, Germany
• Nicola Tuveri, Tampere University, Finland

Acknowledgments

This work was supported by the Cisco University Research Program under the "Post-quantum networking" project.

This work was supported by the U.S. National Science Foundation under grant 1913167. "Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation."

This project has received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 804476).

---

Version: This is version 2021.12.14 of the "Intro" web page.