Reference and AVX2 optimized implementations of NTRU KEM, accompanying the CHES2017 paper "High-speed key encapsulation from NTRU"
Switch branches/tags
Nothing to show
Clone or download
joostrijneveld Fix secret-dependent memory pattern in inversions
In the reference code, the distance with which coefficients
are rotated depends on secret input. To prevent leaking these
patterns, we now rotate by all power-of-two offsets, and use
cmov calls to compose the correct rotations.

This also addresses conditionals that may lead to branching
on some compilers.
Latest commit bbd42b3 Oct 16, 2018

High-speed key encapsulation from NTRU

This code package contains the source code that accompanies the paper "High-speed key encapsulation from NTRU". It contains a C reference implementation and an optimized AVX2 implementation, in the respective directories. When referring to this implementation, please refer to the original publication:

Andreas Hülsing, Joost Rijneveld, John Schanck, and Peter Schwabe. High-speed key encapsulation from NTRU. Cryptographic Hardware and Embedded Systems – CHES 2017, LNCS 10529, pp. 232-252, Springer, 2017.

Note that the source code differs slightly from the NTRU-HRSS-KEM scheme that was submitted to NIST's Post-Quantum Cryptography project in November 2017. For the updated scheme, refer to the repository for the NIST submission instead.