NTRU Prime (sntrup761)
NTRU Prime is a lattice-based key encapsulation mechanism built to be deliberately conservative about algebraic structure: it works in a prime-degree number field with a large Galois group and an inert modulus, which strips out the extra ring structure that most efficient lattice schemes rely on. Its main parameter set, sntrup761, was paired with the classical X25519 key exchange to form sntrup761x25519-sha512@openssh.com, and OpenSSH made that hybrid its default key exchange method in release 9.0 on April 8, 2022, well ahead of the finalized NIST standards. That deployment is the reason a cyber pro is far more likely to meet NTRU Prime in a real SSH handshake than to meet most other post-quantum candidates. NTRU Prime is a cousin of classic NTRU and a distinct design from the module-lattice ML-KEM that NIST standardized.
Source: OpenSSH, “OpenSSH 9.0 release notes,” April 8, 2022, openssh.com/txt/release-9.0.
The short version:
- NTRU Prime is a lattice KEM whose design goal is to reduce the attack surface of lattice cryptography by removing the cyclotomic ring structure that most other lattice schemes use.
- It comes in two lines: Streamlined NTRU Prime (the “Quotient NTRU” form, whose main KEM is sntrup761) and NTRU LPRime (the “Product NTRU” form, ntrulpr761). Both share the same prime-degree field.
- sntrup761 is the parameter set the real world adopted. Its public key is 1,158 bytes and its ciphertext is 1,039 bytes, in the same size class as ML-KEM.
- OpenSSH shipped
sntrup761x25519-sha512@openssh.comas its default key exchange in release 9.0 (April 8, 2022), a hybrid of NTRU Prime and X25519, explicitly to blunt capture-now-decrypt-later attacks on recorded SSH sessions. - It resists Shor’s algorithm because its hardness is the geometry of a lattice, not the number-theoretic periodicity Shor exploits against RSA and elliptic-curve cryptography.
- NTRU Prime is not a NIST FIPS standard. It was a NIST third-round alternate, and NIST standardized the module-lattice ML-KEM for the KEM slot instead.
Picture a lock whose security comes from a maze cut into a metal disc. Most lattice schemes cut that maze into a very regular, repeating pattern, because a regular pattern is cheap to manufacture and fast to operate. NTRU Prime deliberately cuts an irregular maze with no repeating symmetry, accepting a little more manufacturing cost in exchange for giving a future attacker fewer patterns to grab onto. The extra structure that makes a lattice scheme fast is the same structure a cryptanalyst studies, so NTRU Prime’s bet is that less structure means fewer footholds.
What is NTRU Prime?
NTRU Prime is a project of lattice-based cryptographic designs whose stated purpose is to reduce the attack surface of lattice cryptography by switching away from cyclotomic rings. The submission team describes the attack picture in lattice cryptography as “extremely complicated,” and NTRU Prime’s response is to make proactive design choices that eliminate whole categories of that complication before an attacker can exploit them.
Three facts pin down its identity:
- Two constructions under one name. NTRU Prime ships two families. Streamlined NTRU Prime uses what the team calls “Quotient NTRU,” the same ratio-of-short-polynomials idea as classic NTRU, and its headline KEM is sntrup761. NTRU LPRime uses “Product NTRU” (the LPR construction, closer to LWE-style schemes), and its counterpart is ntrulpr761. The submission notes that the literature has not settled which of the two is easier for a security reviewer to trust, so it carries both.
- A prime-degree field. Both lines work in the field
(Z/q)[x]/(x^p − x − 1), where the degreepis prime, the modulusqis prime, and the polynomialx^p − x − 1is irreducible over that ring, so the ringR/qis an actual field with no nontrivial subfields. For sntrup761 the concrete choice isp = 761andq = 4591. - Provenance. NTRU Prime grew out of Daniel J. Bernstein and collaborators’ work, formalized in the design paper “NTRU Prime: reducing attack surface at low cost” (SAC 2017), and it entered the NIST post-quantum process as a submission.
Sources: NTRU Prime team, “NTRU Prime” project overview, ntruprime.cr.yp.to; NTRU Prime team, “NTRU Prime: round 3” specification (parameter set sntrup761, field (Z/q)[x]/(x^p − x − 1) with p = 761, q = 4591), ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf.
What does “no ring structure” actually mean here?
It means NTRU Prime picks its underlying algebra specifically so that the shortcuts a cryptanalyst uses against structured lattices have nothing to attach to. The efficient lattice schemes, including ML-KEM, get their speed and their small keys from working over a cyclotomic ring, which carries a lot of internal symmetry. That symmetry is convenient, and it is also exactly what several lines of lattice cryptanalysis have tried to exploit. NTRU Prime’s design paper makes the tradeoff explicit in its own title: “reducing attack surface at low cost.”
The submission spells out the three moves it makes to shrink that surface:
- A large Galois group instead of cyclotomics. Cyclotomic fields have small, richly structured Galois groups. NTRU Prime chooses a field whose Galois group is as large and unstructured as possible, which removes the automorphisms an attacker could use to fold the problem down.
- Rings instead of modules. Where module-lattice schemes stack several ring elements into a vector, NTRU Prime stays in a single ring, avoiding the module layer’s extra structure.
- A prime degree and an inert modulus. Choosing a prime degree
pwithx^p − x − 1irreducible means the ring moduloqis a field with no proper subfields, so there is no smaller field to project the problem into and attack there.
The submission is careful about how strong a claim this is. It notes that cyclotomics “have a lot of structure” and that “nobody has yet found a way” to turn that structure into a general break, so the choice is a hedge against future cryptanalysis rather than a response to a known attack. The whole point of the submission, in its own words, is that “the attack surface in lattice-based cryptography can be” reduced by these choices at a modest performance cost.
Source: NTRU Prime team, “NTRU Prime: round 3” specification, §“NTRU Prime” (large Galois group, prime degree, inert modulus, rings not modules; x^p − x − 1 irreducible so R/q is a field), ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf.
How is NTRU Prime different from classic NTRU?
NTRU Prime and classic NTRU share the same core idea, hiding two short secret polynomials inside their scrambled ratio, but NTRU Prime changes the field they live in specifically to remove structure. Classic NTRU works over a ring Z[x]/(x^N − 1), which factors in ways that give the scheme extra algebraic structure. NTRU Prime replaces that with the prime-degree field (Z/q)[x]/(x^p − x − 1), chosen so the ring is a field with no nontrivial subfields.
| Property | Classic NTRU | NTRU Prime (sntrup761) |
|---|---|---|
| Ring | Z[x]/(x^N − 1), composite structure | (Z/q)[x]/(x^p − x − 1), prime degree, field |
| Design goal | Compact, fast lattice encryption | The same, minus the extra algebraic structure |
| Galois group / symmetry | More structured | Large, deliberately unstructured |
| NIST outcome | Round 3 KEM finalist (merged NTRU), not selected | Round 3 alternate, not selected |
| Real-world footprint | Basis of FN-DSA (FALCON) lattices | OpenSSH default KEX (sntrup761x25519) from 9.0 |
Both are lattice families, and both resist Shor’s algorithm for the same reason. The distinction is that NTRU Prime treats the algebraic structure of the ring as a liability to minimize, while classic NTRU and the module-lattice schemes treat it as a resource to exploit for efficiency. That difference in philosophy is why NTRU Prime is the scheme conservative implementers reached for first.
Source: NTRU Prime team overview and design rationale, ntruprime.cr.yp.to.
Why did OpenSSH make sntrup761x25519 its default?
OpenSSH adopted the hybrid sntrup761x25519-sha512@openssh.com as its default key exchange in release 9.0 because it wanted post-quantum protection for SSH sessions immediately, and it wanted that protection without betting the connection on a young algorithm. The release note states it plainly: OpenSSH uses “the hybrid Streamlined NTRU Prime + x25519 key exchange method by default,” where “the NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future.”
Three things made this the sensible early choice:
- The threat is already live for recorded traffic. OpenSSH gave the reason directly: it made the change “ahead of cryptographically-relevant quantum computers” specifically “to prevent ‘capture now, decrypt later’ attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.” That is the harvest-now-decrypt-later problem, and SSH sessions to long-lived infrastructure are a high-value target for it.
- Hybrid means no regression. The construction combines NTRU Prime with X25519 so the shared secret is safe if either component holds. If NTRU Prime turned out to have a classical flaw, the proven X25519 layer would still protect the session, so adopting a young post-quantum scheme carried no downside against a classical attacker.
- NTRU Prime’s conservative structure fit the risk tolerance. For a default that would run on millions of servers, the scheme with the smallest algebraic attack surface was a natural pick over a faster but more structured alternative, and this predated the finalized NIST standards.
Source: OpenSSH, “OpenSSH 9.0 release notes,” April 8, 2022 (default hybrid Streamlined NTRU Prime + x25519, capture-now-decrypt-later rationale, X25519 as backstop), openssh.com/txt/release-9.0.
The practical read for an SSH estate is that any host running OpenSSH 9.0 or later has been negotiating a post-quantum-hybrid key exchange by default for years, often without operators noticing. That is the clearest real-world example of post-quantum key exchange already carrying live production traffic.
What are sntrup761’s sizes?
sntrup761 sits in the same size class as ML-KEM, which is what made it practical as a default SSH key exchange where the large keys of a scheme like Classic McEliece would be a non-starter. The byte counts come from the reference implementation.
| Parameter | sntrup761 value |
|---|---|
| Public key | 1,158 bytes |
| Ciphertext | 1,039 bytes |
| Secret key | 1,763 bytes |
| Shared secret | 32 bytes |
Field degree p | 761 (prime) |
Modulus q | 4,591 (prime) |
| Claimed NIST security level | Level 2 |
Source: Open Quantum Safe project, liboqs KEM datasheet, “NTRU-Prime,” reproducing the sntrup761 sizes from the NTRU Prime specification, openquantumsafe.org/liboqs/algorithms/kem/ntruprime.html; field parameters p = 761, q = 4591 from the NTRU Prime round-3 specification, ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf.
The comparison to Classic McEliece is the useful one. Both aim at conservative post-quantum key establishment, but Classic McEliece pays for its conservatism with a public key measured in hundreds of kilobytes to over a megabyte, while NTRU Prime keeps everything near a kilobyte. That is why NTRU Prime could go into a protocol that ships the public key on every handshake, and Classic McEliece could not.
Was NTRU Prime a NIST finalist?
No. In the third round of the NIST Post-Quantum Cryptography Standardization Process, NTRU Prime was named a third-round alternate, not one of the four KEM finalists. Classic NTRU (the merged submission) was a finalist, while NTRU Prime, the prime-ring variant built to reduce substructure, sat in the alternate tier. When NIST closed the round it selected CRYSTALS-KYBER, now ML-KEM, as the KEM to standardize, so neither NTRU nor NTRU Prime became the FIPS KEM.
Source: NIST, NIST IR 8413, Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process, July 2022 (NTRU Prime listed among third-round alternates; CRYSTALS-KYBER selected for the KEM standard).
So NTRU Prime’s standing is a slightly unusual one: it did not win the NIST contest, and it is not a FIPS standard, yet it has more live production deployment through OpenSSH than most of the schemes that outranked it in the process. Standardization status and deployment footprint are two different measures, and NTRU Prime scores differently on each.
Is NTRU Prime quantum-safe?
As far as current research shows, yes. NTRU Prime is a post-quantum design: its security rests on the hardness of finding short vectors in a lattice, which is a geometric problem, not the number-theoretic problem Shor’s algorithm solves.
- It resists Shor’s algorithm. Shor’s breaks RSA and elliptic-curve cryptography by turning factoring and the discrete logarithm into a period-finding problem a quantum computer solves quickly. A lattice’s shortest-vector problem has no such period to find, so Shor’s has nothing to hook into.
- Grover’s algorithm is only a bounded discount. Grover’s speeds up brute-force search quadratically, a real but limited effect, and NTRU Prime’s parameters are chosen with that speedup already priced in.
- The reduced structure is a hedge against classical advances too. The whole design premise is to minimize the algebraic footholds a future cryptanalyst, classical or quantum, could exploit, which is why the sizes are set conservatively rather than for maximum speed.
The honest open question is the same one that hangs over all lattice cryptography: whether some future advance in lattice reduction or structured-lattice cryptanalysis chips at the assumption. NTRU Prime’s answer is to give that future attacker as little structure to work with as the design can manage.
Source: quantum-resistance rationale for lattice KEMs, shared across the family, NIST FIPS 203, August 2024; NTRU Prime attack-surface-reduction rationale, ntruprime.cr.yp.to.
Common misconceptions
- “NTRU Prime is just NTRU with a new name.” They share the short-polynomial idea but not the field. NTRU Prime deliberately swaps the composite-structure ring of classic NTRU for a prime-degree field with no nontrivial subfields, specifically to reduce the algebraic attack surface.
- “NTRU Prime is a NIST standard because OpenSSH uses it.” It is not. NTRU Prime was a NIST third-round alternate, and NIST standardized ML-KEM for the KEM slot. OpenSSH’s adoption is a deployment decision, not a standardization one.
- “sntrup761x25519 is pure post-quantum crypto.” It is a hybrid: NTRU Prime for quantum resistance plus classical X25519 as a backstop, so the session is no weaker than X25519 alone even if NTRU Prime is later found flawed.
- “NTRU Prime has enormous keys like Classic McEliece.” It does not. sntrup761’s public key is about 1.2 KB, in the ML-KEM size class, which is exactly why it could serve as a per-handshake SSH key exchange.
- “Removing structure makes it insecure.” The opposite is the design intent. Less algebraic structure means fewer footholds for cryptanalysis, at the cost of some efficiency, which is the conservative tradeoff NTRU Prime is built around.
Questions people ask
What is NTRU Prime in simple terms? It is a lattice-based key encapsulation mechanism designed to be conservative about algebra: it works in a prime-degree field with no ring or module structure, so a future cryptanalyst has fewer patterns to exploit than in a typical structured-lattice scheme. Its sntrup761 parameter set is the one deployed in the real world.
Why was sntrup761x25519 the OpenSSH default? OpenSSH wanted post-quantum protection against harvest-now-decrypt-later attacks on recorded SSH sessions, and it wanted it without risking the connection on a young algorithm. Pairing NTRU Prime with classical X25519 gave quantum resistance plus a proven classical backstop, and OpenSSH made that hybrid its default key exchange in release 9.0 on April 8, 2022.
Is NTRU Prime the same as ML-KEM? No. Both are lattice-based, but ML-KEM is a module-lattice scheme built for efficiency over a structured ring, while NTRU Prime deliberately avoids that structure by using a prime-degree field. ML-KEM is the NIST FIPS standard; NTRU Prime is not.
Is NTRU Prime a NIST standard? No. It was a third-round alternate in the NIST process, and NIST selected ML-KEM for the KEM standard. NTRU Prime is carried forward through its own project and through deployments like OpenSSH rather than as a FIPS standard.
What is the difference between Streamlined NTRU Prime and NTRU LPRime? They are two constructions in the same field. Streamlined NTRU Prime (sntrup761) uses the “Quotient NTRU” ratio-of-polynomials design, and NTRU LPRime (ntrulpr761) uses the “Product NTRU” (LPR) design. Both share the prime-degree field; sntrup761 is the one OpenSSH deployed.
Is NTRU Prime quantum-safe? Yes, as far as current research shows. Its hardness is a lattice shortest-vector problem, which Shor’s algorithm does not solve, and Grover’s gives only a bounded search speedup that the parameters already absorb.
Do I need to migrate off sntrup761x25519? Not for quantum-safety reasons; it already includes a post-quantum layer. The consideration is standardization alignment: a program standardizing on the NIST FIPS suite may prefer ML-KEM-based hybrids for agility and compliance, but sntrup761x25519 is a legitimately quantum-hardened SSH key exchange in the meantime.
NTRU Prime is the reminder that “what got deployed” and “what got standardized” are not the same list. The most conservative lattice KEM has been quietly protecting SSH sessions since 2022 without a FIPS number to its name. Everything here is the map, given freely. When your team needs its SSH and key-exchange footprint mapped against the standardized algorithms and sequenced for migration, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.