ROUND 3 OFFICIAL COMMENT: NTRU Prime

[D. J. Bernstein‏]

[This is an official comment regarding all of the lattice KEMs, but to
avoid repetition is being filed just once.]

The attached document "Risks of lattice KEMs" (also available from
https://ntruprime.cr.yp.to/warnings.html)

* surveys recent attack advances;

* classifies ongoing risks, fully defining the risk table shown in
https://ntruprime.cr.yp.to/warnings.html;

* reviews incorrect claims that proofs control these risks;

* analyzes performance, since performance issues can exacerbate
security risks; and

* compares the KEMs according to the official NISTPQC evaluation
criteria.

The document is authored by the NTRU Prime Risk-Management Team and is
hereby added to the NTRU Prime submission. The document has the
following abstract:

Lattice-based KEMs under consideration within the NIST Post-Quantum
Cryptography Standardization Project (NISTPQC) are much more risky
than commonly acknowledged. In applications where performance
constraints force the use of a lattice-based KEM, the least risky
option available is NTRU Prime, specifically Streamlined NTRU Prime
(sntrup) at the largest size that fits those performance constraints.

---Dan