Hacker News
by buu700 2782 days ago
For Cyph[1], we went with SPHINCS[2] for signing and a combination of McEliece (specifically McBits[3]), NTRU[4], and SIDH[5] for public key encryption.

We also considered QcBits[6] as a more space-efficient alternative to McEliece, but it just seemed too new / not well understood for our tastes, and last I saw there was a recent attack on it that hadn't been mitigated yet. Definitely keeping an eye on it for the future though.

---

1: https://www.cyph.com/castle

2: https://sphincs.cr.yp.to

3: https://tungchou.github.io/mcbits

4: https://github.com/NTRUOpenSourceProject/ntru-crypto

5: https://github.com/Microsoft/PQCrypto-SIDH

6: https://tungchou.github.io/qcbits

1 comments

Note: there's a few dozen NTRU entries in the post quantum comp.
We're using the implementation I linked with parameter set EES743EP1.