Kyber

Introduction
Kyber is an IND-CCA2-secure key encapsulation mechanism (KEM), whose security relies
on the hardness of solving the learning-with-errors (LWE) problem over module lattices.
Kyber is one of the finalists in the
NIST post-quantum cryptography project.
The submission lists three different parameter sets aiming at different security levels.
Specifically, Kyber-512 aims at security roughly equivalent to AES-128,
Kyber-768 aims at security roughly equivalent to AES-192, and
Kyber-1024 aims at security roughly equivalent to AES-256.
For users who are interested in using Kyber, we recommend the following:
- Use Kyber in a so-called hybrid mode in combination with established
"pre-quantum" security; for example in combination with elliptic-curve Diffie-Hellman.
- We recommend using the Kyber-768 parameter set,
which, according to a very conservative analysis, achieves
more than 128 bits of security against all known classical and quantum attacks.
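The hybrid mode recommended above needs a rule for turning two shared secrets into one session key. The following is an added example of such a combiner, not code from the Kyber project: it assumes the caller has already obtained the Kyber shared secret and ciphertext from a KEM library and the X25519 shared secret and ephemeral public key from an ECDH library. The 32-byte Kyber shared-secret length and the 32-byte X25519 sizes are facts about those specifications rather than values stated on this page; the 1088-byte Kyber-768 ciphertext size is taken from the table below; the `combine_hybrid` and `hkdf_*` names and the domain-separation label are this example's own choices, and the byte strings in `demo` are constructed placeholders.

```python
"""Hybrid key combiner for Kyber-768 + X25519 (added example, not Kyber's code).

Both shared secrets feed the extract step, so the derived key stays secret as
long as either component is unbroken; the public transcript (KEM ciphertext and
ephemeral ECDH public key) goes into the expand step, binding the key to this
particular exchange.
"""
import hashlib
import hmac

HASH = hashlib.sha256
KYBER_SS_LEN = 32          # Kyber's shared secret is 32 bytes (from the specification)
KYBER768_CT_LEN = 1088     # Kyber-768 ciphertext size (from the sizes table on this page)
X25519_LEN = 32            # X25519 shared secret and public key are 32 bytes


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def combine_hybrid(ss_kem, ct_kem, ss_ecdh, pk_ecdh_eph,
                   label=b"hybrid-kyber768-x25519", length=32):
    """Derive one session key from the Kyber and X25519 shared secrets.

    Length checks catch a truncated or mis-sized input before it silently
    weakens the derived key (a short or empty secret would still "work").
    """
    if len(ss_kem) != KYBER_SS_LEN or len(ct_kem) != KYBER768_CT_LEN:
        raise ValueError("unexpected Kyber-768 shared-secret or ciphertext length")
    if len(ss_ecdh) != X25519_LEN or len(pk_ecdh_eph) != X25519_LEN:
        raise ValueError("unexpected X25519 shared-secret or public-key length")
    prk = hkdf_extract(label, ss_kem + ss_ecdh)
    return hkdf_expand(prk, ct_kem + pk_ecdh_eph, length)


def demo(kem_byte=0x11, ecdh_byte=0x33):
    # Constructed placeholder values: in practice these come from the KEM and ECDH APIs.
    ss_kem = bytes([kem_byte] * KYBER_SS_LEN)
    ct_kem = bytes([0x22] * KYBER768_CT_LEN)
    ss_ecdh = bytes([ecdh_byte] * X25519_LEN)
    pk_eph = bytes([0x44] * X25519_LEN)
    return combine_hybrid(ss_kem, ct_kem, ss_ecdh, pk_eph)


if __name__ == "__main__":
    print(demo().hex())
```

The point of putting both secrets into the extract step, rather than XORing them or keeping only one, is that an attacker who later breaks either Kyber or the elliptic curve still cannot compute the session key without the other secret.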
Scientific Background
The design of Kyber has its roots in the seminal
LWE-based encryption scheme of Regev.
Since Regev's original work, the practical efficiency of LWE encryption schemes has been improved
by observing that the secret in LWE can come from the
same distribution
as the noise and also by noticing that "LWE-like" schemes
can be built by using a square (rather than a rectangular) matrix as the public key.
Another improvement was applying an idea originally used in the
NTRU cryptosystem
to define the Ring-LWE and Module-LWE
problems, which use polynomial rings rather than integers.
The CCA-secure KEM Kyber is built on top of a CPA-secure cryptosystem that is based on the hardness of Module-LWE.
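To make the ingredients above concrete (a square public matrix, a secret drawn from the same small distribution as the noise, and arithmetic in a polynomial ring), here is an added toy Module-LWE public-key encryption scheme. It is not Kyber's code and omits everything that makes Kyber practical and CCA-secure: no NTT, no ciphertext compression, no Fujisaki-Okamoto transform, no seed expansion. The ring dimension n = 256 and modulus q = 3329 are the values Kyber uses; the module rank k = 2, the centered-binomial parameter eta = 2, and all function names are this example's own choices.

```python
"""Toy Module-LWE encryption in the style of Kyber's CPA-secure core.

Added example, not the Kyber reference implementation. Ring R_q = Z_q[x]/(x^N + 1);
public key (A, t) with t = A*s + e, where A is a K x K matrix of ring elements and
s, e are drawn from the same small centered-binomial distribution.
"""
import secrets

N = 256      # polynomial degree (Kyber's value)
Q = 3329     # modulus (Kyber's value)
K = 2        # module rank: constructed choice for this toy
ETA = 2      # centered binomial parameter for secret and noise: constructed choice


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    """Schoolbook multiplication in Z_q[x]/(x^N + 1): the x^N term wraps to -1."""
    res = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    return [(res[i] - res[i + N]) % Q for i in range(N)]


def sample_uniform():
    return [secrets.randbelow(Q) for _ in range(N)]


def sample_cbd():
    """Centered binomial distribution: coefficients in [-ETA, ETA], same for secret and noise."""
    out = []
    for _ in range(N):
        bits = secrets.randbits(2 * ETA)
        ones_a = bin(bits & ((1 << ETA) - 1)).count("1")
        ones_b = bin(bits >> ETA).count("1")
        out.append((ones_a - ones_b) % Q)
    return out


def vec_add(u, v):
    return [poly_add(x, y) for x, y in zip(u, v)]


def mat_vec(A, v, transpose=False):
    """Matrix-vector product over R_q: A*v, or A^T*v when transpose is set."""
    out = []
    for i in range(K):
        acc = [0] * N
        for j in range(K):
            a_ij = A[j][i] if transpose else A[i][j]
            acc = poly_add(acc, poly_mul(a_ij, v[j]))
        out.append(acc)
    return out


def inner(u, v):
    """Inner product of two vectors of ring elements."""
    acc = [0] * N
    for x, y in zip(u, v):
        acc = poly_add(acc, poly_mul(x, y))
    return acc


def keygen():
    A = [[sample_uniform() for _ in range(K)] for _ in range(K)]   # square public matrix
    s = [sample_cbd() for _ in range(K)]                           # secret, small
    e = [sample_cbd() for _ in range(K)]                           # noise, same distribution
    t = vec_add(mat_vec(A, s), e)                                  # t = A*s + e
    return (A, t), s


def encrypt(pk, msg_bits):
    """Encrypt N message bits; bit b is encoded as b * round(q/2)."""
    A, t = pk
    r = [sample_cbd() for _ in range(K)]
    e1 = [sample_cbd() for _ in range(K)]
    e2 = sample_cbd()
    u = vec_add(mat_vec(A, r, transpose=True), e1)        # u = A^T*r + e1
    m_enc = [(bit * ((Q + 1) // 2)) % Q for bit in msg_bits]
    v = poly_add(poly_add(inner(t, r), e2), m_enc)        # v = <t, r> + e2 + encode(m)
    return u, v


def decrypt(sk, ct):
    """v - <s, u> = encode(m) + (e*r + e2 - s*e1); the noise is far below q/4, so round."""
    u, v = ct
    w = poly_sub(v, inner(sk, u))
    bits = []
    for c in w:
        c_centered = c if c <= Q // 2 else c - Q       # representative in (-q/2, q/2]
        bits.append(1 if abs(c_centered) > Q // 4 else 0)
    return bits


def roundtrip(msg_bits):
    """Fresh key pair, encrypt, decrypt; returns the recovered bits."""
    pk, sk = keygen()
    return decrypt(sk, encrypt(pk, msg_bits))
```

The decryption step shows why the secret may be small: the leftover term e*r + e2 - s*e1 is a sum of products of small coefficients, whose magnitude stays well under q/4, so rounding recovers every bit. Real Kyber adds compression of t, u and v, which introduces extra rounding noise that the parameter sets are tuned to tolerate.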
Customers of Kyber
Kyber is already being integrated into libraries and systems by industry. For example,
Efficiency Overview
The tables below give an indication of the performance of Kyber.
All benchmarks were obtained on one core of an Intel Core-i7 4770K (Haswell) CPU.
We report benchmarks of two different implementations: a C reference
implementation and an optimized implementation using AVX2 vector instructions.
For benchmarks on an ARM Cortex-M4 microcontroller, see the
benchmarks reported by the pqm4 project.
Kyber-512

| Sizes (in bytes) | | Haswell cycles (ref) | | Haswell cycles (avx2) | |
|---|---|---|---|---|---|
| sk | 1632 | gen | 122684 | gen | 33856 |
| pk | 800 | enc | 154524 | enc | 45200 |
| ct | 768 | dec | 187960 | dec | 34572 |

Kyber-768

| Sizes (in bytes) | | Haswell cycles (ref) | | Haswell cycles (avx2) | |
|---|---|---|---|---|---|
| sk | 2400 | gen | 199408 | gen | 52732 |
| pk | 1184 | enc | 235260 | enc | 67624 |
| ct | 1088 | dec | 274900 | dec | 53156 |

Kyber-1024

| Sizes (in bytes) | | Haswell cycles (ref) | | Haswell cycles (avx2) | |
|---|---|---|---|---|---|
| sk | 3168 | gen | 307148 | gen | 73544 |
| pk | 1568 | enc | 346648 | enc | 97324 |
| ct | 1568 | dec | 396584 | dec | 79128 |
As an update for round 2 of the NIST project we also proposed a variant of Kyber that is meant to showcase
the performance of Kyber when hardware support for the symmetric primitives is available.
This variant, called Kyber-90s, uses AES-256 in counter mode and SHA2 instead of SHAKE.
Kyber-512-90s

| Haswell cycles (ref) | | Haswell cycles (avx2) | |
|---|---|---|---|
| gen | 213156 | gen | 21880 |
| enc | 213156 | enc | 28592 |
| dec | 277612 | dec | 20980 |

Kyber-768-90s

| Haswell cycles (ref) | | Haswell cycles (avx2) | |
|---|---|---|---|
| gen | 389760 | gen | 30460 |
| enc | 432764 | enc | 40140 |
| dec | 473984 | dec | 30108 |

Kyber-1024-90s

| Haswell cycles (ref) | | Haswell cycles (avx2) | |
|---|---|---|---|
| gen | 636380 | gen | 43212 |
| enc | 672644 | enc | 56556 |
| dec | 724144 | dec | 44328 |