The "Cryptographic Suite for Algebraic Lattices" (CRYSTALS) encompasses two cryptographic primitives: Kyber, an IND-CCA2-secure key-encapsulation mechanism (KEM); and Dilithium, a strongly EUF-CMA-secure digital signature algorithm. Both algorithms are based on hard problems over module lattices, are designed to withstand attacks by large quantum computers, and have been submitted to the NIST post-quantum cryptography project.
Module lattices can be thought of as lattices that lie between the ones used in the definitions of the LWE problem, and those used for the Ring-LWE problem. If the ring underlying the module has a sufficiently high degree (like 256), then these lattices inherit all the efficiency of the ones used in the Ring-LWE problem, and additionally have the following advantages, when used in our cryptographic algorithms:
- The only operations required for Kyber and
Dilithium for all security levels are variants of Keccak,
additions/multiplications in Zq for a fixed q,
and the NTT (number theoretic transform)
for the ring Zq[X]/(X256+1).
This means that increasing/decreasing the security level involves virtually no re-implementation of the schemes in software or hardware. Changing a few parameters is all that one needs to convert an optimized implementation for one security level into an optimized implementation for a different one.
- The lattices used in Kyber and Dilithium have less algebraic structure than those used for Ring-LWE and are closer to the unstructured lattices used in LWE. It is therefore conceivable that if algebraic attacks against Ring-LWE appear (there are none that we are aware of at this point), then they may be less effective against schemes like Kyber and Dilithium.
- 2017-12-30: CRYSTALS website is online
The design and implementation of Kyber and Dilithium have been supported by
- the European Commission through the ICT program under contract ICT-645622 (PQCRYPTO);
- the European Commission through the ICT program under contract ICT-644729 (SAFEcrypto);
- the Swiss National Science Foundation through the 2014 transfer ERC Starting Grant CRETP2-166734 (FELICITY);
- the Netherlands Organization for Scientific Research (NWO) through Veni grant 639.021.645 (Cryptanalysis of Lattice-based Cryptography);
- the European Commission through the ERC Starting Grant ERC-2013-StG-335086 (LATTAC).
Institutions involved in the design of Kyber and Dilithium:
- Roberto Avanzi, ARM Limited (DE)
- Joppe Bos, NXP Semiconductors (BE)
- Léo Ducas, CWI Amsterdam (NL)
- Eike Kiltz, Ruhr University Bochum (DE)
- Tancrède Lepoint, SRI International (US)
- Vadim Lyubashevsky, IBM Research Zurich (CH)
- John M. Schanck, University of Waterloo (CA)
- Peter Schwabe, Radboud University (NL)
- Gregor Seiler, IBM Research Zurich (CH)
- Damien Stehle, ENS Lyon (FR)