Cryptographic Suite for Algebraic Lattices



Kyber is an IND-CCA2-secure key encapsulation mechanism (KEM), whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices. Kyber is one of the candidate algorithms submitted to the NIST post-quantum cryptography project. The submission lists three different parameter sets aiming at different security levels. Specifically, Kyber-512 aims at security roughly equivalent to AES-128, Kyber-768 aims at security roughly equivalent to AES-192, and Kyber-1024 aims at security roughly equivalent to AES-256.

For users who are interested in using Kyber, we recommend the following:

  • Use Kyber in a so-called hybrid mode in combination with established "pre-quantum" security; for example, in combination with elliptic-curve Diffie-Hellman.
  • We recommend using the Kyber-768 parameter set, which—according to a very conservative analysis—achieves more than 128 bits of security against all known classical and quantum attacks.

Scientific Background

The design of Kyber has its roots in the seminal LWE-based encryption scheme of Regev. Since Regev's original work, the practical efficiency of LWE encryption schemes has been improved by observing that the secret in LWE can come from the same distribution as the noise and also noticing that "LWE-like" schemes can be built by using a square (rather than a rectangular) matrix as the public key. Another improvement was applying an idea originally used in the NTRU cryptosystem to define the Ring-LWE and Module-LWE problems that used polynomial rings rather than integers. The CCA-secure KEM Kyber is built on top of a CPA-secure cryptosystem that is based on the hardness of Module-LWE.
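The two efficiency observations above (a square public matrix, and a secret drawn from the noise distribution) can be seen in a toy single-bit LWE encryption scheme. This is an added example, not Kyber and not the project's code; N, Q, ETA and all function names are assumptions chosen for illustration, and the parameters give no security.

```python
import random

# Toy parameters for illustration only (assumed here, not Kyber's).
N, Q, ETA = 16, 3329, 2

def small(rng):
    # Centered binomial sample in [-ETA, ETA]; used for secret AND noise.
    return sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(ETA))

def small_vec(rng):
    return [small(rng) for _ in range(N)]

def keygen(rng):
    # Square N x N uniform matrix as the public key's first component.
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small_vec(rng), small_vec(rng)  # secret drawn like the noise
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(N)]
    return (A, b), s

def encrypt(pk, bit, rng):
    A, b = pk
    r, e1, e2 = small_vec(rng), small_vec(rng), small(rng)
    # u = A^T r + e1, v = b.r + e2 + bit * floor(Q/2)
    u = [(sum(A[i][j] * r[i] for i in range(N)) + e1[j]) % Q for j in range(N)]
    v = (sum(b[i] * r[i] for i in range(N)) + e2 + bit * (Q // 2)) % Q
    return u, v

def decrypt(s, ct):
    u, v = ct
    # v - s.u = bit * floor(Q/2) + (e.r + e2 - s.e1); the A-terms cancel.
    d = (v - sum(s[j] * u[j] for j in range(N))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def noise_bound():
    # Worst case of |e.r + e2 - s.e1| with every coefficient at +-ETA.
    return 2 * N * ETA * ETA + ETA

def roundtrip(seed):
    # random.Random is NOT a CSPRNG; it is used so the demo is repeatable.
    rng = random.Random(seed)
    pk, s = keygen(rng)
    return [decrypt(s, encrypt(pk, bit, rng)) for bit in (0, 1, 1, 0)]

if __name__ == "__main__":
    print(roundtrip(1), "noise bound", noise_bound(), "< Q/4 =", Q // 4)
```

Decryption is always correct here because the worst-case noise stays below Q/4; real schemes choose parameters so that this holds except with negligible probability.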

Performance Overview

The table below gives an indication of the performance of Kyber. All benchmarks were obtained on one core of an Intel Core-i7 4770K (Haswell) CPU. We report benchmarks of two different implementations: a C reference implementation and an optimized implementation using AVX2 vector instructions.

Kyber-512

| Sizes (in bytes) | Haswell cycles (ref) | Haswell cycles (avx2) |
|---|---|---|
| sk: 1632 | gen: 141872 | gen: 55160 |
| pk: 736 | enc: 205468 | enc: 75680 |
| ct: 800 | dec: 246040 | dec: 74428 |

Kyber-768

| Sizes (in bytes) | Haswell cycles (ref) | Haswell cycles (avx2) |
|---|---|---|
| sk: 2400 | gen: 243004 | gen: 85472 |
| pk: 1088 | enc: 332616 | enc: 112660 |
| ct: 1152 | dec: 394424 | dec: 108904 |

Kyber-1024

| Sizes (in bytes) | Haswell cycles (ref) | Haswell cycles (avx2) |
|---|---|---|
| sk: 3168 | gen: 368564 | gen: 121056 |
| pk: 1440 | enc: 481042 | enc: 157964 |
| ct: 1504 | dec: 558740 | dec: 154952 |