Introduction
Kyber is an IND-CCA2-secure key encapsulation mechanism (KEM), whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices. Kyber is one of the candidate algorithms submitted to the NIST post-quantum cryptography project. The submission lists three different parameter sets aiming at different security levels. Specifically, Kyber-512 aims at security roughly equivalent to AES-128, Kyber-768 aims at security roughly equivalent to AES-192, and Kyber-1024 aims at security roughly equivalent to AES-256.
For users who are interested in using Kyber, we recommend the following:
- Use Kyber in a so-called hybrid mode, in combination with established "pre-quantum" security; for example, in combination with elliptic-curve Diffie-Hellman.
- Use the Kyber-768 parameter set, which—according to a very conservative analysis—achieves more than 128 bits of security against all known classical and quantum attacks.
Scientific Background
The design of Kyber has its roots in the seminal LWE-based encryption scheme of Regev. Since Regev's original work, the practical efficiency of LWE encryption schemes has been improved by observing that the secret in LWE can come from the same distribution as the noise, and by noticing that "LWE-like" schemes can be built using a square (rather than a rectangular) matrix as the public key. A further improvement applied an idea originally used in the NTRU cryptosystem to define the Ring-LWE and Module-LWE problems, which use polynomial rings rather than integers. The CCA-secure KEM Kyber is built on top of a CPA-secure cryptosystem that is based on the hardness of Module-LWE.
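The following toy implementation is an added illustration of the Module-LWE encryption scheme that Kyber's CPA-secure core follows (not the Kyber reference code). It uses Kyber-512's ring Z_3329[X]/(X^256 + 1) and module rank k = 2, so the message is 256 bits as in Kyber, but it substitutes a simple ternary sampler for Kyber's noise distribution and omits the NTT and ciphertext compression; those simplifications are assumptions made for readability.

```python
import random
N, Q, K = 256, 3329, 2   # Kyber-512 ring size, modulus and module rank; the ternary noise below is a toy stand-in

def poly_mul(a, b):  # multiply in Z_q[X]/(X^N + 1): wrapping past X^N flips the sign
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res

def poly_add(a, b, sign=1):  # coefficient-wise a + b (or a - b with sign=-1) mod q
    return [(x + sign * y) % Q for x, y in zip(a, b)]

def small_poly(rng):  # secret and noise are drawn from the same narrow (here ternary) distribution
    return [rng.choice((-1, 0, 1)) % Q for _ in range(N)]

def vec_dot(u, v):  # inner product of two length-K vectors of polynomials
    acc = [0] * N
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc

def keygen(rng):
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(K)] for _ in range(K)]  # square K x K public matrix
    s = [small_poly(rng) for _ in range(K)]
    e = [small_poly(rng) for _ in range(K)]
    t = [poly_add(vec_dot(A[i], s), e[i]) for i in range(K)]   # t = A s + e
    return (A, t), s

def encrypt(pk, bits, rng):
    A, t = pk
    r = [small_poly(rng) for _ in range(K)]
    e1, e2 = [small_poly(rng) for _ in range(K)], small_poly(rng)
    u = [poly_add(vec_dot([A[j][i] for j in range(K)], r), e1[i]) for i in range(K)]   # u = A^T r + e1
    m = [bit * ((Q + 1) // 2) for bit in bits]                   # each bit encoded as 0 or round(q/2)
    return u, poly_add(poly_add(vec_dot(t, r), e2), m)           # v = t^T r + e2 + m

def decrypt(sk, ct):
    u, v = ct
    w = poly_add(v, vec_dot(sk, u), sign=-1)   # v - s^T u = m + (e^T r + e2 - s^T e1); the noise term is small
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in w]   # closer to q/2 than to 0 -> bit 1

def roundtrip(seed, bits):  # keygen, encrypt, decrypt with a seeded RNG; returns the recovered bits
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return decrypt(sk, encrypt(pk, bits, rng))
```

With these parameters the decryption noise e^T r + e2 - s^T e1 has a standard deviation of roughly 20, far below the q/4 = 832 decision boundary, so decryption recovers every bit.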
Performance Overview
The table below gives an indication of the performance of Kyber. All benchmarks were obtained on one core of an Intel Core-i7 4770K (Haswell) CPU. We report benchmarks of two different implementations: a C reference implementation and an optimized implementation using AVX2 vector instructions.
Kyber-512

| Key/ciphertext | Size (bytes) | Operation | Haswell cycles (ref) | Haswell cycles (avx2) |
|---|---|---|---|---|
| sk | 1632 | gen | 141872 | 55160 |
| pk | 736 | enc | 205468 | 75680 |
| ct | 800 | dec | 246040 | 74428 |

Kyber-768

| Key/ciphertext | Size (bytes) | Operation | Haswell cycles (ref) | Haswell cycles (avx2) |
|---|---|---|---|---|
| sk | 2400 | gen | 243004 | 85472 |
| pk | 1088 | enc | 332616 | 112660 |
| ct | 1152 | dec | 394424 | 108904 |

Kyber-1024

| Key/ciphertext | Size (bytes) | Operation | Haswell cycles (ref) | Haswell cycles (avx2) |
|---|---|---|---|---|
| sk | 3168 | gen | 368564 | 121056 |
| pk | 1440 | enc | 481042 | 157964 |
| ct | 1504 | dec | 558740 | 154952 |