CRYSTALS

Cryptographic Suite for Algebraic Lattices

CRYSTALS-Kyber

Introduction

Kyber is an IND-CCA2-secure key encapsulation mechanism (KEM), whose security is based on the hardness of solving the learning-with-errors (LWE) problem over module lattices. Kyber is one of the candidate algorithms submitted to the NIST post-quantum cryptography project. The submission lists three different parameter sets aiming at different security levels. Specifically, Kyber-512 aims at security roughly equivalent to AES-128, Kyber-768 aims at security roughly equivalent to AES-192, and Kyber-1024 aims at security roughly equivalent to AES-256.

For users who are interested in using Kyber, we recommend the following:

  • Use Kyber in a so-called hybrid mode in combination with established "pre-quantum" security; for example in combination with elliptic-curve Diffie-Hellman.
  • We recommend using the Kyber-768 parameter set, which—according to a very conservative analysis—achieves more than 128 bits of security against all known classical and quantum attacks.

Scientific Background

The design of Kyber has its roots in the seminal LWE-based encryption scheme of Regev. Since Regev's original work, the practical efficiency of LWE encryption schemes has been improved by observing that the secret in LWE can come from the same distribution as the noise and also noticing that "LWE-like" schemes can be built by using a square (rather than a rectangular) matrix as the public key. Another improvement was applying an idea originally used in the NTRU cryptosystem to define the Ring-LWE and Module-LWE problems that used polynomial rings rather than integers. The CCA-secure KEM Kyber is built on top of a CPA-secure cryptosystem that is based on the hardness of Module-LWE.

Performance Overview

The tables below gives an indication of the performance of Kyber. All benchmarks were obtained on one core of an Intel Core-i7 4770K (Haswell) CPU. We report benchmarks of two different implementations: a C reference implementation and an optimized implementation using AVX2 vector instructions.

Kyber-512
Sizes (in bytes) Haswell cycles (ref) Haswell cycles (avx2)
sk: 1632 gen: 118044 gen: 33428
pk: 800 enc: 161440 enc: 49184
ct: 736 dec: 190206 dec: 40564
Kyber-768
Sizes (in bytes) Haswell cycles (ref) Haswell cycles (avx2)
sk: 2400 gen: 217728 gen: 62396
pk: 1184 enc: 272254 enc: 83748
ct: 1088 dec: 315976 dec: 70304
Kyber-1024
Sizes (in bytes) Haswell cycles (ref) Haswell cycles (avx2)
sk: 3168 gen: 331418 gen: 88568
pk: 1568 enc: 396928 enc: 115952
ct: 1568 dec: 451096 dec: 99764

As an update for round 2 of the NIST project we also propose a variant of Kyber that is meant to showcase the performance of Kyber when hardware support for the symmetric primitives is available. This variant, called Kyber-90s, uses AES-256 in counter mode and SHA2 instead of SHAKE.

Kyber-512-90s
Haswell cycles (ref) Haswell cycles (avx2)
gen: 232368 gen: 20004
enc: 285336 enc: 30384
dec: 323452 dec: 24604
Kyber-768-90s
Haswell cycles (ref) Haswell cycles (avx2)
gen: 451018 gen: 30884
enc: 514088 enc: 45892
dec: 556972 dec: 37844
Kyber-1024
Haswell cycles (ref) Haswell cycles (avx2)
gen: 735382 gen: 44040
enc: 810398 enc: 64352
dec: 860272 dec: 54448