CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM

Abstract: Rapid advances in quantum computing, together with the announcement by the National Institute of Standards and Technology (NIST) to define new standards for digitalsignature, encryption, and key-establishment protocols, have created significant interest in post-quantum cryptographic schemes. This paper introduces Kyber (part of CRYSTALS-Cryptographic Suite for Algebraic Lattices-a package submitted to NIST post-quantum standardization effort in November 2017), a portfolio of post-quantum cryptographic primitiv… Show more

“…Using the above observation we can estimate a bound on the error probability: Similar to Bos et al [16], a tight upper bound on the value of δ is calculated using a Python script. To be able to practically compute the distribution of ∆v = v − v ∈ R p , Bos et al assume independence between the terms s s s T e e e and e e e T s s s, which is not necessarily the case.…”

“…Lattice based cryptography is one of the most promising candidates that are resilient to all known quantum attacks. Examples include NTRU based schemes [29,45,11] and protocols based on the (ring)-Learning With Errors (LWE) problem: Alkim et al [4] presented 'A New Hope', based on the ring-LWE problem; Bos et al [17] introduced an alternative scheme called 'Frodo' based solely on LWE, but suffers from higher bandwidth and computational complexity; Bhattacharya et al [12] improved upon the bandwidth of 'Frodo', by basing their protocol on LWR whilst still avoiding the use of rings; Bos et al [16] presented a CCA-secure Mod-LWE based key exchange called 'Kyber' which takes the middle road between 'Frodo' and 'a New Hope' by using modules. Concurrently to our work, Jin et al described a generic key exchange for Ring-LWE, Mod-LWE, LWE and LWR in [33], and Baan et al [8] described a LWR, Ring-LWR key exchange.…”

“…We propose the use of a combination of Toom-Cook and Karatsuba polynomial multiplication to mitigate this disadvantage. -Modules [36,16]: the module versions of the problems (see Section 2) allow to interpolate between the original pure LWE/LWR problems and their ring versions, lowering computational complexity and bandwidth compared to LWE/LWR, while introducing protection against attacks on the ring structure of Ring-LWE/LWR and flexibility to move to higher security levels without any need to change the underlying arithmetic.…”

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

“…Using the above observation we can estimate a bound on the error probability: Similar to Bos et al [16], a tight upper bound on the value of δ is calculated using a Python script. To be able to practically compute the distribution of ∆v = v − v ∈ R p , Bos et al assume independence between the terms s s s T e e e and e e e T s s s, which is not necessarily the case.…”

“…Lattice based cryptography is one of the most promising candidates that are resilient to all known quantum attacks. Examples include NTRU based schemes [29,45,11] and protocols based on the (ring)-Learning With Errors (LWE) problem: Alkim et al [4] presented 'A New Hope', based on the ring-LWE problem; Bos et al [17] introduced an alternative scheme called 'Frodo' based solely on LWE, but suffers from higher bandwidth and computational complexity; Bhattacharya et al [12] improved upon the bandwidth of 'Frodo', by basing their protocol on LWR whilst still avoiding the use of rings; Bos et al [16] presented a CCA-secure Mod-LWE based key exchange called 'Kyber' which takes the middle road between 'Frodo' and 'a New Hope' by using modules. Concurrently to our work, Jin et al described a generic key exchange for Ring-LWE, Mod-LWE, LWE and LWR in [33], and Baan et al [8] described a LWR, Ring-LWR key exchange.…”

“…We propose the use of a combination of Toom-Cook and Karatsuba polynomial multiplication to mitigate this disadvantage. -Modules [36,16]: the module versions of the problems (see Section 2) allow to interpolate between the original pure LWE/LWR problems and their ring versions, lowering computational complexity and bandwidth compared to LWE/LWR, while introducing protection against attacks on the ring structure of Ring-LWE/LWR and flexibility to move to higher security levels without any need to change the underlying arithmetic.…”

Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM

“…In June 2017, Bos-Ducas-Kiltz-Lepoint-Lyubashevsky-Schanck-SchwabeStehlé [28] announced 119652 cycles for encapsulation and 125736 cycles for decapsulation using a new public-key cryptosystem "Kyber". (Preliminary speeds announced in January 2017 [9] were slower.)…”

NTRU Prime: Reducing Attack Surface at Low Cost

“…Then, we present Kyber [1], a key encapsulation mechanism, and Dilithium [2], a digital signature, part of CRYSTALS-Cryptographic Suite for Algebraic Lattices-, a portfolio of cryptographic primitives based on the Module-LWE and Module-SIS hardness assumptions submitted to the NIST call for post-quantum standards.…”

Progress in Cryptology – INDOCRYPT 2017