Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [kyber]

Kyber is a Key Encapsulation Mechanism (KEM) based on the Module Learning with Errors (MLWE) problem. It is an example of lattice-based cryptography and is part of the Crystals family together with the signature scheme Dilithium.

Kyber is a Key Encapsulation Mechanism (KEM) based on the Module Learning with Errors (MLWE) problem. It is an example of lattice-based cryptography and is part of the Crystals family together with the signature scheme Dilithium. It has been standardized and published as FIPS-203. It currently has three levels of parameterisation: Kyber512, Kyber 768 and Kyber1024 that are intended to meet the same levels of security as AES128, AES192 and AES256 respectively.

92 questions
17
votes
4 answers

Kyber and Dilithium explained to primary school students?

Kyber and Dilithium are post-quantum cryptographic designs, but the resources are hard to understand. Is it possible to explain those ciphers to children?
Flan1335
  • 381
  • 2
  • 6
13
votes
1 answer

Why did NIST select Kyber and Dilithium?

NIST selected Kyber for key agreement and Dilithium for digital signature applications some days ago. But IDF's MATZOV group, in their paper, broke Kyber and Dilithium and brought the security levels of these schemes below the thresholds defined by…
Daniel
  • 131
  • 1
  • 3
8
votes
0 answers

How are the constants found in the AVX2 implementation of CRYSTALS-KYBER round 2 generated?

The post-quantum lattice-based cryptosystem CRYSTALS-KYBER which has made it to the second round of NIST PQC includes two implementations: 1) a baseline reference implementation in C and 2) an optimized AVX2 implementation. The code repository can…
caesar
  • 315
  • 1
  • 7
6
votes
0 answers

How did Kyber's authors compute the error probability $\delta$?

I'm studying the specification of Kyber that was submitted to NIST PQC Round 3. However, I cannot figure out how they compute the error probability $\delta$ for Kyber 512, 768 and 1024. I have read the Kyber paper (written with respect to round 1),…
Shara
  • 181
  • 2
5
votes
1 answer

Why was the value of modulus (q) chosen small in KYBER and large in DILITHIUM?

In the KYBER key agreement algorithm, the mathematical condition dictates that $n|q-1$ and for the NTT implementation, the value of $q$ was chosen to be $3329$. In the DILITHIUM digital signature algorithm, the condition $2n|q-1$ must hold. However,…
R_Jalaei
  • 515
  • 2
  • 12
5
votes
1 answer

Attacks exploiting decryption failures in KYBER

I am going through the portion mentioned under the heading Original KYBER analysis inside Section 5.5 titled Attacks exploiting decryption failures. $${\sf Pr}[\|v\|> k\sigma \sqrt{m}]< k^m e^{\frac{m}{2}(1-k^2)} \hskip5em (1)$$ Equation $1$ is used…
Swaminathan V
  • 161
  • 8
5
votes
1 answer

Compare Saber and Kyber, about their techniques of message bit layout in encryption

I'd like to discuss message bit layout in the Saber and $KYBER$'s IND-CPA encryptions.(Details of these two schemes follows behind these question paragraphs). From my understanding, both Saber and $KYBER$ somehow place the secret message to the…
Sharon
  • 95
  • 9
4
votes
0 answers

Which parts of CRYSTALS-Kyber and CRYSTALS-Dilithium are compatible?

The papers CRYSTALS-Kyber and CRYSTALS-Dilithium both have been written by quite different authors. It seems that at least the key generation is very different from each other. CRYSTALS mainly seems to be a suite of algorithms based on the hardness…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
4
votes
2 answers

Weak public keys in Kyber kem

Given that public key security is very important in the Kyber KEM algorithm and if this is not observed, various attacks can be applied to the discovery of the Kyber key. The question is how to identify weak Kyber public keys (structurally, or In…
R_Jalaei
  • 515
  • 2
  • 12
4
votes
1 answer

How to Derive the Decapsulation Failure Rates for ML-KEM in PQC standards?

I am studying post-quantum key encapsulation mechanisms and came across the decapsulation failure rates for ML-KEM listed in Table 1 of a reference document(FIPS-203). The table specifies failure rates for different parameter sets as…
smith
  • 105
  • 2
4
votes
1 answer

How decryption failure reveals information about the secret key?

I have been studying the CRYSTALS-KYBER cryptosystem and came across the description of a Decryption Failure Attack in the paper. The specific part (Section 5.5 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf) that caught…
ABCD
  • 95
  • 4
4
votes
1 answer

High Hamming Weight Attack on Kyber

I was reading LAC (https://eprint.iacr.org/2018/1009.pdf). They mention about high-hamming weight attacks on the Centered Binomial Distribution (CBD). To counter this, they propose CBD with fixed hamming weight. To prevent high hamming weigh…
Swaminathan V
  • 161
  • 8
4
votes
1 answer

Implementation of centered binomial distribution in Kyber Key Encapsulation Mechanism?

In the implementation of centered binomial distribution of crystals-kyber, the authors load 24-bits of buffer to a 32 bit integer and then they and the answer with 0x00249249. The complete operations are below: t = load24_littleendian(buf+3*i) d =…
Muhammad Awais
  • 97
  • 4
4
votes
1 answer

Questions on difference distribution in Kyber

I have two elementary questions related to the special distribution $|x'-x \text{ mod}^{\pm} \, q| \leq B_q := \left\lceil \frac{q}{2^{d+1}} \right\rfloor$ in Kyber. The first question is about the paper and the second question is about a section in…
P_Gate
  • 453
  • 3
  • 9
4
votes
2 answers

Question on the proof of correctness in CRYSTALS-Kyber

I am currently trying to follow the proof of correctness in the CRYSTALS-Kyber paper. The following is an excerpt of the proof: On the one hand, I am interested in how exactly one justifies/argues that $\mathbf{y}$ is pseudorandom, based on the…
P_Gate
  • 453
  • 3
  • 9
1
2 3 4 5 6