Kyber


Kyber is a key encapsulation mechanism designed to be resistant to cryptanalytic attacks with future powerful quantum computers. It is used to establish a shared secret between two communicating parties without an attacker in the transmission system being able to decrypt it. This asymmetric cryptosystem uses a variant of the learning with errors lattice problem as its basic trapdoor function. It won the NIST competition for the first post-quantum cryptography standard. NIST calls its standard, numbered FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism.

Properties

The system is based on the module learning with errors problem, in conjunction with cyclotomic rings. Recently, there has also been a tight formal mathematical security reduction of the ring-LWE problem to MLWE. Compared to competing PQ methods, it has typical advantages of lattice-based methods, e.g. in regard to runtime as well as the size of the ciphertexts and the key material.
Variants with different security levels have been defined: Kyber512, Kyber768, and Kyber1024. At the Kyber768 level, the secret keys are 2400 bytes in size, the public keys 1184, and the ciphertexts 1088.
With an accordingly optimized implementation, 4 kilobytes of memory can be sufficient for the cryptographic operations. For a chat encryption scenario using liboqs, replacing the extremely efficient, non-quantum-safe ECDH key exchange using Curve25519 was found to increase runtime by a factor of about 2.3, an estimated 2.3-fold increase in energy consumption, and have about 70 times more data overhead. Internal hashing operations account for the majority of the runtime, which would thus potentially benefit greatly from corresponding hardware acceleration.

Development

Kyber is derived from a method published in 2005 by Oded Regev, developed by developers from Europe and North America, who are employed by various government universities or research institutions, or by private companies, with funding from the European Commission, Switzerland, the Netherlands, and Germany. They also developed the related and complementary signature scheme Dilithium, as another component of their "Cryptographic Suite for Algebraic Lattices". Like other PQC-KEM methods, Kyber makes extensive use of hashing internally. In Kyber's case, variants of Keccak are used here, to generate pseudorandom numbers, among other things. In 2017 the method was submitted to the US National Institute of Standards and Technology for its public selection process for a first standard for quantum-safe cryptographic primitives. It is the only key encapsulation mechanism that has been selected for standardization at the end of the third round of the NIST standardization process. According to a footnote the report announcing the decision, it is conditional on the execution of various patent-related agreements, with NTRU being a fallback option. Currently, a fourth round of the standardization process is underway, with the goal of standardizing an additional KEM. In the second phase of the selection process, several parameters of the algorithm were adjusted and the compression of the public keys was dropped. Most recently, NIST paid particular attention to costs in terms of runtime and complexity for implementations that mask runtimes in order to prevent corresponding side-channel attacks.

Evolution

Kyber underwent changes during the NIST standardization process. In particular, in the submission for round 2, the following features were changed:
  • public key compression removed ;
  • parameter q reduced to 3329 ;
  • ciphertext compression parameters changed;
  • number-theoretic transform definition changed along the lines of NTRU for faster polynomial multiplication;
  • noise parameter reduced to for faster noise sampling;
  • public key representation changed to NTT domain in order to save the NTT operations.
Submission to round 3 underwent further tweaks:
  • the use of Fujisaki–Okamoto transformation modified;
  • noise level increased and ciphertext compression reduced for the level 1 parameter set;
  • sampling algorithm improved.

    Usage

The developers have released a reference implementation into the public domain, which is written in C. The program library liboqs of the Open Quantum Safe project contains an implementation based on that. OQS also maintains a quantum-safe Provider module for OpenSSL 3.x, and has integrated its code into BoringSSL. The wolfSSL library additionally maintains its own implementation of ML-KEM. There are a handful of implementations using various other programming languages from third-party developers, including JavaScript and Java. Various optimized hardware implementations exist, including one that is resistant to side-channel attacks. The German Federal Office for Information Security is aiming for implementation in Thunderbird, and in this context also an implementation in the Botan program library and corresponding adjustments to the OpenPGP standard.
Amazon Web Services integrated Kyber into their in 2020 as a hybrid post-quantum key exchange option for TLS connections. In 2023, the encrypted messaging service Signal implemented PQXDH, a Kyber-based post-quantum encryption algorithm, to their Signal Protocol.

Implementations