Kyber
Kyber is a key encapsulation mechanism (KEM) designed to be resistant to cryptanalytic attacks by future powerful quantum computers. It is used to establish a shared secret between two communicating parties without an (IND-CCA2) attacker in the transmission system being able to decrypt it. This asymmetric cryptosystem uses a variant of the learning with errors lattice problem as its basic trapdoor function. It won the NIST competition for the first post-quantum cryptography (PQ) standard. NIST calls its standard, numbered FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM).


Properties

The system is based on the module learning with errors (M-LWE) problem, in conjunction with cyclotomic rings. Recently, there has also been a tight formal mathematical security reduction of the ring-LWE problem to M-LWE. Compared to competing PQ methods, it has the typical advantages of lattice-based methods, e.g. in regard to runtime as well as the size of the ciphertexts and the key material. Variants with different security levels have been defined: Kyber512 (NIST security level 1, ≈ AES 128), Kyber768 (NIST security level 3, ≈ AES 192), and Kyber1024 (NIST security level 5, ≈ AES 256). At the Kyber768 level, the secret keys are 2400 bytes in size, the public keys 1184, and the ciphertexts 1088. With an accordingly optimized implementation, 4 kilobytes of memory can be sufficient for the cryptographic operations. For a chat encryption scenario using liboqs, replacing the extremely efficient, non-quantum-safe ECDH key exchange using Curve25519 was found to increase runtime by a factor of about 2.3 (1.5–7), to increase energy consumption by an estimated 2.3-fold (1.4–3.1), and to add about 70 times (48–92) more data overhead. Internal hashing operations account for the majority of the runtime, which would thus potentially benefit greatly from corresponding hardware acceleration.
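The byte counts quoted above for Kyber768 follow directly from the parameter set. As an added example (not the article's text and not the Kyber project's code), the following Python derives the public-key, secret-key and ciphertext sizes of all three parameter sets from their (k, d_u, d_v) values; those values and the encoding rules are taken from the Kyber specification and FIPS 203, not from this page, and the helper names are this example's own.

```python
# Added example: where Kyber's key and ciphertext bytes come from.
# n = 256 and q = 3329 are shared by all parameter sets; (k, du, dv)
# are the per-level values from the Kyber specification / FIPS 203.

N = 256          # coefficients per polynomial
Q = 3329         # modulus (Kyber v2 value, reduced from 7681)
Q_BITS = 12      # bits per coefficient of an uncompressed (NTT-domain) polynomial
SEED_BYTES = 32  # public seed for the matrix A; also the size of H(pk) and of the rejection value z

# Constructed lookup table (values are the specification's, names are ours).
PARAMETER_SETS = {
    "Kyber512":  {"k": 2, "du": 10, "dv": 4, "nist_level": 1},
    "Kyber768":  {"k": 3, "du": 10, "dv": 4, "nist_level": 3},
    "Kyber1024": {"k": 4, "du": 11, "dv": 5, "nist_level": 5},
}


def poly_bytes(bits_per_coeff):
    """Bytes needed to pack one degree-255 polynomial at the given bit width."""
    return N * bits_per_coeff // 8


def public_key_bytes(k):
    # k uncompressed polynomials (the vector t, stored in the NTT domain)
    # plus the 32-byte seed from which the matrix A is expanded.
    return k * poly_bytes(Q_BITS) + SEED_BYTES


def secret_key_bytes(k):
    # Secret vector s (k polynomials), a copy of the public key, the hash H(pk),
    # and the 32-byte value z used for implicit rejection in the FO transform.
    return k * poly_bytes(Q_BITS) + public_key_bytes(k) + SEED_BYTES + SEED_BYTES


def ciphertext_bytes(k, du, dv):
    # u: k polynomials compressed to du bits per coefficient;
    # v: one polynomial compressed to dv bits per coefficient.
    return k * poly_bytes(du) + poly_bytes(dv)


def sizes(name):
    """Return the public-key, secret-key and ciphertext sizes (bytes) of a named parameter set."""
    p = PARAMETER_SETS[name]
    return {
        "pk": public_key_bytes(p["k"]),
        "sk": secret_key_bytes(p["k"]),
        "ct": ciphertext_bytes(p["k"], p["du"], p["dv"]),
    }


if __name__ == "__main__":
    for name in PARAMETER_SETS:
        print(name, sizes(name))
```

The secret-key figure shows why Kyber's secret key is larger than its public key: the FO transform needs the public key, its hash and the rejection value at decapsulation time, so the reference encoding stores them inside the secret key.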


Development

Kyber is derived from a method published in 2005 by Oded Regev. It was developed by researchers from Europe and North America who are employed by various government universities or research institutions, or by private companies, with funding from the European Commission, Switzerland, the Netherlands, and Germany.
They also developed the related and complementary signature scheme ''Dilithium'', as another component of their "Cryptographic Suite for Algebraic Lattices" (CRYSTALS). Like other PQC-KEM methods, Kyber makes extensive use of cryptographic hashing internally. In Kyber's case, variants of Keccak (SHA-3/SHAKE) are used, among other things, to generate pseudorandom numbers. In 2017 the method was submitted to the US National Institute of Standards and Technology (NIST) for its public selection process for a first standard for quantum-safe cryptographic primitives (NISTPQC). It is the only key encapsulation mechanism that was selected for standardization at the end of the third round of the NIST standardization process. According to a footnote in the report announcing the decision, the selection is conditional on the execution of various patent-related agreements, with NTRU being a fallback option. Currently, a fourth round of the standardization process is underway, with the goal of standardizing an additional KEM. In the second phase of the selection process, several parameters of the algorithm were adjusted and the compression of the public keys was dropped. Most recently, NIST paid particular attention to costs in terms of runtime and complexity for implementations that mask runtimes in order to prevent corresponding side-channel attacks (SCA).


Evolution

Kyber underwent changes during the NIST standardization process. In particular, in the submission for round 2 (so-called ''Kyber v2''), the following features were changed (Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé: CRYSTALS–Kyber, Round 2 presentation, August 23, 2019):
* public key compression removed (due to NIST comments on the security proof);
* parameter ''q'' reduced to 3329 (from 7681);
* ciphertext compression parameters changed;
* number-theoretic transform (NTT) definition changed along the lines of NTTRU for faster polynomial multiplication;
* noise parameter reduced to for faster noise sampling;
* public key representation changed to the NTT domain in order to save the NTT operations.
The submission to round 3 underwent further tweaks (Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé: CRYSTALS–Kyber, Round 3 presentation, June 9, 2021):
* the use of the Fujisaki–Okamoto transformation (FO transform) modified;
* noise level increased and ciphertext compression reduced for the level 1 parameter set;
* sampling algorithm improved.
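To make the round-2 modulus and NTT changes concrete, here is an added Python example (not code from the Kyber submission, the reference implementation or FIPS 203) of the Kyber number-theoretic transform over Z_3329[x]/(x^256 + 1), using the specification's root of unity ζ = 17 and its bit-reversed twiddle order. A schoolbook negacyclic product serves as an independent check that multiplying in the NTT domain gives the same polynomial; the helper names and the seeded random test polynomials are this example's own.

```python
# Added example: the Kyber NTT (q = 3329, n = 256, zeta = 17) and its inverse,
# written the way the specification describes them, plus pointwise
# multiplication in the NTT domain and a schoolbook reference product.
import random

Q = 3329    # Kyber v2 modulus (round 2 reduced it from 7681)
N = 256
ZETA = 17   # primitive 256th root of unity modulo 3329, so zeta^128 = -1


def bitrev7(k):
    """Reverse the 7 bits of k (0 <= k < 128); fixes the twiddle-factor order."""
    return int(f"{k:07b}"[::-1], 2)


def ntt(f):
    """Forward NTT: 7 layers of Cooley-Tukey butterflies.

    Because only 256th roots of unity exist mod 3329, x^256 + 1 splits into 128
    quadratic factors x^2 - zeta^(2*bitrev7(i)+1), not into linear ones.
    """
    f = list(f)
    k = 1
    length = 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), Q)
            k += 1
            for j in range(start, start + length):
                t = zeta * f[j + length] % Q
                f[j + length] = (f[j] - t) % Q
                f[j] = (f[j] + t) % Q
        length //= 2
    return f


def ntt_inv(f_hat):
    """Inverse NTT: Gentleman-Sande butterflies in reverse order, then scale by 128^-1."""
    f = list(f_hat)
    k = 127
    length = 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), Q)
            k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = zeta * (f[j + length] - t) % Q
        length *= 2
    inv128 = pow(128, -1, Q)  # 3303
    return [x * inv128 % Q for x in f]


def multiply_ntts(f_hat, g_hat):
    """Product in the NTT domain: 128 degree-1 products modulo x^2 - gamma_i."""
    h = [0] * N
    for i in range(128):
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        a0, a1 = f_hat[2 * i], f_hat[2 * i + 1]
        b0, b1 = g_hat[2 * i], g_hat[2 * i + 1]
        h[2 * i] = (a0 * b0 + a1 * b1 * gamma) % Q   # x^2 = gamma in this factor
        h[2 * i + 1] = (a0 * b1 + a1 * b0) % Q
    return h


def schoolbook_mul(f, g):
    """Reference O(n^2) product in Z_q[x]/(x^256 + 1), used only to verify the NTT path."""
    h = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                h[i + j] = (h[i + j] + fi * gj) % Q
            else:
                h[i + j - N] = (h[i + j - N] - fi * gj) % Q  # x^256 = -1
    return h


def ntt_mul(f, g):
    """Multiply two polynomials via the NTT: transform, pointwise multiply, invert."""
    return ntt_inv(multiply_ntts(ntt(f), ntt(g)))


def random_poly(rng):
    return [rng.randrange(Q) for _ in range(N)]


def check(seed=0):
    """True when ntt_inv inverts ntt and the NTT product matches the schoolbook product."""
    rng = random.Random(seed)   # constructed test input, seeded for repeatability
    f, g = random_poly(rng), random_poly(rng)
    return ntt_inv(ntt(f)) == f and ntt_mul(f, g) == schoolbook_mul(f, g)


if __name__ == "__main__":
    print("NTT multiplication agrees with schoolbook:", check())
```

Keeping public keys in the NTT domain (the last round-2 bullet) means the matrix-vector products in key generation, encapsulation and decapsulation can call multiply_ntts directly and skip the forward transform of the public key on every use.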


Usage

The developers have released a reference implementation into the public domain (or under CC0), which is written in C. The program library ''liboqs'' of the Open Quantum Safe (OQS) project contains an implementation based on it. OQS also maintains a quantum-safe provider module for OpenSSL 3.x, and has integrated its code into BoringSSL and wolfSSL. There are a handful of implementations in various other programming languages from third-party developers, including JavaScript and Java. Various (free) optimized hardware implementations exist, including one that is resistant to side-channel attacks. The German Federal Office for Information Security (BSI) is aiming for an implementation in Thunderbird, and in this context also an implementation in the Botan program library and corresponding adjustments to the OpenPGP standard.
Amazon Web Services (AWS) integrated Kyber into its Key Management Service (KMS) in 2020 as a hybrid post-quantum key exchange option for TLS connections. In 2023, the encrypted messaging service Signal implemented PQXDH, a Kyber-based post-quantum encryption algorithm, in its Signal Protocol.


Implementations

* wolfSSL
* libOQS
* IAIK-JCE


External links

* original method by
* FIPS 203 "Module-Lattice-Based Key-Encapsulation Mechanism Standard"