| Title | CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM |
| Publication Type | Conference Paper |
| Year of Publication | 2018 |
| Authors | Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J. M., Schwabe, P., Seiler, G., Stehle, D. |
| Conference Name | 2018 IEEE European Symposium on Security and Privacy (EuroS P) |
| Date Published | apr |
| Keywords | authenticated-key-exchange schemes, black box encryption, CCA-secure KEM, CCA-secure module-lattice-based KEM, ciphertext sizes, composability, CPA-secure public-key encryption scheme, cryptographic protocols, CRYSTALS - Kyber, digital signature, Electronic mail, Encryption, key encapsulation, key sizes, key-encapsulation mechanism, key-establishment protocols, Lattices, learning with errors, Metrics, module lattices, post quantum cryptography, post-quantum cryptographic primitives, post-quantum cryptographic schemes, postquantum security, Protocols, pubcrawl, Public key, public key cryptography, quantum computing, quantum cryptography, quantum random oracle models, Resiliency |
| Abstract | Rapid advances in quantum computing, together with the announcement by the National Institute of Standards and Technology (NIST) to define new standards for digitalsignature, encryption, and key-establishment protocols, have created significant interest in post-quantum cryptographic schemes. This paper introduces Kyber (part of CRYSTALS - Cryptographic Suite for Algebraic Lattices - a package submitted to NIST post-quantum standardization effort in November 2017), a portfolio of post-quantum cryptographic primitives built around a key-encapsulation mechanism (KEM), based on hardness assumptions over module lattices. Our KEM is most naturally seen as a successor to the NEWHOPE KEM (Usenix 2016). In particular, the key and ciphertext sizes of our new construction are about half the size, the KEM offers CCA instead of only passive security, the security is based on a more general (and flexible) lattice problem, and our optimized implementation results in essentially the same running time as the aforementioned scheme. We first introduce a CPA-secure public-key encryption scheme, apply a variant of the Fujisaki-Okamoto transform to create a CCA-secure KEM, and eventually construct, in a black-box manner, CCA-secure encryption, key exchange, and authenticated-key-exchange schemes. The security of our primitives is based on the hardness of Module-LWE in the classical and quantum random oracle models, and our concrete parameters conservatively target more than 128 bits of postquantum security. |
| DOI | 10.1109/EuroSP.2018.00032 |
| Citation Key | bos_crystals_2018 |
CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM