Wikipedia

Kyber

Kyber is a key encapsulation mechanism (KEM) designed to be resistant to cryptanalytic attacks by future powerful quantum computers. It is used to establish a shared secret between two communicating parties without an attacker on the transmission channel, even one with adaptive chosen-ciphertext (IND-CCA2) capabilities, being able to recover it. This asymmetric cryptosystem uses a variant of the learning with errors lattice problem as its basic trapdoor function. It won the NIST competition for the first post-quantum cryptography (PQ) standard.[1]

Properties

The system is based on the module learning with errors (M-LWE) problem, in conjunction with cyclotomic rings.[2] Recently, there has also been a tight formal mathematical security reduction of the ring-LWE problem to MLWE.[3][4] Compared to competing PQ methods, it has the typical advantages of lattice-based methods, e.g. with regard to runtime as well as the size of the ciphertexts and the key material.[5] Variants with different security levels have been defined: Kyber512 (NIST security level 1, ≈AES 128), Kyber768 (NIST security level 3, ≈AES 192), and Kyber1024 (NIST security level 5, ≈AES 256).[6] At a security level of 161 bits, the secret keys are 2400 bytes, the public keys 1184 bytes, and the ciphertexts 1088 bytes in size.[7][8] With an accordingly optimized implementation, 4 kilobytes of memory can be sufficient for the cryptographic operations.[9] For a chat encryption scenario using liboqs, replacing the extremely efficient, non-quantum-safe ECDH key exchange using Curve25519 was found to increase runtime by a factor of about 2.3 (1.5–7), to cause an estimated 2.3-fold (1.4–3.1) increase in energy consumption, and to have about 70 times (48–92) more data overhead.[10] Internal hashing operations account for the majority of the runtime, which would thus potentially benefit greatly from corresponding hardware acceleration.
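As an added example (not from the article or the Kyber project), the following derives the byte sizes quoted above from each parameter set's module rank k and ciphertext compression widths d_u and d_v; those per-variant values are taken from the round-3 Kyber specification and are not stated on this page, and the helper names are my own.

```python
# Added example (not from the article): derive Kyber public key, secret key and
# ciphertext sizes from the round-3 parameter sets. The values of k, du and dv
# come from the Kyber specification, not from the article text.
N = 256    # polynomial degree, shared by all variants
SEED = 32  # bytes: seed rho in pk; H(pk) and rejection value z in sk

# k = module rank, du/dv = bits per coefficient after ciphertext compression
PARAMS = {
    "Kyber512":  {"k": 2, "du": 10, "dv": 4},
    "Kyber768":  {"k": 3, "du": 10, "dv": 4},
    "Kyber1024": {"k": 4, "du": 11, "dv": 5},
}

def poly_bytes(coeff_bits, count=1):
    """Bytes needed to pack `count` polynomials of N coefficients at coeff_bits each."""
    return count * N * coeff_bits // 8

def sizes(name):
    """Return the pk/sk/ct sizes in bytes for one parameter set."""
    p = PARAMS[name]
    # Public key: vector t (k polynomials) at 12 bits per coefficient, because
    # public-key compression was dropped in round 2, plus the 32-byte seed rho.
    pk = poly_bytes(12, p["k"]) + SEED
    # CCA secret key: secret vector s at 12 bits per coefficient, a copy of pk,
    # H(pk) and the implicit-rejection secret z (32 bytes each).
    sk = poly_bytes(12, p["k"]) + pk + SEED + SEED
    # Ciphertext: u (k polynomials) compressed to du bits, v (one) to dv bits.
    ct = poly_bytes(p["du"], p["k"]) + poly_bytes(p["dv"], 1)
    return {"pk": pk, "sk": sk, "ct": ct}

if __name__ == "__main__":
    for name in PARAMS:
        print(name, sizes(name))
```

Running it reproduces the 1184/2400/1088-byte figures for Kyber768 and shows how the other two variants scale with k.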

Development

Kyber builds on a method published in 2005 by Oded Regev and was developed by a team of researchers from Europe and North America employed by various government universities or research institutions, or by private companies, with funding from the European Commission, Switzerland, the Netherlands, and Germany.[11] They also developed the related and complementary signature scheme Dilithium, as another component of their "Cryptographic Suite for Algebraic Lattices" (CRYSTALS). Like other PQC-KEM methods, Kyber makes extensive use of hashing internally. In Kyber's case, variants of Keccak (SHA-3/SHAKE) are used, among other things, to generate pseudorandom values.[9] In 2017 the method was submitted to the US National Institute of Standards and Technology (NIST) for its public selection process for a first standard for quantum-safe cryptographic primitives (NISTPQC). It is the only key encapsulation mechanism that was selected for standardization at the end of the third round of the NIST standardization process.[3] According to a footnote in the report announcing the decision, the selection is conditional on the execution of various patent-related agreements, with NTRU as a fallback option. Currently, a fourth round of the standardization process is underway, with the goal of standardizing an additional KEM. In the second phase of the selection process, several parameters of the algorithm were adjusted and the compression of the public keys was dropped.[9] Most recently, NIST paid particular attention to the runtime and complexity costs of implementations hardened (e.g. by masking) against side-channel attacks (SCA).[3]

Evolution

During the NIST standardization process, Kyber has undergone changes. In particular, in the submission for round 2 (the so-called Kyber v2), the following features were changed:[12]

  • public key compression removed (due to NIST comments on the security proof);
  • parameter q reduced to 3329 (from 7681);
  • ciphertext compression parameters changed;
  • number-theoretic transform (NTT) definition changed along the lines of NTTRU for faster polynomial multiplication;
  • noise parameter reduced to η = 2 for faster noise sampling;
  • public key representation is changed to NTT domain in order to save the NTT operations.
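Added example, not code from the article or the Kyber reference implementation: it checks why the new modulus q = 3329 still admits an NTT over X^256 + 1 (only down to degree-2 factors, whereas 7681 allows linear factors) and implements the CBD_η sampler as defined in the Kyber specification, which shows why η = 2 makes noise sampling cheap. Function and variable names are my own.

```python
# Added example, not from the article or the Kyber reference implementation.
# (1) factor_degree: how far an NTT can split Z_q[X]/(X^256 + 1). Splitting into
#     linear factors needs a primitive 512-th root of unity (512 | q - 1); with
#     q = 3329 only 256-th roots exist, so the round-2 NTT stops at degree-2
#     factors and the last multiplication level works on pairs, as in NTTRU.
# (2) cbd: the centered binomial sampler CBD_eta from the Kyber specification;
#     with eta = 2 one coefficient costs only 4 random bits.
from collections import Counter
from itertools import product

N = 256  # polynomial degree in every Kyber parameter set

def two_adic_valuation(m):
    """Largest e such that 2**e divides m."""
    e = 0
    while m % 2 == 0:
        m //= 2
        e += 1
    return e

def factor_degree(q, n=N):
    """Degree of the smallest factors an NTT modulo q can reach for X^n + 1."""
    # A primitive 2^v-th root of unity exists mod prime q, v = v2(q - 1);
    # X^n + 1 then splits into factors of degree 2n / 2^v (never below 1).
    return max(1, (2 * n) >> two_adic_valuation(q - 1))

def primitive_root(q, order):
    """Smallest g whose multiplicative order mod q is exactly `order` (a power of two)."""
    for g in range(2, q):
        if pow(g, order // 2, q) == q - 1:  # g^(order/2) = -1 fixes the order
            return g
    raise ValueError("no element of that order")

def cbd(eta, random_bytes):
    """CBD_eta: turn 64*eta random bytes into N coefficients in [-eta, eta]."""
    assert len(random_bytes) == 64 * eta
    bits = int.from_bytes(random_bytes, "little")  # bit i == BytesToBits(B)[i]
    coeffs = []
    for i in range(N):
        base = 2 * i * eta
        a = sum((bits >> (base + j)) & 1 for j in range(eta))
        b = sum((bits >> (base + eta + j)) & 1 for j in range(eta))
        coeffs.append(a - b)
    return coeffs

def cbd_distribution(eta):
    """Exact mass of one CBD_eta coefficient as counts over all 2^(2*eta) bit patterns."""
    counts = Counter()
    for pattern in product((0, 1), repeat=2 * eta):
        counts[sum(pattern[:eta]) - sum(pattern[eta:])] += 1
    return dict(counts)

if __name__ == "__main__":
    for q in (7681, 3329):
        v = two_adic_valuation(q - 1)
        print(q, "smallest factor degree", factor_degree(q),
              "primitive 2^%d-th root" % v, primitive_root(q, 2 ** v))
    print("CBD_2 mass over 16 patterns:", cbd_distribution(2))
    print("CBD_3 mass over 64 patterns:", cbd_distribution(3))
```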

Submission to round 3 underwent further tweaks:[13]

  • the use of Fujisaki-Okamoto transformation (FO transform) modified;
  • noise level increased and ciphertext compression reduced for the level 1 parameter set;
  • sampling algorithm improved.

Usage

The developers have released a reference implementation into the public domain (or under CC0), which is written in C.[14] The program library liboqs of the Open Quantum Safe (OQS) project contains an implementation based on it.[15][10] OQS also maintains a quantum-safe development branch of OpenSSL,[16] has integrated it into BoringSSL, and its code has also been integrated into WolfSSL.[17] There are a handful of implementations in various other programming languages from third-party developers, including JavaScript and Java.[18][19][20] Various (free) optimized hardware implementations exist, including one that is resistant to side-channel attacks.[21][22] The German Federal Office for Information Security is aiming for an implementation in Thunderbird, and in this context also an implementation in the Botan program library and corresponding adjustments to the OpenPGP standard.[23] In 2023, the encrypted messaging service Signal added PQXDH, a Kyber-based post-quantum key agreement, to its Signal Protocol, which is also used by WhatsApp and others.[24][25]

References

  1. ^ Moody, Dustin (2022). "Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process" (PDF). Gaithersburg, MD: NIST IR 8413. doi:10.6028/nist.ir.8413. S2CID 247903639.
  2. ^ What was NIST thinking? (PDF file)
  3. ^ a b c Status Report on the Second Round of the NIST PQC Standardization Process (PDF file)
  4. ^ Chris Peikert, Zachary Pepin (2019), "Algebraically Structured LWE, Revisited" (PDF), Theory of Cryptography, Lecture Notes in Computer Science (in German), Cham: Springer International Publishing, vol. 11891, pp. 1–23, doi:10.1007/978-3-030-36030-6_1, ISBN 978-3-030-36029-0, S2CID 199455447
  5. ^ Lattice-based cryptography and SABER – Andrea Basso (PDF; 2,0 MB)
  6. ^ Overview of NIST Round 3 Post-Quantum cryptography Candidates (PDF; 157 kB)
  7. ^ Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé (2018), "CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM", 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, IEEE, pp. 353–367, doi:10.1109/EuroSP.2018.00032, ISBN 978-1-5386-4228-3, S2CID 20449721
  8. ^ https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
  9. ^ a b c Leon Botros, Matthias J. Kannwischer, Peter Schwabe (2019), "Memory-Efficient High-Speed Implementation of Kyber on Cortex-M4" (PDF), Progress in Cryptology – AFRICACRYPT 2019, Lecture Notes in Computer Science (in German), Cham: Springer International Publishing, vol. 11627, pp. 209–228, doi:10.1007/978-3-030-23696-0_11, ISBN 978-3-030-23696-0, S2CID 174775508
  10. ^ a b Ines Duits (2019-02-05), University of Twente (ed.), The Post-Quantum Signal Protocol: Secure Chat in a Quantum World (PDF) (in German)
  11. ^ https://pq-crystals.org/
  12. ^ Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS–Kyber (Round 2 presentation) August 23, 2019.
  13. ^ Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, Damien Stehlé. CRYSTALS–Kyber (Round 3 presentation) June 9, 2021.
  14. ^ Kyber/LICENSE at master · pq-crystals/kyber · GitHub
  15. ^ "Kyber – Open Quantum Safe". Archived from the original on 2021-04-20. Retrieved 2022-01-13.
  16. ^ "Post-Quantum TLS". Microsoft Research.
  17. ^ "wolfSSL and libOQS Integration". WolfSSL-Website. 2021-09-01.
  18. ^ "CRYSTALS KYBER Java". GitHub. 25 October 2021.
  19. ^ "CRYSTALS-KYBER JavaScript". GitHub. 11 December 2021.
  20. ^ "Yawning/Kyber: https://pq-crystals.org/kyber/index.shtml". Gogs. Archived from the original on 2021-07-28. Retrieved 2022-01-13.
  21. ^ B. Dang, Kamyar Mohajerani, K. Gaj (2021), High-Speed Hardware Architectures and Fair FPGA Benchmarking (PDF) (in German)
  22. ^ Arpan Jati, Naina Gupta, A. Chattopadhyay, S. Sanadhya (2021), "A Configurable Crystals-Kyber Hardware Implementation with Side-Channel Protection" (PDF), IACR Cryptol. ePrint Arch. (in German)
  23. ^ "E-Vergabe, die Vergabeplattform des Bundes".
  24. ^ "Add Kyber KEM and implement PQXDH protocol". GitHub.
  25. ^ "Signal Messenger Introduces PQXDH Quantum-Resistant Encryption". The Hacker News. Retrieved 2023-09-22.

External links

  • Official website
  • kyber on GitHub
  • original method by Oded Regev (2005), "On lattices, learning with errors, random linear codes, and cryptography", Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing (STOC '05) (in German), Baltimore, MD, USA: ACM Press, p. 84, doi:10.1145/1060590.1060603, ISBN 978-1-58113-960-0, S2CID 53223958
