Kyber

Kyber is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks by future powerful quantum computers. It is used to establish a shared secret between two communicating parties such that an attacker on the transmission channel, even an active one in the IND-CCA2 sense, cannot recover it. This asymmetric cryptosystem uses a variant of the presumably NP-hard lattice problem of learning with errors as its basic trapdoor function. It is considered the most promising candidate for a first post-quantum cryptography standard. Kyber is named after the fictional kyber crystals used to power lightsabers in the Star Wars universe (compare [Light-]SABER).

Properties

The system is based on module learning with errors (M-LWE), a problem originating in the field of machine learning, in conjunction with cyclotomic rings.[1] There is now also a tight formal mathematical security reduction of the ring-LWE problem to M-LWE.[2][3] Compared to competing PQ methods, it has the typical advantages of lattice-based methods, e.g. in regard to runtime as well as the size of the ciphertexts and the key material.[4] Variants with different security levels have been defined: Kyber512 (NIST security level 1, ≈AES 128), Kyber768 (NIST security level 3, ≈AES 192), and Kyber1024 (NIST security level 5, ≈AES 256).[5] At a complexity of 161 bits, the secret keys are 2400 bytes, the public keys 1184 bytes, and the ciphertexts 1088 bytes in size.[6][7] With an accordingly optimized implementation, 4 kilobytes of memory can be sufficient for the cryptographic operations.[8] For a chat encryption scenario using liboqs, replacing the extremely efficient, non-quantum-safe ECDH key exchange using Curve25519 was found to increase runtime by a factor of about 2.3 (1.5–7), to increase energy consumption by an estimated factor of 2.3 (1.4–3.1), and to cause about 70 times (48–92) more data overhead.[9] Internal hashing operations account for the majority of the runtime, which would thus potentially benefit greatly from corresponding hardware acceleration.
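To make the M-LWE trapdoor and the KEM flow described above concrete, here is an added, self-contained toy in pure Python (not the Kyber reference implementation or its specification): it works in Kyber's ring Z_3329[X]/(X^256+1) with module rank 2, publishes t = A·s + e, encrypts a random 256-bit value, and derives the shared secret with SHAKE-256. The NTT, ciphertext compression and the Fujisaki–Okamoto (CCA) transform are left out, so this is only CPA-secure and meant for illustration.

```python
import hashlib, secrets
from functools import reduce

# Toy Module-LWE parameters: Kyber's ring Z_3329[X]/(X^256+1), module rank 2, noise bound 2.
# Assumed for illustration only; not the Kyber specification (no NTT, compression or CCA transform).
N, Q, K, ETA = 256, 3329, 2, 2

def poly_mul(a, b):
    """Multiply in Z_q[X]/(X^N + 1); the wrap-around term gets a minus sign because X^N = -1."""
    r = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            r[k] = (r[k] + sign * ai * bj) % Q
    return r
def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def vec_add(u, v): return [poly_add(x, y) for x, y in zip(u, v)]
def inner(u, v): return reduce(poly_add, (poly_mul(x, y) for x, y in zip(u, v)))
def mat_vec(A, v): return [inner(row, v) for row in A]

def small_poly():
    """Secret/error polynomial: centred binomial coefficients in [-ETA, ETA] (mod q)."""
    return [(sum(secrets.randbits(1) for _ in range(ETA))
             - sum(secrets.randbits(1) for _ in range(ETA))) % Q for _ in range(N)]

def keygen():
    A = [[[secrets.randbelow(Q) for _ in range(N)] for _ in range(K)] for _ in range(K)]
    s, e = [small_poly() for _ in range(K)], [small_poly() for _ in range(K)]
    t = vec_add(mat_vec(A, s), e)  # t = A*s + e; recovering s from (A, t) is the M-LWE problem
    return (A, t), s

def encrypt(pk, m_bits):
    """CPA-secure encryption of N message bits, each scaled to 0 or about q/2."""
    A, t = pk
    r, e1, e2 = [small_poly() for _ in range(K)], [small_poly() for _ in range(K)], small_poly()
    At = [[A[j][i] for j in range(K)] for i in range(K)]
    u = vec_add(mat_vec(At, r), e1)
    v = poly_add(poly_add(inner(t, r), e2), [b * ((Q + 1) // 2) for b in m_bits])
    return u, v

def decrypt(sk, ct):
    u, v = ct
    w = poly_sub(v, inner(sk, u))  # = m*q/2 + small noise (e.r + e2 - s.e1): round to the nearer of 0, q/2
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in w]

def encaps(pk):
    """KEM: encrypt a random 256-bit value and derive the shared secret from it with SHAKE-256."""
    m_bits = [secrets.randbits(1) for _ in range(N)]
    return encrypt(pk, m_bits), hashlib.shake_256(bytes(m_bits)).digest(32)

def decaps(sk, ct):
    return hashlib.shake_256(bytes(decrypt(sk, ct))).digest(32)
```

With these parameters the decryption noise has a standard deviation of roughly 32 against a decision threshold of q/4 = 832, so both sides obtain the same 32-byte secret with overwhelming probability.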

Development

Kyber is derived from a method published in 2005 by Oded Regev. It was developed by researchers from Europe and North America who are employed by various public universities or research institutions, or by private companies, with funding from the European Commission, Switzerland, the Netherlands, and Germany.[10] They also developed the related and complementary signature scheme Dilithium as another component of their "Cryptographic Suite for Algebraic Lattices" (CRYSTALS). Like other PQC-KEM methods, Kyber makes extensive use of hashing internally. In Kyber's case, variants of Keccak (SHA-3/SHAKE) are used, among other things, to generate pseudorandom numbers.[8] In 2017 the method was submitted to the US National Institute of Standards and Technology (NIST) for its public selection process for a first standard for quantum-safe cryptographic primitives (NISTPQC). It is one of the most promising finalists for the standard that is expected in early 2022.[11] As one of four asymmetric encryption algorithms, it competes with at least two other methods. The McEliece method is based on a different principle and could be standardized additionally.[5] In the second phase of the selection process, several parameters of the algorithm were adjusted and the compression of the public keys was dropped.[8] While the computational complexity of the algorithm is outstandingly low by comparison, NIST could choose NTRU as a more conservative option, should security issues or patent claims arise for Kyber. The French National Centre for Scientific Research's claimed applicability of its Gaborit and Aguilar-Melchor patent is disputed.[12] Most recently, NIST paid particular attention to costs in terms of runtime and complexity for implementations that mask runtimes in order to prevent corresponding side-channel attacks (SCA).[2]

Usage

The developers have released a reference implementation into the public domain (or under CC0), which is written in C.[13] The program library liboqs of the Open Quantum Safe (OQS) project contains an implementation based on it.[14][9] OQS also maintains a quantum-safe development branch of OpenSSL,[15] has integrated it into BoringSSL, and its code has also been integrated into WolfSSL.[16] There are a handful of implementations in various other programming languages from third-party developers, including JavaScript and Java.[17][18][19] Various (free) optimized hardware implementations exist, including one that is resistant to side-channel attacks.[20][21] The German Federal Office for Information Security is aiming for an implementation in Thunderbird, and in this context also an implementation in the Botan program library and corresponding adjustments to the OpenPGP standard.[22]

References

  1. What was NIST thinking? (PDF)
  2. Status Report on the Second Round of the NIST PQC Standardization Process (PDF)
  3. Chris Peikert, Zachary Pepin (2019), "Algebraically Structured LWE, Revisited" (PDF), Theory of Cryptography, Lecture Notes in Computer Science, Cham: Springer International Publishing, vol. 11891, pp. 1–23, doi:10.1007/978-3-030-36030-6_1, ISBN 978-3-030-36029-0, S2CID 199455447
  4. Lattice-based cryptography and Kyber – Andrea Basso (PDF; 2,0 MB)
  5. Overview of NIST Round 3 Post-Quantum cryptography Candidates (PDF; 157 kB)
  6. Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren (2018), "Kyber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM" (PDF), Progress in Cryptology – AFRICACRYPT 2018, Lecture Notes in Computer Science, Cham: Springer International Publishing, vol. 10831, pp. 282–305, doi:10.1007/978-3-319-89339-6_16, ISBN 978-3-319-89339-6
  7. https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
  8. Leon Botros, Matthias J. Kannwischer, Peter Schwabe (2019), "Memory-Efficient High-Speed Implementation of Kyber on Cortex-M4" (PDF), Progress in Cryptology – AFRICACRYPT 2019, Lecture Notes in Computer Science, Cham: Springer International Publishing, vol. 11627, pp. 209–228, doi:10.1007/978-3-030-23696-0_11, ISBN 978-3-030-23696-0, S2CID 174775508
  9. Ines Duits (2019-02-05), University of Twente (ed.), The Post-Quantum Signal Protocol: Secure Chat in a Quantum World (PDF)
  10. https://pq-crystals.org/
  11. Sarah Henderson (2020-07-22). "NIST's Post-Quantum Cryptography Program Enters 'Selection Round'".
  12. non-app-KyberSaber (PDF)
  13. Kyber/LICENSE at master · pq-crystals/kyber · GitHub
  14. Kyber – Open Quantum Safe
  15. "Post-Quantum TLS". Microsoft Research.
  16. "wolfSSL and libOQS Integration". WolfSSL-Website. 2021-09-01.
  17. "CRYSTALS KYBER Java". GitHub. 25 October 2021.
  18. "CRYSTALS-KYBER JavaScript". GitHub. 11 December 2021.
  19. https://git.schwanenlied.me/yawning/kyber
  20. B. Dang, Kamyar Mohajerani, K. Gaj (2021), High-Speed Hardware Architectures and Fair FPGA Benchmarking (PDF)
  21. Arpan Jati, Naina Gupta, A. Chattopadhyay, S. Sanadhya (2021), "A Configurable Crystals-Kyber Hardware Implementation with Side-Channel Protection" (PDF), IACR Cryptol. ePrint Arch.
  22. "E-Vergabe, die Vergabeplattform des Bundes".
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.