Hall Of Fame

Kyber Parameters

A Kyber public key is a tuple $(A,t)\in {\mathcal{R}}_q^{k\times k}\times {\mathcal{R}}_q^k$, where ${\mathcal{R}}_q={\mathbb{Z}}_q[X]/(X^n+1)$ and $n,q,k\in \mathbb{N}$.
The corresponding secret key is $(s,e)\in {\mathcal{R}}_q^k\times {\mathcal{R}}_q^k$, where $t=As+e$.

The coefficients of both $s$ and $e$ follow a centered binomial distribution with parameter ${\eta }_1\in \mathbb{N}$. Kyber defines additional parameters ${\eta }_2,d_u,d_v$, which determine noise and compression in the encryption algorithm. A Kyber ciphertext is a tuple of the form $(c_1,c_2)\in {\mathcal{R}}_q^k\times {\mathcal{R}}_q$

For all our instances, $d_u=8,d_v=8,{\eta }_1=3,{\eta }_2=3$.

Format of Instances

In our challenges, ring elements $a\in {\mathcal{R}}_q$ are given as arrays of length $n$, in which the coefficients of $a$ are stored in ascending order, e.g.,

$$a=a_0\cdot X^0+a_1\cdot X^1+\cdots +a_{n-1}\cdot X^{n-1}$$

is given as

$$[a_0,a_1,\dots ,a_{n-1}]$$

Consequently, $A=(A_{i,j}{)}_{1\le i\le j\le k}$ is given as a three-dimensional array $A$ of size $k\times k\times n$, where

$$A_{i,j}=A[i][j][0]\cdot X^0+A[i][j][1]\cdot X^1+\cdots +A[i][j][n-1]\cdot X^{n-1}$$

Similary, $t=(t_1,\dots ,t_k)$ is given as a two-dimensional array $t$ of size $k\times n$, where

$$t_i=t[i][0]\cdot X^0+t[i][1]\cdot X^1+\cdots +t[i][n-1]\cdot X^{n-1}$$

Our challenges also contain lists of ciphertexts $((c_1^1,c_2^1),(c_1^2,c_2^2),\dots )$, which are encryptions of UTF-8-encoded human-readable messages.

Estimated Bit-Complexity

The best known attack against Kyber is the primal lattice reduction attack. It models the problem of attacking Kyber as an instance of the (Unique) Shortest Vector Problem, and then uses the BKZ algorithm to recover the secret key.

The complexity of the attack is usually measured in the required BKZ blocksize $\beta$. Given $\beta$, the bit complexity is estimated in the Core-SVP model, which estimates the bit-complexity of the attack as $0.292\beta$. (We note that the Core-SVP model typically underestimates the actual bit complexity of the attack.)

The required blocksizes for the Kyber challenges were estimated with the Leaky LWE Estimator.