name: Kyber
type: kem
principal-submitters:
- Peter Schwabe
auxiliary-submitters:
- Roberto Avanzi
- Joppe Bos
- Léo Ducas
- Eike Kiltz
- Tancrède Lepoint
- Vadim Lyubashevsky
- John M. Schanck
- Gregor Seiler
- Damien Stehlé
crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
website: https://pq-crystals.org/
nist-round: 3
spec-version: NIST Round 3 submission
primary-upstream:
  source: https://github.com/pq-crystals/kyber/commit/faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2
    with copy_from_upstream patches
  spdx-license-identifier: CC0-1.0
optimized-upstreams:
  pqclean-aarch64:
    source: https://github.com/PQClean/PQClean/commit/e2d82cc58dcbc75dcce9ecf70e91465a00c2a4d8
      with copy_from_upstream patches
    spdx-license-identifier: CC0-1.0
parameter-sets:
- name: Kyber512
  claimed-nist-level: 1
  claimed-security: IND-CCA2
  length-public-key: 800
  length-ciphertext: 768
  length-secret-key: 1632
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: pqclean-aarch64
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: Kyber512-90s
  claimed-nist-level: 1
  claimed-security: IND-CCA2
  length-public-key: 800
  length-ciphertext: 768
  length-secret-key: 1632
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - AES: pqcrystals-kyber_common_ref
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - aes
      - avx2
      - bmi2
      - popcnt
      - sse2
      - ssse3
    common-crypto:
    - AES: pqcrystals-kyber_common_aes
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
- name: Kyber768
  claimed-nist-level: 3
  claimed-security: IND-CCA2
  length-public-key: 1184
  length-ciphertext: 1088
  length-secret-key: 2400
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: pqclean-aarch64
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: Kyber768-90s
  claimed-nist-level: 3
  claimed-security: IND-CCA2
  length-public-key: 1184
  length-ciphertext: 1088
  length-secret-key: 2400
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - AES: pqcrystals-kyber_common_ref
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - aes
      - avx2
      - bmi2
      - popcnt
      - sse2
      - ssse3
    common-crypto:
    - AES: pqcrystals-kyber_common_aes
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
- name: Kyber1024
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 1568
  length-ciphertext: 1568
  length-secret-key: 3168
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: pqclean-aarch64
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: Kyber1024-90s
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 1568
  length-ciphertext: 1568
  length-secret-key: 3168
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - AES: pqcrystals-kyber_common_ref
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - aes
      - avx2
      - bmi2
      - popcnt
      - sse2
      - ssse3
    common-crypto:
    - AES: pqcrystals-kyber_common_aes
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false