Argyle-Software / kyber

A rust implementation of the Kyber post-quantum KEM
https://docs.rs/pqc_kyber/
Apache License 2.0
164 stars 37 forks

Is this final Kyber? #54

Open adamierymenko opened 1 year ago

adamierymenko commented 1 year ago

To what extent is Kyber still in flux or is the current standard solid?

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/C0D3W1KoINY

Of course maybe there's no way to know... just curious if you know or not.

mberry commented 1 year ago

I only know what is said on the mailing lists or at PQ conferences. There is talk of replacing the various symmetric crypto algorithms with cSHAKE; from an implementation and simplicity point of view I can certainly get behind that.

Whether or not NIST removes Kyber512 or 90's mode, I'm still planning to support the current variants in this repo going forward unless there is a security risk in doing so. Standardisation is great, but I'm happy to accommodate those who want alternatives.

mberry commented 9 months ago

FIPS 203 - ML-KEM

I have a private branch looking at the differences, still waiting on test vectors.

How to proceed with the migration in the rust codebase at this late stage is another question altogether.

mberry commented 9 months ago

I would honestly be keen on some bikeshedding at this point on how to integrate both current Kyber and ML-KEM in this crate; the differences codewise are quite small, but they aren't interoperable.
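
The non-interoperability mberry describes above comes down to a handful of hash/KDF steps and input checks that sit around the shared K-PKE lattice arithmetic. The following is an added example for this thread, not code from the pqc_kyber crate or from any participant: it models only those wrapper steps (seed expansion, the final shared-secret derivation, implicit rejection, and the FIPS 203 key-validation checks) as written in Kyber round 3 (non-90s mode) and in the final FIPS 203, so that the byte-level divergence is visible. The K-PKE encrypt/decrypt core is deliberately not implemented, and the function names and the sample inputs are constructed for the example.

```python
"""Where Kyber round 3 and FIPS 203 ML-KEM diverge at the byte level.

Constructed illustration, not code from the pqc_kyber crate. The K-PKE
lattice operations are the same in both specifications, so only the
surrounding hash/KDF steps and the extra input checks are modelled here.
Symmetric primitives (Kyber r3 non-90s mode and FIPS 203 alike):
H = SHA3-256, G = SHA3-512, KDF / J = SHAKE256 with 32-byte output.
"""
import hashlib

Q = 3329  # modulus shared by Kyber r3 and ML-KEM


def H(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


def G(data: bytes) -> bytes:
    return hashlib.sha3_512(data).digest()


def shake256(data: bytes, n: int = 32) -> bytes:
    return hashlib.shake_256(data).digest(n)


# --- KeyGen seed expansion --------------------------------------------------

def kyber_r3_seeds(d: bytes) -> tuple[bytes, bytes]:
    """Kyber r3: (rho, sigma) = G(d)."""
    out = G(d)
    return out[:32], out[32:]


def mlkem_seeds(d: bytes, k: int) -> tuple[bytes, bytes]:
    """FIPS 203: (rho, sigma) = G(d || k), with k (2, 3 or 4) as one byte."""
    out = G(d + bytes([k]))
    return out[:32], out[32:]


# --- Encapsulation: the value handed back as the shared secret -------------

def kyber_r3_shared_secret(kbar: bytes, c: bytes) -> bytes:
    """Kyber r3: K = KDF(Kbar || H(c)); the ciphertext is bound into K."""
    return shake256(kbar + H(c))


def mlkem_shared_secret(kbar: bytes, c: bytes) -> bytes:
    """FIPS 203: the 32-byte Kbar from G(m || H(ek)) is returned unchanged."""
    return kbar


# --- Decapsulation on a non-matching ciphertext (implicit rejection) -------

def kyber_r3_reject(z: bytes, c: bytes) -> bytes:
    """Kyber r3: K = KDF(z || H(c))."""
    return shake256(z + H(c))


def mlkem_reject(z: bytes, c: bytes) -> bytes:
    """FIPS 203: K = J(z || c) = SHAKE256(z || c, 32); c itself, not H(c)."""
    return shake256(z + c)


# --- Input validation required by FIPS 203 but not by the r3 spec ----------

def mlkem_encaps_key_ok(ek: bytes, k: int) -> bool:
    """FIPS 203 modulus check: ek = ByteEncode12(t_hat) || rho, and every
    packed 12-bit coefficient must already be < q (re-encoding round-trips).
    Two coefficients are packed into three bytes, little-endian bit order."""
    if len(ek) != 384 * k + 32:
        return False
    packed = ek[:384 * k]
    for i in range(0, len(packed), 3):
        b0, b1, b2 = packed[i:i + 3]
        c0 = b0 | ((b1 & 0x0F) << 8)
        c1 = (b1 >> 4) | (b2 << 4)
        if c0 >= Q or c1 >= Q:
            return False
    return True


def mlkem_decaps_key_ok(dk: bytes, k: int) -> bool:
    """FIPS 203 hash check: dk = dk_pke || ek || H(ek) || z, and the stored
    H(ek) must equal a fresh hash of the embedded ek."""
    if len(dk) != 768 * k + 96:
        return False
    ek = dk[384 * k:768 * k + 32]
    stored = dk[768 * k + 32:768 * k + 64]
    return H(ek) == stored


if __name__ == "__main__":
    # Constructed sample inputs: a fixed pre-key and a dummy Kyber768 ciphertext.
    kbar, c = bytes(range(32)), b"\x01" * 1088
    print("r3 K  :", kyber_r3_shared_secret(kbar, c).hex())
    print("ML-KEM:", mlkem_shared_secret(kbar, c).hex())
```

Feeding both derivations the same pre-key and ciphertext gives different 32-byte secrets, which is the whole interoperability problem: a Kyber r3 peer and an ML-KEM peer can agree on every lattice value and still disagree on the session key. The validation helpers show the other direction of breakage, where an ML-KEM decapsulator must refuse keys that a round-3 implementation would have accepted.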

bingmatv commented 3 months ago

@mberry What specification does version 0.7.1 use? Does v0.7.1 use Round 3 parameters or FIPS-203 parameters? I ask because the NSA (National Security Agency) decreased the key length of DES: IBM's version of DES used a 128-bit key, but after the NSA modified IBM's parameters, DES had only 56-bit keys. It's possible that FIPS-203 reduced Kyber's security, so I suggest using the NIST Round 3 parameters.