name: Kyber
type: kem
principal-submitters:
- Peter Schwabe
auxiliary-submitters:
- Roberto Avanzi
- Joppe Bos
- Léo Ducas
- Eike Kiltz
- Tancrède Lepoint
- Vadim Lyubashevsky
- John M. Schanck
- Gregor Seiler
- Damien Stehlé
crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
website: https://pq-crystals.org/
nist-round: 3
spec-version: NIST Round 3 submission
primary-upstream:
  source: https://github.com/pq-crystals/kyber/commit/441c0519a07e8b86c8d079954a6b10bd31d29efc
    with copy_from_upstream patches
  spdx-license-identifier: CC0-1.0 or Apache-2.0
optimized-upstreams:
  oldpqclean-aarch64:
    source: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a
      with copy_from_upstream patches
    spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
      and MIT
formally-verified-upstreams:
  libjade:
    source: https://github.com/formosa-crypto/libjade/tree/release/2023.05-2 with
      copy_from_upstream patches
    spdx-license-identifier: CC0-1.0 OR Apache-2.0
parameter-sets:
- name: Kyber512
  claimed-nist-level: 1
  claimed-security: IND-CCA2
  length-public-key: 800
  length-ciphertext: 768
  length-secret-key: 1632
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: oldpqclean-aarch64
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: libjade
    upstream-id: ref
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: libjade
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: Kyber768
  claimed-nist-level: 3
  claimed-security: IND-CCA2
  length-public-key: 1184
  length-ciphertext: 1088
  length-secret-key: 2400
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: oldpqclean-aarch64
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: libjade
    upstream-id: ref
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
  - upstream: libjade
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false
- name: Kyber1024
  claimed-nist-level: 5
  claimed-security: IND-CCA2
  length-public-key: 1568
  length-ciphertext: 1568
  length-secret-key: 3168
  length-shared-secret: 32
  implementations-switch-on-runtime-cpu-features: true
  implementations:
  - upstream: primary-upstream
    upstream-id: ref
    supported-platforms: all
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: primary-upstream
    upstream-id: avx2
    supported-platforms:
    - architecture: x86_64
      operating_systems:
      - Linux
      - Darwin
      required_flags:
      - avx2
      - bmi2
      - popcnt
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: true
    large-stack-usage: false
  - upstream: oldpqclean-aarch64
    upstream-id: aarch64
    supported-platforms:
    - architecture: ARM64_V8
      operating_systems:
      - Linux
      - Darwin
    common-crypto:
    - SHA3: liboqs
    no-secret-dependent-branching-claimed: true
    no-secret-dependent-branching-checked-by-valgrind: false
    large-stack-usage: false