Paper 2018/677

Module-lattice KEM Over a Ring of Dimension 128 for Embedded Systems

François Gérard


Following the development of quantum computing, the demand for post-quantum alternatives to current cryptosystems has recently increased significantly. The main disadvantage of those schemes is the amount of resources needed to implement them in comparison to their classical counterparts. In conjunction with the growth of the Internet of Things, it is crucial to know whether post-quantum algorithms can operate in constrained environments without incurring an unacceptable performance penalty. In this paper, we propose an instantiation of a module-lattice-based KEM working over a ring of dimension 128 using a limited amount of memory at runtime. It can be seen as a lightweight version of Kyber or a module version of Frodo. We propose parameters targeting popular 8-bit AVR microcontrollers and NIST security level 1. Our implementation fits in around 2 KB of RAM while still providing reasonable efficiency and 128 bits of security, but at the cost of reduced correctness.

Note: A flaw in this work has been pointed out by Leo Ducas. The CCA-secure transformation cannot be applied to a scheme with such low correctness. Hence, only the results about the CPA version of the KEM are relevant.

Publication info
Preprint. MINOR revision.
Keywords: KEM, Module lattices, AVR, embedded
Contact author(s)
fragerar @ ulb ac be
2018-07-19: revised
2018-07-13: received
Creative Commons Attribution


      author = {François Gérard},
      title = {Module-lattice KEM Over a Ring of Dimension 128 for Embedded Systems},
      howpublished = {Cryptology ePrint Archive, Paper 2018/677},
      year = {2018},
      note = {\url{}},
      url = {}