**Tight Analysis of Decrypton Failure Probability of Kyber in Reality**

*Boyue Fang and Weize Wang and Yunlei Zhao*

**Abstract: **Kyber is a candidate in the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) Standardization. However, because of the protocol's independence assumption, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work, we give a rigorous mathematical analysis of the actual failure probability calculation, and provides the Kyber security estimation in reality rather than only in a statistical sense. Our analysis does not make independency assumptions on errors, and is with respect to concrete public keys in reality. Through sample test and experiments, we also illustrate the difference between the actual failure probability and the result given in the proposal of Kyber. The experiments show that, for Kyber-512 and 768, the failure probability resulting from the original paper is relatively conservative, but for Kyber-1024, the failure probability of some public keys is worse than claimed. This failure probability calculation for concrete public keys can also guide the selection of public keys in the actual application scenarios. What's more, we measure the gap between the upper bound of the failure probability and the actual failure probability, then give a tight estimate. Our work can also re-evaluate the traditional $1-\delta$ correctness in the literature, which will help re-evaluate some candidates' security in NIST post-quantum cryptographic standardization.

**Category / Keywords: **public-key cryptography / Post-Quantum Cryptography, Learning with Errors, Key Encapsulation Mechanism, Decryption Failure

**Date: **received 21 Feb 2022

**Contact author: **byfang16 at fudan edu cn

**Available format(s): **PDF | BibTeX Citation

**Version: **20220225:073934 (All versions of this report)

**Short URL: **ia.cr/2022/212

[ Cryptology ePrint archive ]