Paper 2023/708

Kyber terminates

Manuel Barbosa, University of Porto, INESC TEC
Peter Schwabe, Max Planck Institute for Security and Privacy, Radboud University

The key generation of the lattice-based key-encapsulation mechanism CRYSTALS-Kyber (or short, just Kyber) involves a rejection-sampling routine to produce coefficients modulo $q=3329$ that look uniformly random. The input to this rejection sampling is output of the SHAKE-128 extendable output function (XOF). If this XOF is modelled as a random oracle with infinite output length, it is easy to see that Kyber terminates with probability 1; also, in this model, for any upper bound on the running time, the probability of termination is strictly smaller than 1. In this short note we show that an (unconditional) upper bound for the running time for Kyber exists. Computing a tight upper bound, however, is (likely to be) infeasible. We remark that the result has no real practical value, except that it may be useful for computer-assisted reasoning about Kyber using tools that require a simple proof of termination.

Available format(s)
Public-key cryptography
Publication info
Contact author(s)
mbb @ fc up pt
peter @ cryptojedi org
2023-05-22: approved
2023-05-17: received
See all versions
Short URL
No rights reserved


      author = {Manuel Barbosa and Peter Schwabe},
      title = {Kyber terminates},
      howpublished = {Cryptology ePrint Archive, Paper 2023/708},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.