Paper 2023/708
Kyber terminates
Abstract
The key generation of the lattice-based key-encapsulation mechanism CRYSTALS-Kyber (or short, just Kyber) involves a rejection-sampling routine to produce coefficients modulo $q=3329$ that look uniformly random. The input to this rejection sampling is output of the SHAKE-128 extendable output function (XOF). If this XOF is modelled as a random oracle with infinite output length, it is easy to see that Kyber terminates with probability 1; also, in this model, for any upper bound on the running time, the probability of termination is strictly smaller than 1. In this short note we show that an (unconditional) upper bound for the running time for Kyber exists. Computing a tight upper bound, however, is (likely to be) infeasible. We remark that the result has no real practical value, except that it may be useful for computer-assisted reasoning about Kyber using tools that require a simple proof of termination.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- Preprint.
- Contact author(s)
-
mbb @ fc up pt
peter @ cryptojedi org - History
- 2023-05-22: approved
- 2023-05-17: received
- See all versions
- Short URL
- https://ia.cr/2023/708
- License
-
CC0
BibTeX
@misc{cryptoeprint:2023/708, author = {Manuel Barbosa and Peter Schwabe}, title = {Kyber terminates}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/708}, year = {2023}, url = {https://eprint.iacr.org/2023/708} }