Paper 2024/1979

On the Security of LWE-based KEMs under Various Distributions: A Case Study of Kyber

Mingyao Shao, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China, Key Laboratory of Cyberspace Security Defense, Beijing, China
Yuejun Liu, School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Yongbin Zhou, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China, Key Laboratory of Cyberspace Security Defense, Beijing, China
Yan Shao, School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing, China
Abstract

Evaluating the security of LWE-based KEMs involves two crucial metrics: the hardness of the underlying LWE problem and the resistance to decryption failure attacks, both of which depend heavily on the secret-key and error distributions. To avoid the complexity and timing vulnerabilities of Gaussian sampling, modern LWE-based schemes typically adopt either the uniform distribution or the centered binomial distribution (CBD). This work takes Kyber as a case study and evaluates its security under both distributions. Compared with the CBD, the uniform distribution over the same range increases the LWE hardness but also raises the decryption failure probability, amplifying the risk of decryption failure attacks. We introduce a majority-voting-based key recovery method and carry out a practical decryption failure attack on Kyber512 instantiated with the uniform distribution, with a complexity of $2^{37}$. Building on this analysis, we propose uKyber, a variant of Kyber that employs the uniform distribution together with parameter adjustments under the asymmetric module-LWE assumption. Compared with Kyber, uKyber maintains comparable hardness and decryption failure probability while reducing ciphertext sizes. Furthermore, we propose a multi-value sampling technique that improves the efficiency of rejection sampling under the uniform distribution. These properties make uKyber a practical and efficient alternative to Kyber for a wide range of cryptographic applications.
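The trade-off the abstract describes can be made concrete with exact distribution arithmetic. The following Python is an added illustration, not code from the paper: it computes the exact probability mass functions of CBD_eta and of the uniform distribution over the same range [-eta, eta] (using Kyber512's eta1 = 3 for the secret and eta2 = 2 for the error), compares their variances (the quantity that drives LWE hardness estimates) and their tails, and then propagates both through a deliberately simplified noise model in which the decryption noise is a sum of independent coefficient products s_i * e_i. That sum-of-products model, the 32-term size and the threshold of 40 are assumptions of this example, not the paper's failure analysis or Kyber's real parameters. The `rejection_sample_uniform` routine is the plain baseline rejection sampler, not the paper's multi-value sampling technique; its draws are constructed 3-bit values.

```python
from fractions import Fraction
from math import comb


def cbd_pmf(eta):
    """Exact pmf of CBD_eta: (sum of eta fair bits) - (sum of eta fair bits).
    Support [-eta, eta]; P(k) = C(2*eta, eta+k) / 4^eta; variance eta/2."""
    return {k: Fraction(comb(2 * eta, eta + k), 4 ** eta) for k in range(-eta, eta + 1)}


def uniform_pmf(eta):
    """Exact pmf of the uniform distribution over the same range [-eta, eta];
    variance eta*(eta+1)/3, so larger than CBD_eta's for every eta >= 1."""
    return {k: Fraction(1, 2 * eta + 1) for k in range(-eta, eta + 1)}


def variance(pmf):
    mean = sum(k * p for k, p in pmf.items())
    return sum((k - mean) ** 2 * p for k, p in pmf.items())


def _combine(p, q, op):
    """pmf of op(X, Y) for independent X ~ p, Y ~ q."""
    out = {}
    for x, px in p.items():
        for y, qy in q.items():
            z = op(x, y)
            out[z] = out.get(z, Fraction(0)) + px * qy
    return out


def product_pmf(p, q):
    """pmf of one coefficient product s_i * e_i with s_i ~ p and e_i ~ q."""
    return _combine(p, q, lambda x, y: x * y)


def sum_iid_pmf(p, n):
    """pmf of the sum of n independent copies of p (convolution by binary exponentiation)."""
    result = {0: Fraction(1)}
    base = p
    while n:
        if n & 1:
            result = _combine(result, base, lambda x, y: x + y)
        n >>= 1
        if n:
            base = _combine(base, base, lambda x, y: x + y)
    return result


def tail_mass(pmf, threshold):
    """P(|X| >= threshold): the event that corresponds to a decryption failure."""
    return sum((p for k, p in pmf.items() if abs(k) >= threshold), Fraction(0))


def noise_tail(eta_s, eta_e, n_terms, threshold, dist):
    """Simplified noise model (an assumption of this example, not the paper's analysis):
    noise = sum of n_terms independent products s_i * e_i, s_i ~ dist(eta_s), e_i ~ dist(eta_e).
    Returns (variance of the noise, P(|noise| >= threshold))."""
    noise = sum_iid_pmf(product_pmf(dist(eta_s), dist(eta_e)), n_terms)
    return variance(noise), tail_mass(noise, threshold)


def rejection_sample_uniform(eta, draws):
    """Baseline rejection sampling of uniform [-eta, eta] from b-bit draws with 2^b >= 2*eta+1
    (the plain method, not the paper's multi-value technique). Accept iff draw < 2*eta+1.
    Returns (samples, number_of_rejected_draws); the expected acceptance rate is (2*eta+1)/2^b."""
    samples, rejected = [], 0
    for d in draws:
        if d < 2 * eta + 1:
            samples.append(d - eta)
        else:
            rejected += 1
    return samples, rejected


if __name__ == "__main__":
    # Kyber512 uses eta1 = 3 for the secret and eta2 = 2 for the error.
    for name, dist in (("CBD", cbd_pmf), ("uniform", uniform_pmf)):
        print(name, "var(s) =", variance(dist(3)), "var(e) =", variance(dist(2)),
              "P(|s| = 3) =", tail_mass(dist(3), 3))
        var, tail = noise_tail(3, 2, 32, 40, dist)
        print(name, "32-term noise variance =", var,
              "P(|noise| >= 40) = %.3e" % float(tail))
    # Constructed 3-bit draws; for eta = 3 only the value 7 is rejected.
    print(rejection_sample_uniform(3, [0, 7, 3, 6, 7, 1]))
```

Because the distributions are zero-mean and independent, the variance of a product is the product of the variances and the variance of the sum scales linearly, so the uniform choice multiplies the noise variance by (8 / 1.5) in this model; the exact tail masses show how much faster the failure probability grows than the variance alone suggests.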

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
LWE-based KEMs; Kyber; hardness; decryption failure; centered binomial distribution; uniform distribution
Contact author(s)
shaomingyao @ iie ac cn
History
2024-12-12: approved
2024-12-06: received
Short URL
https://ia.cr/2024/1979
License
Creative Commons Attribution-NonCommercial-ShareAlike
CC BY-NC-SA

BibTeX

@misc{cryptoeprint:2024/1979,
      author = {Mingyao Shao and Yuejun Liu and Yongbin Zhou and Yan Shao},
      title = {On the Security of {LWE}-based {KEMs} under Various Distributions: A Case Study of Kyber},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1979},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1979}
}