Flexible and Compact MLWE-Based KEM

Abstract

In order to resist the security risks caused by quantum computing, post-quantum cryptography (PQC) has been a research focus. Constructing a key encapsulation mechanism (KEM) based on lattices is one of the promising PQC routines. The algebraically structured learning with errors (LWE) problem over power-of-two cyclotomics has been one of the most widely used hardness assumptions for lattice-based cryptographic schemes. However, power-of-two cyclotomic rings may be exploited in the inflexibility of selecting parameters. Recently, trinomial cyclotomic rings of the form ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$, where $n=2^k{3}^l$, $k\ge 1,l\ge 0$, have received widespread attention due to their flexible parameter selection. In this paper, we propose Tyber, a variant scheme of the NIST-standardized KEM candidate Kyber over trinomial cyclotomic rings. We provide three parameter sets, aiming at the quantum security of 128, 192, and 256 bits (actually achieving 129, 197, and 276 bits) with matching and negligible error probabilities. When compared to Kyber, our Tyber exhibits stronger quantum security, by 22, 31, and 44 bits, than Kyber for three security levels.

1. Introduction

If practical quantum computers are ever built, the current public-key cryptography, which relies heavily on the hardness assumptions of factoring integers and solving discrete logarithms, will be vulnerable to quantum attacks. Given the escalating risks posed by quantum computing in recent years, the crypto community has shifted its research focus towards post-quantum cryptography (PQC). Constructing cryptographic schemes based on lattices is one of the promising PQC routines. It has driven several nations to launch professional organizations to start the standardizations of PQC schemes.

In 2016, the US National Institute of Standards and Technology (NIST) initiated a standardization competition for post-quantum cryptography primitives, including public-key encryption (PKE), key encapsulation mechanisms (KEMs), and digital signatures. Notably, lattice-based schemes occupied a significant portion of the submissions, accounting for 26 out of 64 in the initial round [1], 12 out of 26 in the second round [2], and ultimately, 7 out of 15 in the third round [3]. In 2022, NIST finally selected lattice-based schemes named Kyber [4] (official name is ML-KEM [5]) and Dilithium [6] (official name is ML-DSA [7]) as the standardized candidates [8].

The Chinese Association for Cryptologic Research (CACR) also initiated a PQC competition to standardize PQC schemes between 2018 and 2019. In the second round of the Chinese National cryptographic algorithms design contest, lattice-based schemes accounted for 11 out of 14 among public-key schemes [9].

Most of these lattice-based schemes are “small lattice systems”, which are based on algebraically structured lattices, such as ideal lattices and module lattices, with polynomial rings as their underlying algebraic structures. The most common one is the cyclotomic ring $\mathbb{Z}\left[x\right]/\left({\mathsf{\Phi }}_m\left(x\right)\right)$, where ${\mathsf{\Phi }}_m\left(x\right)$ is defined as the m-th cyclotomic polynomial.

For the lattice-based schemes, the learning with error (LWE) problem [10] is one of the most common hardness assumptions to construct public-key encryption or key encapsulation mechanisms. But for those “small lattice systems”, they are based on variants of LWE, which are over cyclotomic rings $\mathcal{R}=\mathbb{Z}\left[{\xi }_m\right]\cong \mathbb{Z}\left[x\right]/\left({\mathsf{\Phi }}_m\left(x\right)\right)$, where ${\xi }_m=exp\left(\frac{2\pi i}{m}\right)$ is an m-th root of unity, e.g., a ring learning with error (RLWE) problem [11] or module learning with error (MLWE) problem [12]. The most popular cyclotomic polynomial used in lattice-based crypto is the power-of-two cyclotomic polynomial: ${\mathsf{\Phi }}_m\left(x\right)=x^n+1$, where $m=2^{e+1}$ and $n=\varphi \left(m\right)=2^e$ are power-of-two integers, and $\varphi$ is the Euler function. At this time, its corresponding cyclotomic ring is $\mathbb{Z}\left[x\right]/(x^n+1)$. In fact, the analysis in [11,12] is mainly in the case of $\mathbb{Z}\left[x\right]/(x^n+1)$. Through the NIST round 3, Kyber [4], Saber [13], and Dilithium [6] use $\mathbb{Z}\left[x\right]/(x^{256}+1)$ as their underlying polynomial ring. There are some advantages of choosing power-of-two cyclotomic rings. (1) They are simple but useful: $x^n+1$, where n is a power of two, is one of the simplest cyclotomic rings. And $\mathbb{Z}\left[x\right]/(x^n+1)$ is one of the best understood and the most widely studied cyclotomic rings in algebraic number theory, and there are no improved attacks that have been proposed against the schemes based on {R,M}LWE over $\mathbb{Z}\left[x\right]/(x^n+1)$. (2) Most {R,M}LWE-based schemes use suitable parameters such that number theoretic transform (NTT) can be utilized to compute the polynomial multiplication in ${\mathbb{Z}}_q\left[x\right]/(x^n+1)$. As we know, NTT-based schemes are very efficient due to the remarkable memory efficiency and speed of NTT, outperforming any other algorithm for multiplication in polynomial rings.

However, some disadvantages cannot be ignored in their practical application. The main focus should be on the inflexibility of selecting parameters. Take RLWE-based schemes as an example. The security level is directly influenced by the ring dimension n of RLWE-based schemes. Since n is a power of two, to achieve a higher security level, it is inconvenient to find a polynomial of some particular degree up to the next power of two. To reach 128-bit security, the ring dimension n should be somewhere around 700 [14]. There are two power-of-two integers: 512 and 1024 which are close to 700, but the former integer leads to insufficient security and the latter one leads to redundant security.

A natural question to ask in this point is as follows.

Motivating question 1: Are there ever flexible ways to use other cyclotomic rings rather than power-of-two cyclotomic rings?

Considering 128-bit security in the post-quantum era, it is interesting but meaningful to be able to construct lattice-based schemes over other cyclotomic rings as alternatives. For motivating question 1, the answer to the question is affirmative. The work in [15] shows that for any cyclotomic polynomial ${\mathsf{\Phi }}_m\left(x\right)$, RLWE can work entirely in the ring $\mathbb{Z}\left[x\right]/\left({\mathsf{\Phi }}_m\left(x\right)\right)$. There also have been some schemes using trinomial cyclotomic rings. For example, Falcon Round 1 used $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$, where $n=3·2^e$[16]. NewHope-Compact, an RLWE-based scheme [17], and NTTRU, an NTRU-like scheme [18], use ${\mathbb{Z}}_q\left[x\right]/(x^{768}-x^{384}+1)$ with a prime q. Scabbard applies ${\mathbb{Z}}_q\left[x\right]/(x^{768}-x^{384}+1)$ with a power-of-two q due to its hardness of ring learning with rounding (RLWR) [19]. Later, the work in [14] instantiated NTRU over some trinomial cyclotomic rings of the form ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$ with various n in order to select flexible parameters. The fact is that $x^n-x^{n/2}+1$ is the $3n$-th cyclotomic ring if n is of the form $n=2^k{3}^l$, $k\ge 1,l\ge 0$.

There is a gap for schemes based on module lattices, especially MLWE-based schemes. One exception is that the work in [20] provided a variant scheme of Kyber; however, over power-of-three cyclotomic rings. Actually, no one has applied trinomial cyclotomics to MLWE-based schemes. Undoubtedly, MLWE-based schemes take into account the security of LWE-based schemes and the efficiency of RLWE-based schemes. Therefore, there will be a balance between security and efficiency by adjusting the parameters. Changing the sampling number k is a major way to achieve different security levels for MLWE-based schemes. But, the increase in k will lead to a more complex implementation. In addition, $\mathbb{Z}\left[x\right]/(x^n+1)$ is still widely used in MLWE-based schemes. For example, Kyber, an outstanding representative of MLWE-based schemes, and the only NIST-standardized KEM candidate, is based on the power-of-two cyclotomic ring ${\mathbb{Z}}_{3329}\left[x\right]/(x^{256}+1)$. Kyber’s supporting documentation has mentioned that “One could consider using Kyber with a ring that is not $\mathbb{Z}\left[x\right]/(x^n+1)$”, as $\mathbb{Z}\left[x\right]/(x^n+1)$ may be exploited in the inflexibility of selecting parameters. Such a sentence is also applicable to other MLWE-based schemes. Hence, it leads to the following question.

Motivating question 2: Could we extend the known power-of-two MLWE-based schemes (e.g., Kyber) to the cases over trinomial cyclotomic rings, with appropriate selection of parameters so as to achieve a practical security level and matching error probabilities?

We answer motivating question 2 in the affirmative by proposing a variant scheme of Kyber, named Tyber, which is constructed over trinomial cyclotomic rings ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$, where n is a positive integer of the form $n=2^k{3}^l$, with $k\ge 1,l\ge 0$ in this paper. The modulus q is chosen as a prime number, in order to be suitable for NTT. The security level of our Tyber is aimed at NIST security levels I, III, and V, while it can also achieve negligible error probabilities.

1.1. Related Works

There is a line of recent works that use trinomial cyclotomic rings of the form $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$.

Table 1. Details of related works.

References	Polynomial Rings	Cryptographic Primitives	Hardness Assumption
[16]	${\mathbb{Z}}_{18433}\left[x\right]/(x^{768}-x^{384}+1)$	Digital signature	NTRU
[21,22]	${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1),n\in \{648,768,864,972\}$	Digital signature	NTRU
[18]	${\mathbb{Z}}_{7681}\left[x\right]/(x^{768}-x^{384}+1)$	PKE/KEM	NTRU
[14]	${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1),n=2^k{3}^{l-1},k\ge 1,l\ge 0$	PKE/KEM	NTRU
[23]	${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1),n=2^k{3}^{l-1},k\ge 1,l\ge 0$	PKE/KEM	NTRU
[24]	${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1),n=2^k{3}^{l-1},k\ge 1,l\ge 0$	PKE/KEM	module-NTRU
[17]	${\mathbb{Z}}_{3457}\left[x\right]/(x^{768}-x^{384}+1)$	PKE/KEM	RLWE
[25]	${\mathbb{Z}}_{7681}\left[x\right]/(x^{768}-x^{384}+1)$	PKE/KEM	RLWE
[19]	${\mathbb{Z}}_{1024}\left[x\right]/(x^{768}-x^{384}+1)$	PKE/KEM	RLWR
This work	${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1),n=2^k{3}^{l-1},k\ge 1,l\ge 0$	PKE/KEM	MLWE

shows their detailed descriptions.

The early version of Falcon, i.e., Falcon Round 1 [16], used ${\mathbb{Z}}_{18433}\left[x\right]/(x^{768}-x^{384}+1)$ for its parameter set of $n=768$. Later, Espitau et al. [21] proposed Mitaka, which is a simpler, parallelizable and maskable variant of Falcon, and its underlying polynomial rings include trinomial cyclotomic rings. Then, the Gaussian sampling and smoothing parameters of Mitaka were studied and optimized in subsequent work [22]. Lyubashevsky and Seiler [18] proposed a variant of NTRU, named NTTRU, by offering a new ring structure ${\mathbb{Z}}_{7681}\left[x\right]/(x^{768}-x^{384}+1)$. There have even been further improvements since then. Duman et al. [14] extended the rings ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$ with various n in order to select flexible parameter sets. Additionally, Liang et al. [23] proposed compact and efficient NTRU-based KEMs over trinomial cyclotomic rings with the aid of lattice-based error correction codes. Recently, Bai et al. [24] designed compact PKEs based on the module-NTRU hardness assumption over trinomial cyclotomic rings. As for RLWE-based schemes, Alkim et al. [17] improved NewHope and presented NewHope-Compact by offering a parameter set for NIST security level III, over the trinomial cyclotomic ring ${\mathbb{Z}}_{3457}\left[x\right]/(x^{768}-x^{384}+1)$. Similarly, Liang et al. [25] proposed NewHope-Unified, which used ${\mathbb{Z}}_{7681}\left[x\right]/(x^{768}-x^{384}+1)$ as its underlying ring for $n=768$. This can be extended to the case of RLWR-based schemes. For example, Bermudo Mera et al. [19] introduced a suite of post-quantum KEMs, named Scabbard, and it contained an RLWR-based KEM applying ${\mathbb{Z}}_{1024}\left[x\right]/(x^{768}-x^{384}+1)$.

1.2. Our Contributions

We propose Tyber, a variant scheme of Kyber over trinomial cyclotomic rings of the form ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$, where $n=2^k{3}^l$, $k\ge 1,l\ge 0$. Our Tyber includes an IND-CPA secure public key encryption and an IND-CCA secure key encapsulation mechanism. The parameter sets of Tyber are provided, featuring quantum security of 128, 192, and 256 bits (actually achieving 129, 197, and 276 bits) with matching and negligible error probabilities. When compared to Kyber, our Tyber exhibits stronger quantum security, by 22, 31, and 44 bits, than Kyber for three security levels. All analysis and conclusions in this paper can be extended to any other power-of-two MLWE-based schemes.

2. Preliminaries

2.1. Notation and Definitions

Let $\mathbb{Z}$ represent the ring of rational integers, with n and q being positive integers. We define ${\mathbb{Z}}_q$ as the quotient ring $\mathbb{Z}/q\mathbb{Z}$ and it comprises the set $\{0,1,\dots ,q-1\}$. Furthermore, we denote ${\mathbb{Z}}_q^{\times }$ as the group of invertible elements within ${\mathbb{Z}}_q$. For a given real number x, we use the notation $\lceil x\rfloor$ to represent the integer closest to x. Additionally, we introduce the notation $\mathcal{R}$ for the ring $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$ and ${\mathcal{R}}_q$ for the quotient ring ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$. Elements in $\mathcal{R}$ or ${\mathcal{R}}_q$ are polynomials, denoted by regular font letters, such as $f,g,v$. All the vectors in this paper are column vectors by default. Bold lowercase letters represent polynomial vectors over $\mathcal{R}$ or ${\mathcal{R}}_q$ while bold uppercase letters are polynomial matrices. For example, $\mathbf{v}$ and $\mathbf{A}$, whose transposes are denoted by ${\mathbf{v}}^T$ and ${\mathbf{A}}^T$, respectively. A polynomial f in $\mathcal{R}$ (or ${\mathcal{R}}_q$) has two equivalent representations: a power series form $f={\sum }_{i=0}^{n-1}{f}_i{x}^i$ and a column vector form $f={(f_0,f_1,\dots ,f_{n-1})}^T$, where $f_i\in \mathbb{Z}$ (or $f_i\in {\mathbb{Z}}_q$) for $i=0,1,\dots ,n-1$. A function $ϵ:\mathbb{N}\to [0,1]$ is said to be negligible if it satisfies $ϵ\left(\lambda \right)<1/{\lambda }^c$ for any positive c and sufficiently large $\lambda$. Such a function is denoted by negl.

Cyclotomics. Additional information regarding cyclotomic polynomials is available in [26]. Given a positive integer m, the m-th root of unity is denoted by ${\xi }_m=exp\left(\frac{2\pi i}{m}\right)$. The m-th cyclotomic polynomial, labeled ${\mathsf{\Phi }}_m\left(x\right)$, is expressed as ${\mathsf{\Phi }}_m\left(x\right)={\prod }_{j=1,gcd(j,m)=1}^m(x-{\xi }_m^j)$. This type of polynomial is monic, irreducible, and has a degree of $n=\phi \left(m\right)$ over the polynomial ring $\mathbb{Z}\left[x\right]$, where $\phi$ represents the Euler function. The m-th cyclotomic field is $\mathbb{Q}\left({\xi }_m\right)\cong \mathbb{Q}\left[x\right]/\left({\mathsf{\Phi }}_m\left(x\right)\right)$, with its associated ring of integers being $\mathbb{Z}\left[{\xi }_m\right]\cong \mathbb{Z}\left[x\right]/\left({\mathsf{\Phi }}_m\left(x\right)\right)$. Some important types of cyclotomic polynomials are mentioned in this paper: (1) Power-of-two cyclotomic polynomials ${\mathsf{\Phi }}_m\left(x\right)=x^n+1$ with m of the form $m=2^k,k\ge 1$ and $n=\phi \left(m\right)=m/2$; (2) Trinomial cyclotomic polynomials with m of the form $m=2^k{3}^l,k,l\ge 1$ and $n=\phi \left(m\right)=m/3$.

Modular reductions. Let $\alpha$ be a positive integer. We define the modulo operation with signed remainder as follows. For even $\alpha$, $r^{\prime }=r{mod}^{\pm }\alpha$ represents the unique element in the range $-\frac{\alpha }{2}<r^{\prime }\le \frac{\alpha }{2}$ satisfying $r^{\prime }\equiv r(mod\alpha )$. For odd $\alpha$, $r^{\prime }=r{mod}^{\pm }\alpha$ represents the unique element in the range $-\frac{\alpha -1}{2}\le r^{\prime }\le \frac{\alpha -1}{2}$ satisfying $r^{\prime }\equiv r(mod\alpha )$. For any $\alpha$, $r^{\prime }=r{mod}^{+}\alpha$ represents the unique element in the range $0\le r^{\prime }<\alpha$ satisfying $r^{\prime }\equiv r(mod\alpha )$. It is simply written as $rmod\alpha$ if the exact representation is not important.

Sizes of elements. For any element w in the ring ${\mathbb{Z}}_q$, ${\parallel w\parallel }_{\infty }$ represents $|w{mod}^{\pm }q|$. We define the ${\ell }_{\infty }$ norm and the ${\ell }_2$ norm for any vector $w\in \mathcal{R}$ as follows: the ${\ell }_{\infty }$ norm is given by ${max}_i\left|w_i\right|$, while the ${\ell }_2$ norm is computed as $\sqrt{{\sum }_{i=0}^{n-1}{\parallel w_i\parallel }_{\infty }^2}$. Furthermore, for a vector $\mathbf{w}=(w_1,\dots ,w_k)\in {\mathcal{R}}^k$, we introduce the ${\ell }_{\infty }$ norm as ${max}_i{\parallel w_i\parallel }_{\infty }$ and the ${\ell }_2$ norm as $\sqrt{{\sum }_{i=1}^k{\parallel w_i\parallel }_{\infty }^2}$.

Sets and distributions. For a given set D, we utilize the notation $x\stackrel{\$}{\leftarrow }D$ to indicate that x is sampled uniformly from D. Furthermore, when referring to a probability distribution $\Psi$, the notation $x\leftarrow \Psi$ signifies that x is selected in accordance with the distribution $\Psi$. The centered binomial distribution $B_{\eta }$, parameterized by a positive integer $\eta$, is defined as follows: Sample $(a_1,\dots ,a_{\eta },b_1,\dots ,b_{\eta })$ uniformly from ${\{0,1\}}^{2\eta }$ and output the sum ${\sum }_{i=1}^{\eta }(a_i-b_i)$. The distribution ${\overline{B}}_{\eta }$ is defined as $B_{\eta }{mod}^{\pm }3$. Sampling a polynomial $v\leftarrow \Psi$ or a polynomial vector $\mathbf{v}\leftarrow {\Psi }^k$ means sampling each coefficient according to $\Psi$ individually.

Compression function. The compression function is formulated as ${\mathsf{Compress}}_q(x,d)=⌈\frac{2^d}{q}·x⌋{mod}^{+}{2}^d$, while the decompression function is defined as ${\mathsf{Decompress}}_q(x,d)=⌈\frac{q}{2^d}·x⌋$. When they deal with a polynomial (vector), the procedure is applied to each coefficient individually. For any $x\in {\mathbb{Z}}_q$, $x^{\prime }={\mathsf{Decompress}}_q({\mathsf{Compress}}_q(x,d),d)$ is an element close to x, i.e., $|x^{\prime }-x{mod}^{\pm }q|\le \lceil \frac{q}{2^{d+1}}\rfloor$.

Module learning with error (MLWE). Let n be a power of two. The underlying hardness assumption of Kyber [4,27] is module learning with error (MLWE) [12] over the ring $\mathcal{R}$. The hard problem module learning with errors (MLWE) over $\mathcal{R}$ is to distinguish uniform samples $({\mathbf{a}}_i,b_i)\stackrel{\$}{\leftarrow }{\mathcal{R}}_q^k\times {\mathcal{R}}_q$ from the samples $({\mathbf{a}}_i,b_i)\in {\mathcal{R}}_q^k\times {\mathcal{R}}_q$, where ${\mathbf{a}}_i\stackrel{\$}{\leftarrow }{\mathcal{R}}_q^k$ and $b_i={\mathbf{a}}_i^T\mathbf{s}+e_i$ with $\mathbf{s}\leftarrow {\Psi }_1$ and $e_i\leftarrow {\Psi }_2$ for all i. The MLWE problem over $\mathcal{R}$ is hard if the advantage ${\mathbf{Adv}}_{m,k,{\Psi }_1,{\Psi }_2}^{\mathrm{mlwe}}\left(\mathsf{A}\right)$ of any probabilistic polynomial time adversary $\mathsf{A}$ is negligible, where

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{m,k,{\Psi }_1,{\Psi }_2}^{\mathrm{mlwe}}\left(\mathsf{A}\right)=\begin{array}{c}|\mathrm{Pr}\left[b^{\prime }=1:\begin{array}{c}\mathbf{A}\stackrel{\$}{\leftarrow }{\mathcal{R}}_q^{l\times k};(\mathbf{s},\mathbf{e})\leftarrow {\Psi }_1^k\times {\Psi }_2^l;\\ \mathbf{b}=\mathbf{A}\mathbf{s}+\mathbf{e};b^{\prime }\leftarrow \mathsf{A}(\mathbf{A},\mathbf{b})\end{array}\right]\hfill \\ -\mathrm{Pr}\left[b^{\prime }=1:\mathbf{A}\stackrel{\$}{\leftarrow }{\mathcal{R}}_q^{l\times k};\mathbf{b}\leftarrow {\mathcal{R}}_q^l;b^{\prime }\leftarrow \mathsf{A}(\mathbf{A},\mathbf{b})\right]|.\hfill \end{array}\end{array}$$

2.2. Cryptographic Primitives

A public-key encryption scheme contains PKE = (KeyGen, Enc, Dec), with a message space $\mathcal{M}$. The key generation algorithm KeyGen returns a pair of a public key and a secret key $(pk,sk)$. The encryption algorithm Enc takes a public key $pk$ and a message $m\in \mathcal{M}$ to produce a ciphertext c. The deterministic decryption algorithm Dec takes a secret key $sk$ and a ciphertext c, and outputs either a message $m\in \mathcal{M}$ or a special symbol ⊥ to indicate a rejection. The decryption error probability of PKE, which is denoted as $\delta$, is defined as E[${max}_{m\in \mathcal{M}}$Pr[Dec($sk$,Enc($pk,m$))] $\ne m$]$<\delta$. The advantage of an adversary $\mathsf{A}$ against indistinguishability under chosen-plaintext attacks (IND-CPA) for public-key encryption is defined as

$$\begin{array}{c}\hfill \begin{array}{c}\hfill {\mathbf{Adv}}_{\mathrm{PKE}}^{\mathrm{CPA}}\left(\mathsf{A}\right)=\left|\mathrm{Pr}\left[b^{\prime }=b:\begin{array}{c}(pk,sk)\leftarrow \mathrm{KeyGen}\left(\right);\\ (m_0,m_1)\leftarrow \mathsf{A}\left(pk\right);\\ b\stackrel{\$}{\leftarrow }\{0,1\};c^{*}\leftarrow \mathrm{Enc}(pk,m_b);\\ b^{\prime }\leftarrow \mathsf{A}\left(c^{*}\right)\end{array}\right]-\frac{1}{2}\right|.\end{array}\end{array}$$

A key encapsulation mechanism consists of three algorithms, which are defined as KEM = (KeyGen, Encaps, Decaps) with a key space $\mathcal{K}$. The key generation algorithm KeyGen returns a pair of a public key and a secret key $(pk,sk)$. The encapsulation algorithm Encaps takes a public key $pk$ to produce a ciphertext c and a key $K\in \mathcal{K}$. The deterministic decapsulation algorithm Decaps inputs a secret key $sk$ and a ciphertext c, and outputs either a key $K\in \mathcal{K}$ or a special symbol ⊥ to indicate a rejection. The correctness error $\delta$ of KEM is defined as Pr[Decaps$(sk,c)\ne K:(c,K)\leftarrow$ Encaps($pk$)] $<\delta$. The advantage of an adversary $\mathsf{A}$ against indistinguishability under chosen-ciphertext attacks (IND-CCA) for the key encapsulation mechanism is defined as

$$\begin{array}{c}\hfill \begin{array}{c}\hfill {\mathbf{Adv}}_{\mathrm{KEM}}^{\mathrm{CCA}}\left(\mathsf{A}\right)=\left|\mathrm{Pr}\left[b^{\prime }=b:\begin{array}{c}(pk,sk)\leftarrow \mathrm{KeyGen}\left(\right);\\ b\stackrel{\$}{\leftarrow }\{0,1\};\\ (c^{*},K_0^{*})\leftarrow \mathrm{Encaps}\left(pk\right);\\ K_1^{*}\stackrel{\$}{\leftarrow }\mathcal{K};\\ b^{\prime }\leftarrow {\mathsf{A}}^{\mathrm{Decaps}(·)}(pk,c^{*},K_b^{*})\end{array}\right]-\frac{1}{2}\right|.\end{array}\end{array}$$

2.3. Kyber

In 2017, Bos et al. [27] proposed a lattice-based cryptography suite called Cryptographic Suite for Algebraic Lattices (CRYSTALS for short). The algorithms of CRYSTALS are designed based on the MLWE problem over a module lattice, meaning that the algorithms take into account the security of LWE-based schemes and the efficiency of RLWE-based schemes. Among them, Kyber is an IND-CCA secure key encapsulation mechanism (KEM). Kyber follows a common construction framework. Specifically, it has two steps: the first step is to construct an IND-CPA secure public key encryption (Kyber.CPAPKE); The second step is to transform the IND-CPA secure PKE into an IND-CCA secure KEM (Kyber.CCAKEM) by using a variant of Fujisaki–Okamoto transform [28,29]. More precisely, Kyber is based on the MLWE problem over power-of-two cyclotomic ring $\mathbb{Z}\left[x\right]/(x^n+1)$, where n is a power of two. In the first round of the NIST PQC competition, Kyber’s modulus was chosen to be 7681, but it was changed after the first round, and adjusted from 7681 to 3329 [4]. Additionally, Kyber’s secret distribution has been different from the ciphertext noise distribution for Kyber512 since the third round. In 2022, NIST finally selected MLWE-based Kyber (official name is ML-KEM) as the only standardized KEM candidate [8].

3. Our Proposal: Tyber

In this section, we will propose Tyber, a variant scheme of Kyber [4] over trinomial cyclotomic rings ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$. The construction of our Tyber is based on [4], and also includes an IND-CPA secure public-key encryption (Tyber.CPAPKE) and an IND-CCA secure key encapsulation mechanism (Tyber.CCAKEM). There are some slight differences between our Tyber and that in [4].

3.1. Concrete Description

Firstly, the formal description of IND-CPA secure public key encryption (Tyber.CPAPKE) of our Tyber is presented in Algorithms 1–3. It can be transformed into its IND-CCA secure key encapsulation mechanism (Tyber.CCAKEM) by using a variant of the Fujisaki–Okamoto transform [28,29]. The detailed description of our Tyber.CCAKEM is presented in Algorithms A1–A3 in Appendix A.

Algorithm 1 Tyber.CPAPKE.KeyGen(): key generation

1: $\mathbf{A}$∼${\mathcal{R}}_q^{k\times k}:=\mathsf{Sam}\left(\rho \right)$ 2: $(\mathbf{s},\mathbf{e})\leftarrow {\Psi }_1^k\times {\Psi }_1^k$ 3: $\mathbf{t}:=\mathbf{A}\mathbf{s}+\mathbf{e}$ 4: return $(pk:=(\mathbf{t},\rho ),sk:=\mathbf{s})$

Algorithm 2 Tyber.CPAPKE.Enc($pk=(\mathbf{t},\rho ),m\in \mathcal{M}$): encryption

1: $\mathbf{A}$∼${\mathcal{R}}_q^{k\times k}:=\mathsf{Sam}\left(\rho \right)$ 2: $(\mathbf{r},{\mathbf{e}}_1,e_2)\leftarrow {\Psi }_1^k\times {\Psi }_2^k\times {\Psi }_2$ 3: $\mathbf{u}:={\mathsf{Compress}}_q({\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1,d_u)$ 4: $v:={\mathsf{Compress}}_q({\mathbf{t}}^T\mathbf{r}+e_2+\lceil \frac{q}{2}\rfloor ·m,d_v)$ 5: return $c:=(\mathbf{u},v)$

Algorithm 3 Tyber.CPAPKE.Dec($sk=\mathbf{s},c=(\mathbf{u},v)$): decryption

1: $\mathbf{u}:={\mathsf{Decompress}}_q(\mathbf{u},d_u)$ 2: $v:={\mathsf{Decompress}}_q(v,d_v)$ 3: return $m^{\prime }:={\mathsf{Compress}}_q(v-{\mathbf{s}}^T\mathbf{u},1)$

We restate the definitions of $\mathcal{R}$ and ${\mathcal{R}}_q$: $\mathcal{R}=\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$ and ${\mathcal{R}}_q={\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$, respectively, where n is a positive integer of the form $2^k{3}^l$ with $k\ge 1$ and $l\ge 0$. We introduce $\mathcal{M}$ as the message space for Tyber.CPAPKE, consisting of binary strings of length n, which can be interpreted as polynomials in $\mathcal{R}$ with coefficients in $\{0,1\}$. $\mathsf{Sam}$ is an extendable output function, and takes as input an n-bit string $\rho$, and then, produces $\mathbf{A}$, uniformly random over ${\mathcal{R}}_q^{k\times k}$, in Algorithms 1 and 2. ${\Psi }_1$ and ${\Psi }_2$ are the distributions over $\mathcal{R}$. The definitions of ${\mathsf{Compress}}_q$ and ${\mathsf{Compress}}_q$ can be found in Section 2.1.

3.2. Parameter Sets

The parameter sets of Tyber are given in

Table 2. Parameter sets of Tyber.

Scheme		n	k	q	$\mathsf{\Phi }\left(\mathit{x}\right)$	$({\mathbf{\Psi }}_1,{\mathbf{\Psi }}_2)$	$({\mathit{d}}_{\mathit{u}},{\mathit{d}}_{\mathit{v}})$	$\left|\mathit{pk}\right|$	$\left|\mathit{ct}\right|$	B.W.	(Sec.C,Sec.Q)	$\mathit{\delta }$
Tyber	Tyber648	324	2	2917	$x^n-x^{n/2}+1$	$({\overline{B}}_2,{\overline{B}}_2)$	(9,5)	1004	932	1936	(142,129)	$2^{-129}$
	Tyber972	324	3	3889	$x^n-x^{n/2}+1$	$(B_1,B_1)$	(10,3)	1490	1337	2827	(217,197)	$2^{-204}$
	Tyber1296	324	4	3889	$x^n-x^{n/2}+1$	$(B_1,B_1)$	(10,5)	1976	1823	3799	(305,276)	$2^{-256}$

. We mainly provide parameter sets aimed at quantum security of 128, 192, and 256 bits. The polynomial dimension n is fixed to 324. Actually, n can be any integer of the form $2^k{3}^l,k\ge 1,l\ge 0$, like 256, 384, or 432. We use two moduli: $q=2917$ for $k=2$, and $q=3889$ for $k\in \{3,4\}$. Both two moduli support very fast NTT-based polynomial multiplications when $n=324$ according to the studies in [14,18]. $\mathsf{\Phi }\left(x\right)$ means the underlying cyclotomic polynomial used in the schemes, and we use a trinomial cyclotomic polynomial of the form $x^n-x^{n/2}+1$. ${\Psi }_1$ and ${\Psi }_2$ are the distributions over $\mathcal{R}$. We mainly consider the centered binomial distribution $B_{\eta }$ and the distribution ${\overline{B}}_{\eta }$ with respect to a positive integer $\eta$, as described in Section 2.1. According to the studies in [30], the centered binomial distribution can guarantee a relatively strong theoretical security, while achieving easier and safer implementation.$d_u$ and $d_v$ are the compression parameters. The magnitudes of the public key ($\left|pk\right|$), ciphertext ($\left|ct\right|$), and bandwidth (B.W., i.e., $\left|pk\right|+\left|ct\right|$) are quantified in bytes. The column “(Sec.C,Sec.Q)” means the estimated security level with respect to the primal attack expressed in bits, where “Sec.C” denotes classical security and “Sec.Q” denotes quantum security. We follow the classical and the quantum core-SVP hardness methodology as in Kyber [4] and use the same Python script to calculate security levels. The last column $\delta$ gives the error probabilities, whose details can be found in Section 4.1.

4. Analysis

In this section, we will present a correctness analysis, provable security reduction, and implementation analysis of our scheme.

4.1. Correctness Analysis

The correctness analysis of Tyber.CPAPKE and Tyber.CCAKEM in our scheme is similar to that in [4,27]. Firstly, following the condition of decryption error in [4,27], we have the following theorem.

Theorem 1

(Derived from Theorem 1 in [27]). Let $k,{\Psi }_1,{\Psi }_2,d_u,d_v$ be the values as in Table 2. Let $\mathbf{s},\mathbf{e},\mathbf{r},{\mathbf{e}}_1,e_2$ be random variables according to the same distribution as in Algorithms 1–3. Let ${\mathbf{c}}_u\leftarrow {\psi }_{d_u}^k,c_v\leftarrow {\psi }_{d_v}$ be generated according to the distribution ${\psi }_d$, which is defined as follows: Sampling $y\stackrel{\$}{\leftarrow }\mathcal{R}$, and returning $(y-{\mathsf{Decompress}}_q({\mathsf{Compress}}_q(y,d),d)){mod}^{\pm }q$. Denote

$$\delta =\mathrm{Pr}\left[\parallel {\mathit{e}}^T\mathit{r}-{\mathit{s}}^T({\mathit{e}}_1+{\mathit{c}}_u)+c_v+e_2{\parallel }_{\infty }\ge \lceil q/4\rfloor \right],$$

(1)

then our Tyber.CCAKEM has an error probability of δ.

4.1.1. The Product in $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$

In order to calculate $\delta$ in Formula (1), the computations of ${\mathbf{e}}^T\mathbf{r}-{\mathbf{s}}^T({\mathbf{e}}_1+{\mathbf{c}}_u)+c_v+e_2$ have to be figured out. Note that all the computations in Formula (1) in Theorem 1 are performed in the rings $\mathcal{R}$ and ${\mathcal{R}}_q$. For example, the inner product ${\mathbf{e}}^T\mathbf{r}$ needs to be computed in the ring ${\mathcal{R}}_q={\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$, where $\mathbf{e},\mathbf{r}\leftarrow {\Psi }_1^k$.

Our way to calculate $\delta$ in Formula (1) is different from that in [4,27], since the form of the product $h=fg\in \mathbb{Z}\left[x\right]/(x^n+1)$ is different from that of $h=fg\in \mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$. In the following, we take $\mathbb{Z}\left[x\right]/(x^4+1)$ as an example. The product of $f={\displaystyle \sum _{i=0}^3}{f}_i{x}^i$ and $g={\displaystyle \sum _{i=0}^3}{g}_i{x}^i$ can be represented as

$$h=\left[\begin{array}{c}{h}_0\\ h_1\\ h_2\\ h_3\end{array}\right]=\left[\begin{array}{cccc}{f}_0& -f_3& -f_2& -f_1\\ f_1& f_0& -f_3& -f_2\\ f_2& f_1& f_0& -f_3\\ f_3& f_2& f_1& f_0\end{array}\right]·\left[\begin{array}{c}{g}_0\\ g_1\\ g_2\\ g_3\end{array}\right].$$

(2)

The main characteristic of h is that each coefficient of h is the sum of four numbers, each of which is in the form of $f_i{g}_j$. E.g., the third coefficient $h_3$ in Formula (2) is $h_3=f_3{g}_0+f_2{g}_1+f_1{g}_2+f_0{g}_3$. However, in the ring $\mathbb{Z}\left[x\right]/(x^4-x^2+1)$, the product of f and g can be obtained from

$$h=\left[\begin{array}{c}{h}_0\\ h_1\\ h_2\\ h_3\end{array}\right]=\left[\begin{array}{cccc}{f}_0& -f_3& -f_2& -f_1-f_3\\ f_1& f_0& -f_3& -f_2\\ f_2& f_1+f_3& f_0+f_2& f_1\\ f_3& f_2& f_1+f_3& f_0+f_2\end{array}\right]·\left[\begin{array}{c}{g}_0\\ g_1\\ g_2\\ g_3\end{array}\right],$$

(3)

where the coefficient of h might contain some summands in the form of $f_i{g}_j+(f_i+f_{i^{\prime }})g_{j^{\prime }}$. E.g., the third coefficient $h_3$ in Formula (3) is $h_3=(f_3{g}_0+(f_1+f_3)g_2)+(f_2{g}_1+(f_0+f_2)g_3)$.

Inspired by the methodology in [18], the general representation of the product between $f={\sum }_{i=0}^{n-1}{f}_i{x}^i$ and $g={\sum }_{i=0}^{n-1}{g}_i{x}^i$ in $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$ is achieved through a matrix–vector multiplication as follows:

$$h=\left[\begin{array}{c}{h}_0\\ h_1\\ ⋮\\ h_{n-1}\end{array}\right]=\left[\begin{array}{cc}\mathbf{L}-\mathbf{U}& -\mathbf{F}-\mathbf{U}\\ \mathbf{F}+\mathbf{U}& \mathbf{F}+\mathbf{L}\end{array}\right]·\left[\begin{array}{c}{g}_0\\ g_1\\ ⋮\\ g_{n-1}\end{array}\right],$$

(4)

where $\mathbf{F},\mathbf{L},\mathbf{U}$ are the Toeplitz matrices of dimension $\frac{n}{2}$, which are defined as follows:

$$\mathbf{F}=\left[\begin{array}{cccc}{f}_{n/2}& f_{n/2-1}& \cdots & f_1\\ f_{n/2+1}& f_{n/2}& \cdots & f_2\\ ⋮& ⋮& \ddots & ⋮\\ f_{n-1}& f_{n-2}& \cdots & f_{n/2}\end{array}\right],$$

$$\mathbf{L}=\left[\begin{array}{cccc}{f}_0& 0& \cdots & 0\\ f_1& f_0& \cdots & 0\\ ⋮& ⋮& \ddots & ⋮\\ f_{n/2-1}& f_{n/2-2}& \cdots & f_0\end{array}\right],\mathbf{U}=\left[\begin{array}{cccc}0& f_{n-1}& \cdots & f_{n/2+1}\\ ⋮& ⋮& \ddots & ⋮\\ 0& 0& \cdots & f_{n-1}\\ 0& 0& \cdots & 0\end{array}\right].$$

The correctness error of Tyber is based on the general form of h. The whole product is divided into two parts through the form of partitioned matrices. As specified in Formula (4), the individual coefficients in the lower half of the resulting product, i.e.,

$$\left[\begin{array}{cc}\mathbf{F}+\mathbf{U}& \mathbf{F}+\mathbf{L}\end{array}\right]·\left[\begin{array}{c}{g}_0\\ g_1\\ ⋮\\ g_{n-1}\end{array}\right],$$

(5)

are obtained from the sum of $n/2$ terms:

$${\sigma }_{i,i^{\prime },j,j^{\prime }}=f_i{g}_j+(f_i+f_{i^{\prime }})g_{j^{\prime }}$$

(6)

The third coefficient $h_3$ in Formula (3) is an example. The coefficient of the l-th row in the upper half, i.e.,

$$\left[\begin{array}{cc}\mathbf{L}-\mathbf{U}& -\mathbf{F}-\mathbf{L}\end{array}\right]·\left[\begin{array}{c}{g}_0\\ g_1\\ ⋮\\ g_{n-1}\end{array}\right],$$

(7)

is the sum of $(n/2-l)$ terms of the form ${\sigma }_{i,i^{\prime },j,j^{\prime }}=f_i{g}_j+(f_i+f_{i^{\prime }})g_{j^{\prime }}$, as in Formula (6), and l terms of the form ${\theta }_{i,i^{\prime },j,j^{\prime }}=f_i{g}_j+f_{i^{\prime }}{g}_{j^{\prime }}$.

As suggested in [18], the first form has a “wider” distribution than the latter form from the random variance point of view. Therefore, our subsequent correctness analysis will be based on the first form for conservative estimation.

4.1.2. Error Probability over $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$

The detailed procedure of calculating the error probability $\delta$ in Theorem 1 is given here. As for the term ${\mathbf{e}}^T\mathbf{r}-{\mathbf{s}}^T({\mathbf{e}}_1+{\mathbf{c}}_u)+c_v+e_2$ in Formula (1), each coefficient of the product ${\mathbf{e}}^T\mathbf{r}$ is distributed as the sum of $kn/2$ independent random variables of the form ${\sigma }_{i,i^{\prime },j,j^{\prime }}=e_i{r}_j+(e_i+e_{i^{\prime }})r_{j^{\prime }}$, as in Formula (6), where $e_i,e_{i^{\prime }},r_j,r_{j^{\prime }}\leftarrow {\Psi }_1$, since ${\mathbf{e}}^T\mathbf{r}$ is a polynomial inner product including k single polynomial multiplications.

The analysis is the same for the term ${\mathbf{s}}^T({\mathbf{e}}_1+{\mathbf{c}}_u)$, except that they are generated from different distribution $\mathbf{s}\leftarrow {\Psi }_1^k,{\mathbf{e}}_1\leftarrow {\Psi }_2^k,{\mathbf{c}}_u\leftarrow {\psi }_{d_u}^k$, as in Theorem 1.

The sum of the random variances ${\mathbf{e}}^T\mathbf{r}$, ${\mathbf{s}}^T({\mathbf{e}}_1+{\mathbf{c}}_u)$, $c_v$, and $e_2$, is obtained by computing their convolutions, where it uses the symmetry of the centered binomial distribution. The probability that any coefficient of ${\mathbf{e}}^T\mathbf{r}-{\mathbf{s}}^T({\mathbf{e}}_1+{\mathbf{c}}_u)+c_v+e_2$ is greater than $\lceil q/4\rfloor$ is its tail probability with the threshold $\lceil q/4\rfloor$. Finally, the final correctness error $\delta$ is derived by applying the union bound.

As for the three parameter sets in Table 2, we obtain the corresponding error probabilities as $2^{-129}$, $2^{-204}$, and $2^{-256}$, respectively, by using the reasonable but conservative methodology over trinomial cyclotomic rings mentioned above.

4.2. Provable Security Reduction

In the following, we will derive the provable security based on the MLWE assumption, which is similar to that of Kyber [4,27]. Formally, the following theorems guarantee its IND-CPA security and IND-CCA security.

Theorem 2.

Under the MLWE hardness assumption over trinomial cyclotomic rings, the public key encryption of Tyber is IND-CPA secure in the random oracle model.

Proof. 

We complete our proof via a progression of games ${\mathbf{G}}_0$, ${\mathbf{G}}_1$, and ${\mathbf{G}}_2$. Consider an adversary $\mathsf{A}$ who challenges the IND-CPA security experiment. We define ${\mathbf{Succ}}_i$ as the occurrence wherein $\mathsf{A}$ wins in the game ${\mathbf{G}}_i$, specifically, when $\mathsf{A}$ produces an output $b^{\prime }$ that matches the challenge bit b in ${\mathbf{G}}_i$.

Game ${\mathbf{G}}_0$. We define the initial security experiment as Game ${\mathbf{G}}_0$, which serves as the foundation for achieving original IND-CPA security. Thus, ${\mathbf{Adv}}_{\mathrm{PKE}}^{\mathrm{CPA}}\left(\mathsf{A}\right)=|\mathrm{Pr}\left[{\mathbf{Succ}}_0\right]-1/2|$.

Game ${\mathbf{G}}_1$. This game is the same as ${\mathbf{G}}_0$, except replacing $\mathbf{t}:=\mathbf{A}\mathbf{s}+\mathbf{e}$ used in KeyGen by $\mathbf{t}\stackrel{\$}{\leftarrow }{\mathcal{R}}_q^k$. To distinguish ${\mathbf{G}}_1$ from ${\mathbf{G}}_0$ is equivalent to solve an MLWE problem. More precisely, there exists an adversary $\mathsf{B}$ such that $|\mathrm{Pr}\left[{\mathbf{Succ}}_0\right]-\mathrm{Pr}\left[{\mathbf{Succ}}_1\right]|\le {\mathbf{Adv}}_{k,k,{\Psi }_1,{\Psi }_1}^{\mathrm{mlwe}}\left(\mathsf{B}\right)$.

Game ${\mathbf{G}}_2$. This game is identical to ${\mathbf{G}}_1$, except using uniformly random elements from ${\mathcal{R}}_q^k$ and ${\mathcal{R}}_q$ to replace ${\mathbf{A}}^T\mathbf{r}+{\mathbf{e}}_1$ and ${\mathbf{t}}^T\mathbf{r}+e_2$, respectively. Similarly, there exists an adversary $\mathsf{C}$ such that $|\mathrm{Pr}\left[{\mathbf{Succ}}_1\right]-\mathrm{Pr}\left[{\mathbf{Succ}}_2\right]|\le {\mathbf{Adv}}_{k+1,k,{\Psi }_1,{\Psi }_2}^{\mathrm{mlwe}}\left(\mathsf{C}\right)$.

Note that in ${\mathbf{G}}_2$ the information of $m_b$ is perfectly hidden by uniformly random elements, so $\mathrm{Pr}\left[{\mathbf{Succ}}_2\right]=1/2$.

Finally, we obtain ${\mathbf{Adv}}_{\mathrm{PKE}}^{\mathrm{CPA}}\left(\mathsf{A}\right)\le {\mathbf{Adv}}_{k,k,{\Psi }_1,{\Psi }_1}^{\mathrm{mlwe}}\left(\mathsf{B}\right)+{\mathbf{Adv}}_{k+1,k,{\Psi }_1,{\Psi }_2}^{\mathrm{mlwe}}\left(\mathsf{C}\right)$. Therefore, if the MLWE problem over trinomial cyclotomic ring is hard, our PKE is IND-CPA secure.    □

If the underlying PKE is IND-CPA secure, the studies in [29,31] show us that the resulting KEM obtained by using a variant of the Fujisaki–Okamoto transform is IND-CCA secure in both the random oracle model and quantum random oracle model. According to [4,27,29,31], we have the following theorem.

Theorem 3.

Under the MLWE hardness assumption over the trinomial cyclotomic ring $\mathbb{Z}\left[x\right]/(x^n-x^{n/2}+1)$, the key encapsulation mechanism of Tyber is IND-CCA secure in both the random oracle model and quantum random oracle model.

4.3. Implementation Analysis

From an implementation point of view, the fundamental and time-consuming operation is the polynomial multiplication in algebraically structured lattice-based schemes, including Kyber and our Tyber. A more efficient polynomial multiplication algorithm can greatly accelerate the efficiency of the schemes. According to the studies in [14,18], our Tyber can achieve the same efficiency as Kyber.

As shown in Table 2, Tyber uses trinomial cyclotomic rings ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)$, where $(n=324,q=2917)$ and $(n=324,q=3889)$. As for both parameter tuples, from the work in [18] we can know that there is the isomorphism ${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)\cong {\mathbb{Z}}_q\left[x\right]/(x^{n/2}-{\zeta }_1)\times {\mathbb{Z}}_q\left[x\right]/(x^{n/2}-{\zeta }_2)$, where ${\zeta }_1$ and ${\zeta }_2$ should satisfy ${\zeta }_1+{\zeta }_2=1$ and ${\zeta }_1·{\zeta }_2=1$. We can choose ${\zeta }_1={\zeta }^{162}$ and ${\zeta }_2={\zeta }^{810}$, where $\zeta$ is the primitive $3n$-th (i.e., 972-th) root of unity in ${\mathbb{Z}}_q$. Then, we can utilize the efficient radix-2 NTT and radix-3 NTT techniques from [14]. The former corresponds to the isomorphism ${\mathbb{Z}}_q\left[x\right]/(x^{2s}-{\zeta }^{2\beta })\cong {\mathbb{Z}}_q\left[x\right]/(x^s-{\zeta }^{\beta })\times {\mathbb{Z}}_q\left[x\right]/(x^s+{\zeta }^{\beta })$, and the latter corresponds to the isomorphism ${\mathbb{Z}}_q\left[x\right]/(x^{3s}-{\zeta }^{3\beta })\cong {\mathbb{Z}}_q\left[x\right]/(x^s-{\zeta }^{\beta })\times {\mathbb{Z}}_q\left[x\right]/(x^s-\rho {\zeta }^{\beta })\times {\mathbb{Z}}_q\left[x\right]/(x^s-{\rho }^2{\zeta }^{\beta })$, where $s,\beta$ are positive integers and $\rho$ is the third root of unity. In detail, the final isomorphism can be described as follows:

$${\mathbb{Z}}_q\left[x\right]/(x^n-x^{n/2}+1)\cong \prod _{i\in {\mathbb{Z}}_{3n}^{\times }}{\mathbb{Z}}_q\left[x\right]/(x-{\zeta }^i),$$

where ${\mathbb{Z}}_{3n}^{\times }$ is the group of invertible elements of ${\mathbb{Z}}_{3n}$.

According to the benchmark results in [14,18], the NTT technique mentioned above is as efficient as that of Kyber. Regarding the implementation analysis in this section, we present an implementation analysis that, while not exhaustive, aims to demonstrate the potential efficiency of our schemes in comparison to Kyber.

5. Comparisons

As illustrated in

Table 3. Comparison of schemes.

Scheme		n	k	q	$\mathsf{\Phi }\left(\mathit{x}\right)$	$\left|\mathit{pk}\right|$	$\left|\mathit{ct}\right|$	B.W.	(Sec.C,Sec.Q)	$\mathit{\delta }$
Tyber (Ours)	Tyber648	324	2	2917	$x^n-x^{n/2}+1$	1004	932	1936	(142,129)	$2^{-129}$
	Tyber972	324	3	3889	$x^n-x^{n/2}+1$	1490	1337	2827	(217,197)	$2^{-204}$
	Tyber1296	324	4	3889	$x^n-x^{n/2}+1$	1976	1823	3799	(305,276)	$2^{-256}$
Kyber	Kyber512	256	2	3329	$x^n+1$	800	768	1568	(118,107)	$2^{-139}$
	Kyber768	256	3	3329	$x^n+1$	1184	1088	2272	(183,166)	$2^{-164}$
	Kyber1024	256	4	3329	$x^n+1$	1568	1568	3136	(256,232)	$2^{-174}$

, we provide concise comparisons between our scheme and the NIST-standardized candidate Kyber [4]. n is the polynomial dimension. q is the modulus. $\mathsf{\Phi }\left(x\right)$ means the underlying cyclotomic polynomial used in the schemes. The magnitudes of the public key ($\left|pk\right|$), ciphertext ($\left|ct\right|$), and bandwidth (B.W., i.e., $\left|pk\right|+\left|ct\right|$) are quantified in bytes. “Sec.C” denotes classical security and “Sec.Q” denotes quantum security, both of which are expressed in bits. $\delta$ means the error probability.

Upon comparison, our scheme utilizes trinomial cyclotomic rings, so there is more flexibility when selecting parameters. The dimension n in our scheme can take values of the form $2^k{3}^l,k\ge 1,l\ge 0$. However, Kyber suffers from the inflexibility of selecting parameters due to its underlying power-of-two cyclotomic rings, since n can only be $2^k,k\ge 1$.

Although Kyber has a more compact public key and ciphertext for the three security levels, Kyber actually achieves quantum security of 107, 166, and 232 bits, respectively, which is far less than 128, 192, and 256 bits, respectively. Note that Kyber768 has a quantum security of 166 bits, which has a very large margin for quantum security of 128 bits, resulting in larger security redundancy. Another important point is that the error probability of Kyber1024 is only $2^{-174}$, which actually does not match its security requirement as 232-bit quantum security.

According to Table 3, our scheme stands out with the practical and reliable security guarantees, since our scheme achieves the target quantum security of 128, 192, and 256 bits (actually achieving 129, 197, and 276 bits). The error probabilities of our scheme are precisely calibrated to satisfy the targeted security level for each parameter set, making them negligible in comparison to the specified security level, as they are substantively lower than $2^{-129}$, $2^{-204}$, and $2^{-256}$, respectively. When compared to Kyber, Tyber648, Tyber972, and Tyber1296 exhibit stronger quantum security, by 22, 31, and 44 bits, than Kyber512, Kyber768, and Kyber1024, respectively. In addition, Tyber972 and Tyber1296 demonstrate significantly lower error probabilities when compared to Kyber768 and Kyber1024, respectively.

Note that Tyber uses different moduli, $q=2917$ and $q=3889$, in order to achieve a balanced integrated performance for the three security levels. However, to adapt to different moduli we need two suites of NTT algorithms with different primitive roots of unity, resulting in more complicated implementation and more memory usage. In addition, according to the studies in Section 4.1, the trinomial cyclotomic rings used in Tyber lead to lower error probabilities due to their more complicated structures, but the error probabilities can be controlled in a negligible range by choosing parameter sets carefully.

6. Conclusions and Future Works

To overcome the inflexibility of selecting parameters with respect to MLWE-based schemes over power-of-two cyclotomic rings, in this paper we propose Tyber, a variant scheme of Kyber over trinomial cyclotomic rings, and provide three parameter sets which achieve the target quantum security of 128, 192, and 256 bits (actually achieving 129, 197, and 276 bits) with matching and negligible error probabilities. Tyber exhibits stronger quantum security by 22, 31, and 44 bits than Kyber for the three security levels, respectively. As for the limitation of this work, we only provide the concrete construction and theoretical analysis of Tyber. Therefore, the future works should consist of practical software or hardware implementations, such as C, Cortex-M4 and FPGA implementations.