# An Analysis of Hardware Design of MLWE-Based Public-Key Encryption and Key-Establishment Algorithms


## Abstract


## 1. Introduction

## 2. Background

#### 2.1. Public-Key Encryption Algorithm

- Kyber.CPAPKE key-generation function

$\mathbf{s}$ and $\mathbf{e}$ are sampled from a centered binomial distribution (CBD). The public matrix $\hat{\mathbf{A}}$ is generated from a rejection sampler. The public key $pk$ and private key $sk$ are computed as $pk=(\rho ,\hat{\mathbf{t}})$ and $sk=\hat{\mathbf{s}}$, in which $\hat{\mathbf{t}}=\hat{\mathbf{A}}\circ \hat{\mathbf{s}}+\hat{\mathbf{e}}$. The details of the Kyber.CPAPKE key-generation function are described in Algorithm 1. In this algorithm, XOF is an extendable output function instantiated with SHAKE-128. The Parse function returns the NTT representation of its input byte stream. G is a hash function G: ${\mathcal{B}}^{*}\to {\mathcal{B}}^{32}\times {\mathcal{B}}^{32}$. PRF and NTT denote a pseudo-random function and the number theoretic transform, respectively.

Algorithm 1: Kyber PKE key-generation algorithm (Kyber.CPAPKE.KeyGen) [18].

Output: Public key $pk\in {\mathcal{B}}^{12\cdot k\cdot n/8+32}$, Secret key $sk\in {\mathcal{B}}^{12\cdot k\cdot n/8}$

1. $d\leftarrow {\mathcal{B}}^{32}$
2. $(\rho ,\sigma ):=\mathrm{G}(d)$
3. $N:=0$
4. for $i$ from 0 to $k-1$ do
5. for $j$ from 0 to $k-1$ do
6. $\hat{\mathbf{A}}[i][j]:=\mathrm{Parse}(\mathrm{XOF}(\rho ,j,i))$
7. end for
8. end for
9. for $i$ from 0 to $k-1$ do
10. $\mathbf{s}[i]:={\mathrm{CBD}}_{{\eta}_{1}}(\mathrm{PRF}(\sigma ,N))$
11. $N:=N+1$
12. end for
13. for $i$ from 0 to $k-1$ do
14. $\mathbf{e}[i]:={\mathrm{CBD}}_{{\eta}_{1}}(\mathrm{PRF}(\sigma ,N))$
15. $N:=N+1$
16. end for
17. $\hat{\mathbf{s}}:=\mathrm{NTT}(\mathbf{s})$
18. $\hat{\mathbf{e}}:=\mathrm{NTT}(\mathbf{e})$
19. $\hat{\mathbf{t}}:=\hat{\mathbf{A}}\circ \hat{\mathbf{s}}+\hat{\mathbf{e}}$
20. $pk:={\mathrm{Encode}}_{12}(\hat{\mathbf{t}}\ {\mathrm{mod}}^{+}q)\,||\,\rho$
21. $sk:={\mathrm{Encode}}_{12}(\hat{\mathbf{s}}\ {\mathrm{mod}}^{+}q)$
22. return $(pk,sk)$

- Kyber.CPAPKE encryption function

${\mathbf{e}}_{1}$, and ${e}_{2}$ are sampled from a binomial sampler. The ciphertext $c$ is constructed as $c=({\mathrm{Compress}}_{q}(\mathbf{u},{d}_{u}),{\mathrm{Compress}}_{q}(v,{d}_{v}))$, where $\mathbf{u}={\mathrm{NTT}}^{-1}({\hat{\mathbf{A}}}^{T}\circ \hat{\mathbf{r}})+{\mathbf{e}}_{1}$ and $v={\mathrm{NTT}}^{-1}({\hat{\mathbf{t}}}^{T}\circ \hat{\mathbf{r}})+{e}_{2}+m$. ${\mathrm{NTT}}^{-1}$ is the inverse number theoretic transform.

Algorithm 2: Kyber PKE encryption algorithm (Kyber.CPAPKE.Enc($pk,m,r$)) [18].

Input: Message $m\in {\mathcal{B}}^{32}$, Public key $pk\in {\mathcal{B}}^{12\cdot k\cdot n/8+32}$, Random coins $r\in {\mathcal{B}}^{32}$

Output: Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$

1. $N:=0$
2. $\hat{\mathbf{t}}:={\mathrm{Decode}}_{12}(pk)$
3. $\rho :=pk+12\cdot k\cdot n/8$
4. for $i$ from 0 to $k-1$ do
5. for $j$ from 0 to $k-1$ do
6. ${\hat{\mathbf{A}}}^{T}[i][j]:=\mathrm{Parse}(\mathrm{XOF}(\rho ,i,j))$
7. end for
8. end for
9. for $i$ from 0 to $k-1$ do
10. $\mathbf{r}[i]:={\mathrm{CBD}}_{{\eta}_{1}}(\mathrm{PRF}(r,N))$
11. $N:=N+1$
12. end for
13. for $i$ from 0 to $k-1$ do
14. ${\mathbf{e}}_{1}[i]:={\mathrm{CBD}}_{{\eta}_{2}}(\mathrm{PRF}(r,N))$
15. $N:=N+1$
16. end for
17. ${e}_{2}:={\mathrm{CBD}}_{{\eta}_{2}}(\mathrm{PRF}(r,N))$
18. $\hat{\mathbf{r}}:=\mathrm{NTT}(\mathbf{r})$
19. $\mathbf{u}:={\mathrm{NTT}}^{-1}({\hat{\mathbf{A}}}^{T}\circ \hat{\mathbf{r}})+{\mathbf{e}}_{1}$
20. $v:={\mathrm{NTT}}^{-1}({\hat{\mathbf{t}}}^{T}\circ \hat{\mathbf{r}})+{e}_{2}+{\mathrm{Decompress}}_{q}({\mathrm{Decode}}_{1}(m),1)$
21. ${c}_{1}:={\mathrm{Encode}}_{{d}_{u}}({\mathrm{Compress}}_{q}(\mathbf{u},{d}_{u}))$
22. ${c}_{2}:={\mathrm{Encode}}_{{d}_{v}}({\mathrm{Compress}}_{q}(v,{d}_{v}))$
23. return $c=({c}_{1},{c}_{2})$

- Kyber.CPAPKE decryption function

$\mathbf{u}$ and $v$ are extracted from $c$.

Algorithm 3: Kyber PKE decryption algorithm (Kyber.CPAPKE.Dec) [18].

Input: Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$, Secret key $sk\in {\mathcal{B}}^{12\cdot k\cdot n/8}$

Output: Message $m\in {\mathcal{B}}^{32}$

1. $\mathbf{u}:={\mathrm{Decompress}}_{q}({\mathrm{Decode}}_{{d}_{u}}(c),{d}_{u})$
2. $v:={\mathrm{Decompress}}_{q}({\mathrm{Decode}}_{{d}_{v}}(c+{d}_{u}\cdot k\cdot n/8),{d}_{v})$
3. ${c}_{1}:={\mathrm{Encode}}_{{d}_{u}}({\mathrm{Compress}}_{q}(\mathbf{u},{d}_{u}))$
4. ${c}_{2}:={\mathrm{Encode}}_{{d}_{v}}({\mathrm{Compress}}_{q}(v,{d}_{v}))$
5. $\hat{\mathbf{s}}:={\mathrm{Decode}}_{12}(sk)$
6. $m:={\mathrm{Encode}}_{1}({\mathrm{Compress}}_{q}(v-{\mathrm{NTT}}^{-1}({\hat{\mathbf{s}}}^{T}\circ \mathrm{NTT}(\mathbf{u})),1))$
7. return $m$
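The $\mathrm{Compress}_q$ / $\mathrm{Decompress}_q$ pair that Algorithms 2 and 3 rely on, including the one-bit message encoding of Enc line 20 and the recovery step of Dec line 6, as an added Python example that is not code from the paper. It follows the rounding rules of the Kyber specification [18] and the parameter $q=3329$ from Table 1; the function names and the noise-tolerance check are this example's own.

```python
# Added example, not from the paper: Kyber's Compress_q / Decompress_q as used
# in Algorithms 2 and 3, plus the one-bit message encode/decode of Enc line 20
# and Dec line 6. Rounding follows the Kyber specification [18].
Q = 3329  # Kyber modulus q (Table 1)


def compress(x: int, d: int) -> int:
    """Compress_q(x, d) = round(2^d / q * x) mod 2^d for x in [0, q)."""
    # q is odd, so 2^d * x / q is never exactly half-way; +q//2 rounds to nearest.
    return (((x % Q) << d) + Q // 2) // Q % (1 << d)


def decompress(y: int, d: int) -> int:
    """Decompress_q(y, d) = round(q / 2^d * y) for y in [0, 2^d)."""
    return (y * Q + (1 << (d - 1))) >> d


def centered(x: int) -> int:
    """x mod+- q: the representative in (-q/2, q/2]."""
    r = x % Q
    return r - Q if r > Q // 2 else r


def roundtrip_error(x: int, d: int) -> int:
    """|Decompress(Compress(x, d), d) - x| measured mod+- q."""
    return abs(centered(decompress(compress(x, d), d) - x))


def max_roundtrip_error(d: int) -> int:
    """Largest error over all x in [0, q); the spec bounds it by round(q / 2^(d+1))."""
    return max(roundtrip_error(x, d) for x in range(Q))


def encode_bit(bit: int) -> int:
    """Enc line 20: a message bit becomes 0 or round(q/2) before it is added to v."""
    return decompress(bit & 1, 1)


def decode_bit(v_coef: int) -> int:
    """Dec line 6: Compress_q(., 1) returns 1 when the value is closer to q/2 than to 0."""
    return compress(v_coef, 1)


def survives_noise(bit: int, max_noise: int) -> bool:
    """True if decode_bit recovers `bit` under every additive noise of size <= max_noise."""
    return all(decode_bit((encode_bit(bit) + n) % Q) == bit
               for n in range(-max_noise, max_noise + 1))


if __name__ == "__main__":
    for d in (1, 4, 5, 10, 11):   # d_v and d_u values of Table 1, plus d = 1
        print(f"d={d:2d}: max error {max_roundtrip_error(d):4d}, "
              f"bound {round(Q / 2 ** (d + 1))}")
    print("bit survives noise up to 831:", survives_noise(0, 831) and survives_noise(1, 831))
```

The last check shows why decryption tolerates coefficient noise only below roughly $q/4$: any larger perturbation flips the recovered bit.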

#### 2.2. Key-Establishment Algorithm

- Kyber.CCAKEM key generation algorithm

Algorithm 4: Kyber KEM key-generation algorithm (Kyber.CCAKEM.KeyGen) [18].

Output: Public key $pk\in {\mathcal{B}}^{12\cdot k\cdot n/8+32}$, Secret key $sk\in {\mathcal{B}}^{12\cdot k\cdot n/8+96}$

1. $z\leftarrow {\mathcal{B}}^{32}$
2. $(pk,sk^{\prime}):=\mathrm{Kyber.CPAPKE.KeyGen}()$
3. $sk:=(sk^{\prime}\,||\,pk\,||\,\mathrm{H}(pk)\,||\,z)$
4. return $(pk,sk)$

- Kyber.CCAKEM encapsulation algorithm

Algorithm 5: Kyber.CCAKEM.Enc($pk$) [18].

Input: Public key $pk\in {\mathcal{B}}^{12\cdot k\cdot n/8+32}$

Output: Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$, Shared key $K\in {\mathcal{B}}^{*}$

1. $m\leftarrow {\mathcal{B}}^{32}$
2. $m\leftarrow \mathrm{H}(m)$
3. $(\overline{K},r)\leftarrow \mathrm{G}(m\,||\,\mathrm{H}(pk))$
4. $c:=\mathrm{Kyber.CPAPKE.Enc}(pk,m,r)$
5. $K:=\mathrm{KDF}(\overline{K}\,||\,\mathrm{H}(c))$
6. return $(c,K)$

- Kyber.CCAKEM decapsulation algorithm

Algorithm 6: Kyber.CCAKEM.Dec($c,sk$) [18].

Input: Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$, Secret key $sk\in {\mathcal{B}}^{12\cdot k\cdot n/8+96}$

Output: Shared key $K\in {\mathcal{B}}^{*}$

1. $pk:=sk+12\cdot k\cdot n/8$
2. $h:=sk+24\cdot k\cdot n/8+32\in {\mathcal{B}}^{32}$
3. $z:=sk+24\cdot k\cdot n/8+64$
4. ${m}^{\prime}:=\mathrm{Kyber.CPAPKE.Dec}(\mathbf{s},(\mathbf{u},v))$
5. $(\overline{K},{r}^{\prime}):=\mathrm{G}({m}^{\prime}\,||\,h)$
6. ${c}^{\prime}:=\mathrm{Kyber.CPAPKE.Enc}(pk,{m}^{\prime},{r}^{\prime})$
7. if $c={c}^{\prime}$ then
8. return $K=\mathrm{KDF}(\overline{{K}^{\prime}}\,||\,\mathrm{H}(c))$
9. else
10. return $K=\mathrm{KDF}(z\,||\,\mathrm{H}(c))$
11. end if
12. return $K$

#### 2.3. Arithmetic Operations in CRYSTALS-Kyber

- Number Theoretic Transform

- Modular reduction algorithm

- Sampling

Algorithm 7: ${\mathrm{CBD}}_{\eta}:{\mathcal{B}}^{64\eta}\to {R}_{q}$ [18].

Input: Byte array $B=({b}_{0},{b}_{1},{b}_{2},\dots ,{b}_{64\eta -1})\in {\mathcal{B}}^{64\eta}$

Output: Polynomial $f\in {R}_{q}$

1. $({\beta}_{0},\dots ,{\beta}_{512\eta -1}):=\mathrm{BytesToBits}(B)$
2. for $i$ from 0 to 255 do
3. $a:={\sum}_{j=0}^{\eta -1}{\beta}_{2i\eta +j}$
4. $b:={\sum}_{j=0}^{\eta -1}{\beta}_{2i\eta +\eta +j}$
5. ${f}_{i}:=a-b$
6. end for
7. return ${f}_{0}+{f}_{1}X+{f}_{2}{X}^{2}+\cdots +{f}_{255}{X}^{255}$
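The ${\mathrm{CBD}}_{\eta}$ sampler of Algorithm 7, driven by the nonce-counting loop of Algorithm 1 (lines 9 to 16), as an added Python example that is not code from the paper. It assumes $\mathrm{PRF}(s,b)=\mathrm{SHAKE\text{-}256}(s\,||\,b)$ as instantiated in the Kyber specification [18]; the seed used at the bottom is a constructed all-zero string so the block runs offline, and the function names are this example's own.

```python
# Added example, not from the paper: Kyber's CBD_eta sampler (Algorithm 7)
# and the nonce-driven sampling loop of Algorithm 1 (lines 9 to 16).
# Assumption (from the Kyber specification): PRF(s, b) = SHAKE-256(s || b).
import hashlib
from typing import List, Tuple

N = 256     # polynomial degree n
Q = 3329    # Kyber modulus q


def bytes_to_bits(B: bytes) -> List[int]:
    """BytesToBits: bit j of byte i becomes beta[8*i + j] (little-endian order)."""
    return [(byte >> j) & 1 for byte in B for j in range(8)]


def cbd(B: bytes, eta: int) -> List[int]:
    """CBD_eta: 64*eta bytes -> 256 coefficients f_i = a - b in [-eta, eta].

    a and b each sum eta fresh bits, so f_i is centered binomial with
    variance eta/2. Coefficients are kept in signed form, as in Algorithm 7.
    """
    if len(B) != 64 * eta:
        raise ValueError(f"CBD_{eta} expects {64 * eta} bytes, got {len(B)}")
    beta = bytes_to_bits(B)            # 512*eta bits
    f = []
    for i in range(N):
        a = sum(beta[2 * i * eta + j] for j in range(eta))
        b = sum(beta[2 * i * eta + eta + j] for j in range(eta))
        f.append(a - b)
    return f


def prf(seed: bytes, nonce: int, eta: int) -> bytes:
    """PRF(seed, nonce): SHAKE-256(seed || nonce) truncated to the 64*eta bytes CBD needs."""
    return hashlib.shake_256(seed + bytes([nonce])).digest(64 * eta)


def sample_vector(seed: bytes, k: int, eta: int, nonce: int) -> Tuple[List[List[int]], int]:
    """Lines 9-16 of Algorithm 1 for one vector: k polynomials, one nonce each.

    Returns the vector and the advanced counter N, so the caller can sample the
    next vector (e after s) without ever reusing a PRF output.
    """
    vec = []
    for _ in range(k):
        vec.append(cbd(prf(seed, nonce, eta), eta))
        nonce += 1
    return vec, nonce


def to_mod_q(poly: List[int]) -> List[int]:
    """Reduce signed coefficients into [0, q), i.e. mod+ q as Encode_12 expects."""
    return [c % Q for c in poly]


def keygen_secret_and_error(sigma: bytes, k: int, eta1: int):
    """s and e of Algorithm 1 for one (k, eta1) parameter set; returns the final N too."""
    s, n_after_s = sample_vector(sigma, k, eta1, 0)
    e, n_after_e = sample_vector(sigma, k, eta1, n_after_s)
    return s, e, n_after_e


if __name__ == "__main__":
    # Constructed seed (all zeros) so the example is deterministic and offline.
    s, e, n_final = keygen_secret_and_error(bytes(32), 2, 3)   # Kyber-512: k=2, eta1=3
    print("nonces consumed:", n_final, "| first coefficients of s[0]:", s[0][:8])
```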

## 3. Implementation of CRYSTALS-Kyber

## 4. Discussion

## 5. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Huang, X.; Wang, W. A Novel and Efficient Design for an RSA Cryptosystem with a Very Large Key Size. IEEE Trans. Circuits Syst. II Express Briefs **2015**, 62, 972–976.
2. Sun, H.; Wu, M.; Ting, W.; Hinek, M.J. Dual RSA and Its Security Analysis. IEEE Trans. Inf. Theory **2007**, 53, 2922–2933.
3. Ma, K.; Liang, H.; Wu, K. Homomorphic Property-Based Concurrent Error Detection of RSA: A Countermeasure to Fault Attack. IEEE Trans. Comput. **2012**, 61, 1040–1049.
4. Yang, C.; Chang, T.; Jen, C. A New RSA Cryptosystem Hardware Design Based on Montgomery's Algorithm. IEEE Trans. Circuits Syst. II Analog. Digit. Signal Process. **1998**, 45, 908–913.
5. Sutter, G.D.; Deschamps, J.P.; Imaña, J.L. Efficient Elliptic Curve Point Multiplication using Digit-Serial Binary Field Operations. IEEE Trans. Ind. Electron. **2013**, 60, 217–225.
6. Koblitz, N.; Menezes, A.; Vanstone, S. The State of Elliptic Curve Cryptography. Des. Codes Cryptogr. **2000**, 19, 173–193.
7. Chelton, W.N.; Benaissa, M. Fast Elliptic Curve Cryptography on FPGA. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. **2008**, 16, 198–205.
8. Mahdizadeh, H.; Masoumi, M. Novel Architecture for Efficient FPGA Implementation of Elliptic Curve Cryptographic Processor over GF(2^163). IEEE Trans. Very Large Scale Integr. (VLSI) Syst. **2013**, 21, 2330–2333.
9. Lee, Y.K.; Sakiyama, K.; Batina, L.; Verbauwhede, I. Elliptic Curve-Based Security Processor for RFID. IEEE Trans. Comput. **2008**, 57, 1514–1527.
10. NIST Post-Quantum Cryptography Standardization. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography (accessed on 8 February 2022).
11. Bos, J.; Costello, C.; Ducas, L.; Mironov, I.; Naehrig, M.; Nikolaenko, V.; Raghunathan, A.; Stebila, D. Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 1006–1018.
12. Nguyen Tan, T.; Lee, H. High-Performance Ring-LWE Cryptography Scheme for Biometric Data Security. IEIE Trans. Smart Process. Comput. **2018**, 7, 97–106.
13. Rentería-Mejía, C.P.; Velasco-Medina, J. High-Throughput Ring-LWE Cryptoprocessors. IEEE Trans. Very Large Scale Integr. (VLSI) Syst. **2017**, 25, 2332–2345.
14. Chen, D.D.; Mentens, N.; Vercauteren, F.; Roy, S.S.; Cheung, R.C.C.; Pao, D.; Verbauwhede, I. High-Speed Polynomial Multiplication Architecture for Ring-LWE and SHE Cryptosystems. IEEE Trans. Circuits Syst. I Regul. Pap. **2015**, 62, 157–166.
15. Nguyen Tan, T.; Lee, H. Efficient-Scheduling Parallel Multiplier-Based Ring-LWE Cryptoprocessors. Electronics **2019**, 8, 413.
16. Nguyen Tan, T.; Lee, H. High-Secure Low-Latency Ring-LWE Cryptography Scheme for Biomedical Images Storing and Transmitting. In Proceedings of the 2018 IEEE International Symposium on Circuits and Systems (ISCAS), Florence, Italy, 27–30 May 2018; pp. 1–4.
17. Nguyen Tan, T.; Nguyen, T.T.B.; Lee, H. High-Efficiency Low-Latency NTT Polynomial Multiplier for Ring-LWE Cryptography. J. Semicond. Technol. Sci. (JSTS) **2020**, 20, 220–223.
18. Avanzi, R.; Bos, J.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehle, D. CRYSTALS-Kyber Algorithm Specifications and Supporting Documentation. Available online: https://pq-crystals.org/kyber/data/kyber-specification-round3-20210131.pdf (accessed on 8 February 2022).
19. Ma, L.; Wu, X.; Bai, G. Parallel polynomial multiplication optimized scheme for CRYSTALS-KYBER Post-Quantum Cryptosystem based on FPGA. In Proceedings of the 2021 International Conference on Communications, Information System and Computer Engineering (CISCE), Beijing, China, 14–16 May 2021; pp. 361–365.
20. Nguyen, D.T.; Dang, V.B.; Gaj, K. A High-Level Synthesis Approach to the Software/Hardware Codesign of NTT-Based Post-Quantum Cryptography Algorithms. In Proceedings of the 2019 International Conference on Field-Programmable Technology (ICFPT), Tianjin, China, 9–13 December 2019; pp. 371–374.
21. Bisheh-Niasar, M.; Azarderakhsh, R.; Mozaffari-Kermani, M. Instruction-Set Accelerated Implementation of CRYSTALS-Kyber. IEEE Trans. Circuits Syst. I Regul. Pap. **2021**, 68, 4648–4659.
22. Roy, S.S.; Basso, A. High-Speed Instruction-Set Coprocessor for Lattice-Based Key Encapsulation Mechanism: Saber in Hardware. IACR Trans. Cryptogr. Hardw. Embed. Syst. **2020**, 4, 443–466.
23. Huang, Y.; Huang, M.; Lei, Z.; Wu, J. A Pure Hardware Implementation of CRYSTALS-KYBER PQC Algorithm through Resource Reuse. IEICE Electron. Express **2020**, 17, 20200234.
24. Xing, Y.; Li, S. A Compact Hardware Implementation of CCA-Secure Key Exchange Mechanism Crystals-Kyber on FPGA. IACR Trans. Cryptogr. Hardw. Embed. Syst. **2021**, 2, 328–356.
25. Gupta, N.; Jati, A.; Chauhan, A.K.; Chattopadhyay, A. PQC Acceleration Using GPUs: FrodoKEM, NewHope, and Kyber. IEEE Trans. Parallel Distrib. Syst. **2021**, 32, 575–586.
26. Bos, J.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehle, D. CRYSTALS-Kyber: A CCA-Secure Module-Lattice-Based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 24–26 April 2018; pp. 353–367.
27. He, S.; Torkelson, M. Designing Pipeline FFT Processor for OFDM (De)modulation. In Proceedings of the 1998 URSI International Symposium on Signals, Systems, and Electronics, Pisa, Italy, 2 October 1998; pp. 257–262.
28. Nguyen, T.T.B.; Lee, H. High-Throughput Low-Complexity Mixed-Radix FFT Processor using a Dual-Path Shared Complex Constant Multiplier. J. Semicond. Technol. Sci. (JSTS) **2017**, 17, 101–109.
29. Bisheh-Niasar, M.; Azarderakhsh, R.; Mozaffari-Kermani, M. High-Speed NTT-Based Polynomial Multiplication Accelerator for Post-Quantum Cryptography. IACR Cryptology ePrint Archive: Report 2021/563. 2021. Available online: https://eprint.iacr.org/2021/563 (accessed on 8 February 2022).
30. Zhang, C.; Liu, D.; Liu, X.; Zou, X.; Niu, G.; Liu, B.; Jiang, Q. Towards Efficient Hardware Implementation of NTT for Kyber on FPGAs. In Proceedings of the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Korea, 22–28 May 2021; pp. 1–5.
31. Barrett, P. Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor. In Conference on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1986; pp. 311–323.
32. Montgomery, P.L. Modular Multiplication without Trial Division. Math. Comput. **1985**, 44, 519–521.
33. Kundi, D.-S.; Zhang, Y.; Wang, C.; Khalid, A.; O'Neill, M.; Liu, W. Ultra High-Speed Polynomial Multiplications for Lattice-based Cryptography on FPGAs. IEEE Trans. Emerg. Top. Comput. **2022**.
34. Regev, O. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. J. ACM **2009**, 56, 34.
35. Brakerski, Z.; Langlois, A.; Peikert, C.; Regev, O.; Stehle, D. Classical Hardness of Learning with Errors. In Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, Palo Alto, CA, USA, 2–4 June 2013; pp. 575–584.
36. Dang, V.B.; Farahmand, F.; Andrzejczak, M.; Mohajerani, K.; Nguyen, D.T.; Gaj, K. Implementation and Benchmarking of Round 2 Candidates in the NIST Post-Quantum Cryptography Standardization Process Using Hardware and Software/Hardware Co-Design Approaches. IACR Cryptology ePrint Archive: Report 2020/795. 2020. Available online: https://eprint.iacr.org/2020/795 (accessed on 8 February 2022).
37. Basu, K.; Soni, D.; Nabeel, M.; Karri, R. NIST Post-Quantum Cryptography—A Hardware Evaluation Study. IACR Cryptology ePrint Archive: Report 2019/047. 2019. Available online: https://eprint.iacr.org/2019/047 (accessed on 8 February 2022).

**Table 1.** Kyber parameter sets [18].

Algorithm | NIST Security Level | $n$ | $k$ | $q$ | ($\eta_1$, $\eta_2$) | ($d_u$, $d_v$)
---|---|---|---|---|---|---
Kyber-512 | 1 | 256 | 2 | 3329 | (3, 2) | (10, 4)
Kyber-768 | 3 | 256 | 3 | 3329 | (2, 2) | (10, 4)
Kyber-1024 | 5 | 256 | 4 | 3329 | (2, 2) | (11, 5)

**Table 2.** Comparison of Kyber PKE encryption/decryption and Kyber KEM encapsulation/decapsulation algorithms.

Algorithm | Input | Output
---|---|---
PKE encryption | Input message $m\in {\mathcal{B}}^{32}$; Public key $pk\in {\mathcal{B}}^{12\cdot k\cdot n/8+32}$; Random coins $r\in {\mathcal{B}}^{32}$ | Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$
KEM encapsulation | Public key $pk\in {\mathcal{B}}^{12\cdot k\cdot n/8+32}$ | Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$; Shared key $K\in {\mathcal{B}}^{*}$
PKE decryption | Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$; Secret key $sk\in {\mathcal{B}}^{12\cdot k\cdot n/8}$ | Original message $m\in {\mathcal{B}}^{32}$
KEM decapsulation | Ciphertext $c\in {\mathcal{B}}^{{d}_{u}\cdot k\cdot n/8+{d}_{v}\cdot n/8}$; Secret key $sk\in {\mathcal{B}}^{12\cdot k\cdot n/8+96}$ | Shared key $K\in {\mathcal{B}}^{*}$

**Table 3.** Results of Kyber pure software design on Intel Haswell CPUs and ARM Cortex-M4 CPUs [18].

Algorithm | Function | Intel Haswell CPUs (clock cycles) | ARM Cortex-M4 CPUs (clock cycles)
---|---|---|---
Kyber-512 | Encapsulation | 154,524 | 561,518
Kyber-512 | Decapsulation | 187,960 | 519,237
Kyber-768 | Encapsulation | 235,260 | 915,676
Kyber-768 | Decapsulation | 274,900 | 853,001
Kyber-1024 | Encapsulation | 346,648 | 1,407,769
Kyber-1024 | Decapsulation | 396,584 | 1,326,409

**Table 4.** Existing pure software design and software/hardware codesign results of Kyber [36].

Algorithm | Function | Pure Software Design (µs) | Software/Hardware Codesign (µs)
---|---|---|---
Kyber-512 | Encapsulation | 332.0 | 15.2
Kyber-512 | Decapsulation | 433.0 | 17.1
Kyber-768 | Encapsulation | 536.7 | 17.8
Kyber-768 | Decapsulation | 670.1 | 20.1
Kyber-1024 | Encapsulation | 787.5 | 22.0
Kyber-1024 | Decapsulation | 953.7 | 24.7

Parameter | [37] | [23] | [24] | [36] | [29] | [21] |
---|---|---|---|---|---|---|

Device | Virtex-7 | Artix-7 | Artix-7 | Artix-7 | Artix-7 | Artix-7 |

LUTs | 1978 K | 89 K | 7 K | 12 K | 11 K | 18 K |

FFs | 194 K | NA | 5 K | 10 K | 10 K | 5 K |

Slices | NA | NA | 2 K | 4 K | 4 K | 5 K |

DSPs | 0 | 354 | 2 | 8 | 8 | 6 |

BRAMs | 0 | 202 | 3 | 15 | 13 | 15 |

Frequency (MHz) | 67 | 155 | 161 | 210 | 200 | 115 |

Total time ($\mathsf{\mu}$s) | 1169 | 761 | 72 | 35 | 31 | 148 |

Area × Time (LUTs × s) | 2312.28 | 67.73 | 0.50 | 0.42 | 0.34 | 2.66 |


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Nguyen, T.T.; Nguyen, T.T.B.; Lee, H.
An Analysis of Hardware Design of MLWE-Based Public-Key Encryption and Key-Establishment Algorithms. *Electronics* **2022**, *11*, 891.
https://doi.org/10.3390/electronics11060891
