# Polar Codes for Module-LWE Public Key Encryption: The Case of Kyber


## Abstract


## 1. Introduction

## 2. Preliminary

#### 2.1. Kyber

- ${R}_{q}$ is the polynomial ring ${\mathbb{Z}}_{q}\left[X\right]/({X}^{n}+1)$;
- ${B}_{\eta}$ is the binomial distribution: $Bi(2\eta ,0.5)-\eta $, centered around 0;
- $\mathrm{Decompress}_q(x,d) = \lceil (q/2^{d}) \cdot x \rfloor$;
- $\mathrm{Compress}_q(x,d) = \lceil (2^{d}/q) \cdot x \rfloor \bmod^{+} 2^{d}$;
- “←” will be interpreted as “sampled from”.

- Key generation: **A** $\in R_q^{k \times k} \leftarrow B_{\eta_1}$, **s**, **e** $\in R_q^{k} \leftarrow B_{\eta_1}$; public key: **t** $= \mathbf{A}\mathbf{s} + \mathbf{e}$; secret key: $\mathbf{s}$;
- Encryption: **r** $\in R_q^{k} \leftarrow B_{\eta_1}$, $\mathbf{e}_1 \in R_q^{k} \leftarrow B_{\eta_2}$, $e_2 \in R_q \leftarrow B_{\eta_2}$; **u** $= \mathbf{A}^{T}\mathbf{r} + \mathbf{e}_1$, $v = \mathbf{t}^{T}\mathbf{r} + e_2 + \mathrm{Decompress}_q(m,1)$; transmit $\mathrm{Compress}_q(\mathbf{u}, d_u)$, $\mathrm{Compress}_q(v, d_v)$;
- Decryption: $m = \mathrm{Compress}_q(\mathrm{Decompress}_q(v, d_v) - \mathbf{s}^{T}\,\mathrm{Decompress}_q(\mathbf{u}, d_u),\, 1)$.
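As an added worked example (not code from the paper or the Kyber project), the scheme above in Python with the paper's KYBER768 parameters (n = 256, k = 3, q = 3329, η1 = η2 = 2, d_u = 10, d_v = 4), using schoolbook multiplication in R_q instead of the NTT; it assumes **A** is sampled uniformly from R_q^{k×k} as in the Kyber specification, and applies no error-correcting code, so a decryption failure occurs with Kyber's own DFR.

```python
import secrets

n, k, q = 256, 3, 3329                     # KYBER768 parameters from the paper's table
eta1, eta2, du, dv = 2, 2, 10, 4

def compress(x, d):                        # Compress_q(x,d) = round((2^d/q)*x) mod+ 2^d
    return ((x * (1 << d) + q // 2) // q) % (1 << d)

def decompress(x, d):                      # Decompress_q(x,d) = round((q/2^d)*x)
    return (x * q + (1 << (d - 1))) >> d

def cbd(eta):                              # polynomial with coefficients from B_eta = Bi(2eta,0.5) - eta
    bit = lambda: secrets.randbits(1)
    return [sum(bit() for _ in range(eta)) - sum(bit() for _ in range(eta)) for _ in range(n)]

def polymul(a, b):                         # schoolbook product in R_q = Z_q[X]/(X^n + 1)
    acc = [0] * (2 * n)
    for i, ai in enumerate(a):
        if ai:                             # skip zero coefficients (common in B_eta samples)
            for j, bj in enumerate(b):
                acc[i + j] += ai * bj
    return [(acc[i] - acc[i + n]) % q for i in range(n)]   # X^n = -1 folds the high half

def padd(a, b):
    return [(x + y) % q for x, y in zip(a, b)]

def dot(va, vb):                           # inner product of two length-k vectors over R_q
    acc = [0] * n
    for a, b in zip(va, vb):
        acc = padd(acc, polymul(a, b))
    return acc

def keygen():                              # A uniform (assumption, per Kyber spec); s, e <- B_eta1; t = A s + e
    A = [[[secrets.randbelow(q) for _ in range(n)] for _ in range(k)] for _ in range(k)]
    s, e = [cbd(eta1) for _ in range(k)], [cbd(eta1) for _ in range(k)]
    return (A, [padd(dot(s, A[i]), e[i]) for i in range(k)]), s

def encrypt(pk, m):                        # m: list of n message bits
    A, t = pk
    r, e1, e2 = [cbd(eta1) for _ in range(k)], [cbd(eta2) for _ in range(k)], cbd(eta2)
    u = [padd(dot(r, [A[j][i] for j in range(k)]), e1[i]) for i in range(k)]  # u = A^T r + e1
    v = padd(padd(dot(r, t), e2), [decompress(b, 1) for b in m])             # v = t^T r + e2 + Decompress(m,1)
    return [[compress(c, du) for c in p] for p in u], [compress(c, dv) for c in v]

def decrypt(sk, ct):                       # m = Compress(Decompress(v,dv) - s^T Decompress(u,du), 1)
    cu, cv = ct
    u = [[decompress(c, du) for c in p] for p in cu]
    w = [(x - y) % q for x, y in zip([decompress(c, dv) for c in cv], dot(sk, u))]
    return [compress(c, 1) for c in w]
```

The final Compress with d = 1 maps coefficients near 0 or q to bit 0 and those near q/2 to bit 1, which is why the accumulated noise e^T r + e_2 - s^T e_1 plus the compression rounding must stay below q/4 per coefficient for decryption to succeed.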

#### 2.2. Polar Codes

**Definition 1.**

**Definition 2.**

- Channels where $I({W}_{N}^{\left(i\right)})\in (1-\delta ,1]$;
- Channels where $I({W}_{N}^{\left(i\right)})\in [0,\delta )$.

#### 2.3. Security against Side Channel Attacks

## 3. Materials and Methods

#### 3.1. Kyber Analysis

**s**,

**u** $\in R_q^{k}$ and $v \in R_q$.

**A** $\in R_q^{k \times k}$ and **s**, **e** $\in R_q^{k}$.

**r**, $\mathbf{e}_1$, $\mathbf{c}_u \in R_q^{k}$.

**t**, $\mathbf{r}$, $\mathbf{c}_u \in R_q^{k}$ and $e_2$, $c_v \in R_q$.

#### 3.2. Polar Code Selection

#### 3.3. Kyber–Polar Codes Compatibility

## 4. Results

## 5. Discussion

## 6. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Abbreviations

| Abbreviation | Meaning |
|---|---|
| RSA | Rivest–Shamir–Adleman |
| NIST | National Institute of Standards and Technology |
| ECC | Error Correcting Code |
| LWE | Learning With Error |
| RLWE | Ring-Learning With Error |
| MLWE | Module-Learning With Error |
| BLER | Block Error Rate |
| DFR | Decryption Failure Rate |
| SCA | Side Channel Attacks |


| | n | k | q | $\eta_1$ | $\eta_2$ | $d_u$ | $d_v$ |
|---|---|---|---|---|---|---|---|
| KYBER768 | 256 | 3 | 3329 | 2 | 2 | 10 | 4 |

| # of Trials | Mean | Variance |
|---|---|---|
| 10 | 0.1953 | 6068.48 |
| 100 | 0.3911 | 5859.28 |
| 1000 | −0.06599 | 5838.79 |
| 10,000 | 0.01449 | 5856.93 |
| 50,000 | 0.0578 | 5854.60 |
| 100,000 | 0.01642 | 5855.87 |

| k | SNR (dB) | DFR (Kyber Only) | BLER | Primal Attacks Classic/Quantum (bits) | Dual Attacks Classic/Quantum (bits) | Time per Transmission (s) |
|---|---|---|---|---|---|---|
| 3 | 26.75 | $2^{-164}$ | $2^{-1638}$ | 182/165 | 181/164 | 0.419615 |
| 4 | 26.2 | $2^{-126}$ | $2^{-1442}$ | 256/232 | 253/230 | 0.4833 |
| 5 | 25.75 | $2^{-102}$ | $2^{-1299}$ | 332/301 | 327/297 | 0.6016 |
| 6 | 25.35 | $2^{-85}$ | $2^{-1184}$ | 409/371 | 403/365 | 0.6807 |
| 7 | 24.95 | $2^{-73}$ | $2^{-1080}$ | 487/442 | 479/434 | 0.8353 |
| 8 | 24.6 | $2^{-64}$ | $2^{-995}$ | 567/514 | 556/504 | 0.9253 |
| 10 | 23.95 | $2^{-51}$ | $2^{-856}$ | 727/660 | 715/650 | 1.1895 |

| k | $\eta$ | SNR (dB) | DFR (Kyber Only) | BLER | Primal Attacks Classic/Quantum (bits) | Dual Attacks Classic/Quantum (bits) | Time per Transmission (s) |
|---|---|---|---|---|---|---|---|
| 3 | 2 | 26.75 | $2^{-164}$ | $2^{-1638}$ | 182/165 | 181/164 | 0.4196 |
| 3 | 3 | 25.6 | $2^{-83}$ | $2^{-1255}$ | 193/175 | 191/174 | 0.4196 |
| 3 | 4 | 23.9 | $2^{-50}$ | $2^{-847}$ | 201/182 | 199/181 | 0.4196 |
| 4 | 2 | 26.2 | $2^{-126}$ | $2^{-1442}$ | 256/232 | 253/230 | 0.4833 |
| 4 | 3 | 24.8 | $2^{-63}$ | $2^{-1043}$ | 270/245 | 267/242 | 0.4833 |
| 4 | 4 | 23.0 | $2^{-37}$ | $2^{-687}$ | 281/254 | 278/252 | 0.4834 |
| 5 | 3 | 24.0 | $2^{-50}$ | $2^{-866}$ | 349/316 | 345/313 | 0.6016 |
| 5 | 4 | 22.3 | $2^{-29}$ | $2^{-584}$ | 362/328 | 359/325 | 0.6016 |
| 5 | 5 | 20.9 | $2^{-18}$ | $2^{-421}$ | 373/338 | 369/335 | 0.6016 |

| | n | k | q | $\eta_1$ | $\eta_2$ | $d_u$ | $d_v$ |
|---|---|---|---|---|---|---|---|
| KYBER-PC | 256 | 4 | 3329 | 4 | 4 | 10 | 4 |


© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Papadopoulos, I.; Wang, J.
Polar Codes for Module-LWE Public Key Encryption: The Case of Kyber. *Cryptography* **2023**, *7*, 2.
https://doi.org/10.3390/cryptography7010002

**AMA Style**

Papadopoulos I, Wang J.
Polar Codes for Module-LWE Public Key Encryption: The Case of Kyber. *Cryptography*. 2023; 7(1):2.
https://doi.org/10.3390/cryptography7010002

**Chicago/Turabian Style**

Papadopoulos, Iason, and Jiabo Wang.
2023. "Polar Codes for Module-LWE Public Key Encryption: The Case of Kyber" *Cryptography* 7, no. 1: 2.
https://doi.org/10.3390/cryptography7010002