CRYSTALS-Kyber With Lattice Quantizer

Shuiyin Liu, Amin Sakzad

TL;DR

This work reframes key reconciliation from LWE-based encryption to lattice-quantized KRM, providing a dither-free, generic framework that supports arbitrary lattice dimensions and moduli $q$ and derives an explicit upper bound on the decryption failure rate (DFR). By introducing rejection sampling to remove even-$q$ constraints and employing flexible lattice quantizers ($\mathsf{E_8}$, $\mathsf{BW16}$, $\mathsf{Leech24}$), the authors show how to minimize the ciphertext expansion rate (CER) while reducing DFR, enabling large gains over CRYSTALS-Kyber in CER (up to $36.47\%$) and DFR (up to $2^{99}$ factor) with the same security parameters. They provide concrete instances, notably KRM-$\Lambda$, that reuse Kyber's security settings but achieve substantially better efficiency, including shortened plaintext options and potential IND-CCA security via standard transforms. Overall, lattice quantizers offer a practical path to more efficient post-quantum key exchange by simultaneously shrinking CER and DFR without altering the underlying security assumptions.

Abstract

Module Learning with Errors (M-LWE) based key reconciliation mechanisms (KRM) can be viewed as quantizing an M-LWE sample according to a lattice codebook. This paper describes a generic M-LWE-based KRM framework, valid for lattices of any dimension and any modulus $q$, without a dither. Our main result is an explicit upper bound on the decryption failure rate (DFR) of M-LWE-based KRM. This bound allows us to construct optimal lattice quantizers to reduce the DFR and communication cost simultaneously. Moreover, we present a KRM scheme using the same security parameters $(q,k,\eta_1,\eta_2)$ as in Kyber. Compared with Kyber, the communication cost is reduced by up to $36.47\%$ and the DFR is reduced by a factor of up to $2^{99}$. The security arguments remain the same as Kyber.

Paper Structure

This paper contains 15 sections, 5 theorems, 25 equations, 6 tables, 9 algorithms.

Key Result

Lemma 1

Considering the Smith Normal Form factorization (SNF) of an $\ell$-dimensional lattice $\Lambda$ with an integer generator matrix $\mathbf{B}$, denoted as $\mathbf{B}= \mathbf{U}\cdot \mathop{\mathrm{diag}}\nolimits (\pi_1, \ldots, \pi_\ell) \cdot \mathbf{U}'$, where $\mathbf{U}, \mathbf{U}' \in \mat

Theorems & Definitions (15)

  • Lemma 1
  • proof
  • Remark 1
  • Example 1
  • Lemma 2: MLWEE82021
  • Example 2
  • Remark 2
  • Example 3
  • Theorem 1
  • proof
  • ...and 5 more