
Reducing Ciphertext and Key Sizes for MLWE-Based Cryptosystems

Georg Maringer, Antonia Wachter-Zeh

TL;DR

This work investigates reducing ciphertext and secret-key sizes in MLWE-based KEMs, focusing on Kyber, by treating encryption+decryption as data transmission over a noisy channel. It combines asymptotic capacity analysis with finite-length achievability bounds (normal approximation and the RCU bound) to identify parameter changes that shrink data sizes while preserving security, including l adjustments and ciphertext compression settings. Key findings show asymptotic size reductions of about 25% for Kyber1024 (with a 44% smaller A matrix) and substantial per-block reductions (up to ~39% for Kyber1024 and ~33% for Kyber512) through compression; finite-length results indicate practical reductions of around 25–28% for a single 256-bit AES key exchange. These results offer concrete parameter-tuning guidelines to reduce bandwidth and storage requirements for MLWE-based KEM deployments without compromising cryptographic security.

Abstract

The concatenation of encryption and decryption can be interpreted as data transmission over a noisy communication channel. In this work, we use finite blocklength methods (normal approximation and random coding union bound) as well as asymptotics to show that ciphertext and key sizes of the state-of-the-art post-quantum secure key encapsulation mechanism (KEM) Kyber can be reduced without compromising the security of the scheme. We show that in the asymptotic regime, it is possible to reduce the sizes of ciphertexts and secret keys by 25% for the parameter set Kyber1024 while keeping the bitrate at 1 as proposed in the original scheme. For a single Kyber encryption block used to share a 256-bit AES key, we furthermore show that reductions in ciphertext size of 39% and 33% are possible for Kyber1024 and Kyber512, respectively.

Paper Structure

This paper contains 10 sections, 4 theorems, 15 equations, 6 figures.

Key Result

Lemma 1

Let the distribution of the product of two elements sampled from the centered binomial distribution $\chi_k$ be denoted as $\xi_k$. Let the distribution of one coefficient in $\bm{s}^T(\bm{e'}+\bm{c_{N_u}})$ be labelled as $\eta_k$ and the distribution of $c_{N_v}$ as $\rho_v$. Then, the probabil

Figures (6)

  • Figure 1: MLWE Channel
  • Figure 2: Lower bounds on the capacities of the MLWE channel for Kyber with $l=3$ and $k=14$ achieving the security of the Kyber1024 parameter set
  • Figure 3: Lower bounds on the capacities of the MLWE channels for enhanced ciphertext compression for the Kyber512 and Kyber1024 parameter
  • Figure 4: RCU bound and normal approximation for the Kyber512 parameter set with $d_u=7,d_v=4$ and for the Kyber1024 parameter set with $d_u=8,d_v=3$, required DFRs for Kyber512 (black, dashed) and Kyber1024 (black)
  • Figure 5: RCU bound and normal approximation for Kyber with $l=3$ and $k=14$ achieving the security level of the Kyber1024 parameter set
  • ...and 1 more figure

Theorems & Definitions (11)

  • Definition 1
  • Definition 2
  • Definition 3
  • Remark 1
  • Remark 2
  • Lemma 1: Lemma 3 of [maringer2022information]
  • Theorem 1: Theorem 4 of [maringer2022information]
  • Definition 4
  • Theorem 2: Normal approximation
  • Definition 5
  • ...and 1 more