Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

KyFrog: A High-Security LWE-Based KEM Inspired by ML-KEM

Victor Duarte Melo, Willian J. Buchanan

TL;DR

KyFrog tackles the need for post-quantum KEMs with exceptionally large security margins by adopting an LWE-based construction with $n=1024$, $q=1103$, and Gaussian noise $\sigma_s=\sigma_e=1.4$, paired with a Fujisaki–Okamoto transform. It prioritizes security margin over ciphertext efficiency, yielding an estimated 325-bit classical and quantum security at the cost of a ~0.5 MiB ciphertext. A dedicated parameter-search tool, KyFrog Hunter, automates conservative exploration of admissible settings, producing a concrete open-source reference implementation and reproducible benchmarks. The work provides a practical demonstration of deploying highly conservative cryptographic parameters for long-term archival and key-wrapping use, while acknowledging trade-offs in bandwidth and outlining future work in compression, protocol integration, and broader parameter exploration.

Abstract

KyFrog is a conservative Learning-with-Errors (LWE) key-encapsulation mechanism designed to explore an alternative operating point compared to schemes with relatively small public keys and ciphertexts. KyFrog uses a larger dimension ($n = 1024$) and a small prime modulus $q = 1103$, together with narrow error distributions with standard deviations $σ_s = σ_e = 1.4$, to target approximately $2^{325}$ classical and quantum security against state-of-the-art lattice attacks under standard cost models, as estimated using the Lattice Estimator. The price paid for this security margin is an extremely large KEM ciphertext (about 0.5 MiB), while public and secret keys remain in the same ballpark as ML-KEM. We describe the design rationale, parameter search methodology, and implementation details of KyFrog, and we compare its asymptotic security and concrete parameter sizes with the ML-KEM standard. All code and data for this work are released as free and open-source software, with the full C++23 implementation and experimental scripts available at: https://github.com/victormeloasm/kyfrog

KyFrog: A High-Security LWE-Based KEM Inspired by ML-KEM

TL;DR

KyFrog tackles the need for post-quantum KEMs with exceptionally large security margins by adopting an LWE-based construction with , , and Gaussian noise , paired with a Fujisaki–Okamoto transform. It prioritizes security margin over ciphertext efficiency, yielding an estimated 325-bit classical and quantum security at the cost of a ~0.5 MiB ciphertext. A dedicated parameter-search tool, KyFrog Hunter, automates conservative exploration of admissible settings, producing a concrete open-source reference implementation and reproducible benchmarks. The work provides a practical demonstration of deploying highly conservative cryptographic parameters for long-term archival and key-wrapping use, while acknowledging trade-offs in bandwidth and outlining future work in compression, protocol integration, and broader parameter exploration.

Abstract

KyFrog is a conservative Learning-with-Errors (LWE) key-encapsulation mechanism designed to explore an alternative operating point compared to schemes with relatively small public keys and ciphertexts. KyFrog uses a larger dimension () and a small prime modulus , together with narrow error distributions with standard deviations , to target approximately classical and quantum security against state-of-the-art lattice attacks under standard cost models, as estimated using the Lattice Estimator. The price paid for this security margin is an extremely large KEM ciphertext (about 0.5 MiB), while public and secret keys remain in the same ballpark as ML-KEM. We describe the design rationale, parameter search methodology, and implementation details of KyFrog, and we compare its asymptotic security and concrete parameter sizes with the ML-KEM standard. All code and data for this work are released as free and open-source software, with the full C++23 implementation and experimental scripts available at: https://github.com/victormeloasm/kyfrog

Paper Structure

This paper contains 51 sections, 13 equations, 4 figures, 3 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Motivation for a "paranoid" KEM
  3. Overview of the paper
  4. Background
  5. The Learning-with-Errors Problem
  6. Module-LWE and structured lattices
  7. CRYSTALS-Kyber and ML-KEM
  8. Security notions for KEMs
  9. Security estimation for lattice KEMs
  10. Related work on conservative parameter choices
  11. Design Goals and Threat Model
  12. Design goals
  13. Threat model
  14. The KyFrog Construction
  15. Core parameters
  16. ...and 36 more sections

Figures (4)

  • Figure 1: Ciphertext sizes for ML-KEM and KyFrog. KyFrog's ciphertext is roughly 0.5 MiB, several orders of magnitude larger than ML-KEM fips203kyber.
  • Figure 2: Candidate density per $q$-range in KyFrog Hunter. The final KyFrog modulus $q=1103$ lies in a region with a significantly higher density of acceptable parameter sets compared to most other ranges tested albrecht-lattice-estimator.
  • Figure 3: Approximate classical security (bits) versus public key size (bytes) for ML-KEM and KyFrog. KyFrog achieves a higher estimated security level with a public key slightly smaller than ML-KEM-1024 fips203kyberalbrecht-lattice-estimator.
  • Figure 4: Public and secret key sizes for ML-KEM and KyFrog. KyFrog's public key is slightly smaller than ML-KEM-1024, while its secret key lies between ML-KEM-768 and ML-KEM-1024 fips203kyber.