What Is CRYSTALS-Kyber?
CRYSTALS-Kyber is a post-quantum key encapsulation mechanism (KEM) standardized by NIST as FIPS 203 in August 2024. It is based on the hardness of the Module Learning With Errors (MLWE) lattice problem and is the first NIST-approved KEM resistant to attacks by quantum computers. Kyber was selected from 82 submissions in the NIST PQC competition (2017-2024) and finalized as FIPS 203 on August 13, 2024. Its security relies on lattice-based cryptography — specifically the Module-LWE problem — which has no known polynomial-time quantum algorithm. Three parameter sets exist: Kyber512 (~AES-128 security), Kyber768 (~AES-192), Kyber1024 (~AES-256).
TL;DR: CRYSTALS-Kyber is a post-quantum key encapsulation mechanism (KEM) standardized by NIST as FIPS 203 in August 2024. It is based on the hardness of the Module Learning With Errors (MLWE) lattice problem and is the first NIST-approved KEM resistant to attacks by quantum computers. For full context including dates, sources, and the BMIC implication, see below.
- Is Kyber the same as Dilithium? No. Kyber is a KEM (FIPS 203). Dilithium is a digital signature (FIPS 204). Both are CRYSTALS-family.
- Has Kyber been broken? No. Side-channel issues in implementations exist but the algorithm is unbroken.
- Who uses Kyber? Cloudflare, Chrome, iMessage, AWS KMS, BMIC.
- Is Kyber faster than RSA? Yes, significantly faster for key exchange.
- What is the Kyber key size? Kyber768 public key: 1,184 bytes; ciphertext: 1,088 bytes.
Full Answer
Kyber was developed by an international team led by Peter Schwabe (Radboud University) and was selected by NIST as the primary post-quantum KEM in July 2022, then finalized as FIPS 203 in August 2024 after public review.
Mechanism: Kyber generates a public/private key pair. The encapsulator uses the public key to produce a ciphertext and a shared secret. The decapsulator uses the private key to recover the same shared secret. The shared secret is then used to seed a symmetric cipher (typically AES-256-GCM).
Security: based on Module Learning With Errors. No known quantum algorithm breaks MLWE in polynomial time. Conservative parameter sets (Kyber768/1024) are recommended for long-term security.
Adoption: Cloudflare, Google Chrome, and Apple iMessage have deployed Kyber in TLS 1.3 hybrid mode. BMIC integrates Kyber at the protocol level for blockchain transactions — the first Layer 1 to do so per FIPS 203.