Cybersecurity

Table 6 Parameters for NIST-PQC round 3 LWE-based schemes

From: Hybrid dual attack on LWE with arbitrary secrets

Name	Parameters					Security
	n	k	q	\(\sigma\)	\(m^*\)	Secret dist.	Level	Claim
	n	k	q	\(\sigma\)	\(m^*\)	Secret dist.	Level	Classical	Quantum
Kyber	256	2	3329	1.2	768	see Table 7	1	118	107
	256	3	3329	1	1024		3	182	165
	256	4	3329	1	1280		5	256	232
Saber	256	2	\(2^{13}\)	2.29	768	see Table 8	1	118	107
	256	3	\(2^{13}\)	2.29	1024		3	189	172
	256	4	\(2^{13}\)	2.29	1280		5	260	236
Dilithium	256	4	8380417	\(\sqrt{2}\)	1280	Uniform in \([-2,2]\)	2	123	112
	256	5	8380417	\(\sqrt{20/3}\)	1536	Uniform in \([-4,4]\)	3	182	165
	256	7	8380417	\(\sqrt{2}\)	2048	Uniform in \([-2,2]\)	5	252	229
Frodo	640	–	\(2^{15}\)	2.8	640	see Table 9	1	150	137
	976	–	\(2^{16}\)	2.3	976		3	215	196
	1344	–	\(2^{16}\)	1.4	1344		5	280	255
NTRULPrime	653	–	4621	\(\sqrt{2/3}\)	909	\(\#(\pm 1)=252\)	1	130	118
	761	–	4591	\(\sqrt{2/3}\)	1017	\(\#(\pm 1)=250\)	2	155	140
	857	–	5167	\(\sqrt{2/3}\)	1113	\(\#(\pm 1)=281\)	2	176	160
	953	–	6343	\(\sqrt{2/3}\)	1209	\(\#(\pm 1)=345\)	3	197	178
	1013	–	7177	\(\sqrt{2/3}\)	1269	\(\#(\pm 1)=392\)	4	210	190
	1277	–	7879	\(\sqrt{2/3}\)	1533	\(\#(\pm 1)=429\)	5	271	245

* The parameters are the secret dimension n, MLWE rank k, modulo q, standard deviation of the error \(\sigma\) and the distribution of secret \({\mathbf {s}}\).
* \(m^*\) is the maximum number of allowed samples for each scheme.
* Frodo uses the Frodo model; all the rest schemes use core-SVP model

Back to article page