Skip to main content

Table 6 Parameters for NIST-PQC round 3 LWE-based schemes

From: Hybrid dual attack on LWE with arbitrary secrets

Name Parameters Security
n k q \(\sigma\) \(m^*\) Secret dist. Level Claim
Classical Quantum
Kyber 256 2 3329 1.2 768 see Table 7 1 118 107
256 3 3329 1 1024 3 182 165
256 4 3329 1 1280 5 256 232
Saber 256 2 \(2^{13}\) 2.29 768 see Table 8 1 118 107
256 3 \(2^{13}\) 2.29 1024 3 189 172
256 4 \(2^{13}\) 2.29 1280 5 260 236
Dilithium 256 4 8380417 \(\sqrt{2}\) 1280 Uniform in \([-2,2]\) 2 123 112
256 5 8380417 \(\sqrt{20/3}\) 1536 Uniform in \([-4,4]\) 3 182 165
256 7 8380417 \(\sqrt{2}\) 2048 Uniform in \([-2,2]\) 5 252 229
Frodo 640 \(2^{15}\) 2.8 640 see Table 9 1 150 137
976 \(2^{16}\) 2.3 976 3 215 196
1344 \(2^{16}\) 1.4 1344 5 280 255
NTRULPrime 653 4621 \(\sqrt{2/3}\) 909 \(\#(\pm 1)=252\) 1 130 118
761 4591 \(\sqrt{2/3}\) 1017 \(\#(\pm 1)=250\) 2 155 140
857 5167 \(\sqrt{2/3}\) 1113 \(\#(\pm 1)=281\) 2 176 160
953 6343 \(\sqrt{2/3}\) 1209 \(\#(\pm 1)=345\) 3 197 178
1013 7177 \(\sqrt{2/3}\) 1269 \(\#(\pm 1)=392\) 4 210 190
1277 7879 \(\sqrt{2/3}\) 1533 \(\#(\pm 1)=429\) 5 271 245
  1. * The parameters are the secret dimension n, MLWE rank k, modulo q, standard deviation of the error \(\sigma\) and the distribution of secret \({\mathbf {s}}\).
  2. * \(m^*\) is the maximum number of allowed samples for each scheme.
  3. * Frodo uses the Frodo model; all the rest schemes use core-SVP model