
Tight Analysis of Decryption Failure Probability of Kyber in Reality


Part of the Lecture Notes in Computer Science book series (LNCS, volume 13407)


Kyber is a candidate in the third round of the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) Standardization. However, because of the protocol’s independence assumption, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work, we give a rigorous mathematical analysis of the actual failure probability calculation, and provide the Kyber security estimation in reality rather than only in a statistical sense. Our analysis does not make independence assumptions on errors, and is with respect to concrete public keys in reality. Through sample tests and experiments, we also illustrate the difference between the actual failure probability and the result given in the proposal of Kyber. The experiments show that, for Kyber-512 and 768, the failure probability resulting from the original paper is relatively conservative, but for Kyber-1024, the failure probability of some public keys is worse than claimed. This failure probability calculation for concrete public keys can also guide the selection of public keys in actual application scenarios. What’s more, we measure the gap between the upper bound of the failure probability and the actual failure probability, then give a tight estimate. Our work can also re-evaluate the traditional \(1-\delta\) correctness in the literature, which will help re-evaluate some candidates’ security in NIST post-quantum cryptographic standardization.


  • Post-quantum cryptography
  • Learning with errors
  • Key encapsulation mechanism
  • Decryption failure




Author information

Corresponding author

Correspondence to Yunlei Zhao.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Fang, B., Wang, W., Zhao, Y. (2022). Tight Analysis of Decryption Failure Probability of Kyber in Reality. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15776-9

  • Online ISBN: 978-3-031-15777-6

  • eBook Packages: Computer Science, Computer Science (R0)