Is this final Kyber?

[adamierymenko]

To what extent is Kyber still in flux or is the current standard solid?

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/C0D3W1KoINY

Of course maybe there's no way to know... just curious if you know or not.

[mberry]

Only know what is said in the mailing lists or pq conferences. There is talk of replacing the various symmetric crypto algorithms with cSHAKE, from an implementation and simplicity point of view I can certainly get behind that.

Whether NIST removes Kyber512 or 90's mode from I'm still planning to support the current variants in this repo going forward unless there is a security risk doing so. Standardisation is great but happy to accommodate those who want alternatives.

[mberry]

FIPS 203 - ML KEM

I have a private branch looking at the differences, still waiting on test vectors.

How to proceed with the migration in the rust codebase at this late stage is another question altogether.

[mberry]

I would honestly be keen on some bikeshedding at this point and how to integrate both current Kyber and ML-KEM in this crate, the differences codewise are quite small but they aren't interoperable.

[bingmatv]

@mberry What specification does version 0.7.1 use? Does v0.7.1 use Round 3 parameters or FIPS-203 parameters? Because NSA (National Security Agency) decreased key length of DES, where IBM version of DES uses 128-bit key, but after NSA modified IBM parameters, DES has only 56-bit keys. It's possible that FIPS-203 reduced Kyber security, so I suggest using NIST Round3 parameters.