# XIP6110B: KYBER-512/768/1024 KEM

# Balanced Post-Quantum Key Encapsulation IP Core

Product Brief ver. 1.0
January 23, 2023
sales@xiphera.com

#### Introduction

XIP6110B from Xiphera is an Intellectual Property (IP) core for the CRYSTALS-Kyber [2] post-quantum Key Encapsulation Mechanism (KEM). It supports key generation, encapsulation, and decapsulation operations for all Kyber variants: Kyber-512, Kyber-768, and Kyber-1024. XIP6110B is optimized for a good balance between speed and resource requirements.

XIP6110B is a member of the xQlave™ product family of secure and efficient IP cores for post-quantum cryptography (PQC) algorithms.

# **Key Features**

- Small Resource Requirements: XIP6110B fits into less than 10k LUTs and additionally uses a few multipliers/DSP blocks and internal memory blocks in a typical FPGA implementation.
- Fast Performance: XIP6110B is capable of computing a few thousand key generation, encapsulation, or decapsulation operations in a second in a typical FPGA implementation.
- Secure Architecture: The execution time of XIP6110B is independent of the secret values and, consequently, provides full protection against timing-based side-channel attacks. XIP6110B has been implemented only in digital logic without any software components.
- Easy Integration: The simple 64-bit interface of XIP6110B supports easy integration into various systems.
- Compliance: XIP6110B is compliant with Kyber specification 3.0 (Oct. 1, 2020) [2], which is the version that was selected as a candidate to be standardized by NIST [1]. Xiphera commits to updating XIP6110B when the standardization proceeds to newer versions.

## **Functionality**

XIP6110B can be used for key generation, encapsulation, and decapsulation operations of all Kyber KEM variants: Kyber-512, Kyber-768, and Kyber-1024<sup>1</sup>.
Kyber was selected as the primary algorithm for post-quantum key encapsulation by NIST [1] and, hence, it is expected to be very widely used in multiple different protocols in the coming years.

The main optimization objective for XIP6110B has been achieving a good balance between resource requirements and performance, as well as providing versatile support for all operations of all Kyber variants with a single IP core. XIP6110B also includes protections against side-channel attacks, the most important of which is that the operation latency does not depend on any secret values. Because Kyber uses rejection sampling to obtain certain non-secret values (most importantly, the public key), the actual latency varies slightly between different execution runs. However, because the secret values are obtained in fully constant time by XIP6110B, the variance in the operation latencies does not induce any weaknesses against side-channel attacks.

XIP6110B implements the Kyber KEM operations defined in [2], but key generation and encapsulation require random bytes as inputs. Hence, XIP6110B requires an external random number generator (for example, XIP8001B) for generating high-quality random bytes.

## **Block Diagram**

The internal high-level block diagram of XIP6110B is depicted in Figure 1.

### Interfaces

The external interfaces of XIP6110B are depicted in Figure 2.

This Product Brief gives a high-level overview of the functionality and capabilities of XIP6110B. Please contact sales@xiphera.com for a complete datasheet with a detailed description of the input and output signals, the startup procedure of XIP6110B, example simulation waveforms, and the FPGA resource requirements of your targeted FPGA family.

### FPGA Resources and Performance

Resource requirements and maximum clock frequencies of XIP6110B for selected FPGAs have been collected in Table 1.
The memory requirements in Table 1 are given as memory blocks, but the total RAM requirement of XIP6110B is 163,840 bits.

| Device                   | Resources                    | $f_{\sf MAX}$ |
|--------------------------|------------------------------|---------------|
| Intel Cyclone V          | 5642 ALMs, 19 M10Ks, 3 DSPs  | 114.76 MHz    |
| Xilinx Artix-7           | 8568 LUTs, 5.5 BRAMs, 6 DSPs | 117.99 MHz    |
| Xilinx UltraScale+ MPSoC | 8477 LUTs, 5.5 BRAMs, 6 DSPs | 249.44 MHz    |

Table 1: Resource usage and performance of XIP6110B on representative FPGA families.

<sup>1</sup> "90s" variants of Kyber, which are based on AES and SHA-2 and are also defined in [2], are not supported.

Figure 1: Internal high-level block diagram of XIP6110B

Figure 2: External interfaces of XIP6110B

The performance of XIP6110B depends on the clock frequency, operation, and Kyber variant. With a 100 MHz clock, the approximate performance numbers for different operations and Kyber variants are as follows:

- Key generation: 0.14 ms, 0.27 ms, and 0.40 ms for Kyber-512/768/1024, respectively.
- Encapsulation: 0.20 ms, 0.35 ms, and 0.49 ms for Kyber-512/768/1024, respectively.
- Decapsulation: 0.29 ms, 0.48 ms, and 0.63 ms for Kyber-512/768/1024, respectively.

## **Example Use Cases**

Kyber can be expected to be used for key exchange in various security protocols in the coming years. Therefore, XIP6110B will have several applications in protecting critical systems. There are already drafts describing how Kyber will be used in security protocols: for example, IPsec IKEv2 [4] and TLS 1.3 [3].

## Ordering and Deliverables

Please contact sales@xiphera.com for pricing and your preferred delivery method. XIP6110B can be shipped in a number of formats, including netlist, source code, or encrypted source code. Additionally, a comprehensive VHDL testbench and a detailed datasheet are included.
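
The Functionality section's remark about rejection sampling, illustrated with an added example that is not Xiphera's code and does not model the IP core's hardware: a Python sketch of the two samplers from the Kyber specification [2], showing that the amount of XOF output consumed by public-matrix sampling varies with the public seed, while secret (CBD) sampling always reads a fixed number of bytes. The function names and the constructed seeds are assumptions made for illustration.

```python
import hashlib

Q, N = 3329, 256  # Kyber modulus and polynomial degree, per the spec [2]

def parse_uniform(rho: bytes, i: int, j: int):
    """Rejection-sample one public matrix polynomial from SHAKE-128(rho||j||i).
    Returns (coefficients, XOF bytes consumed)."""
    need = 3 * N
    stream = hashlib.shake_128(rho + bytes([j, i])).digest(need)
    coeffs, pos = [], 0
    while len(coeffs) < N:
        if pos + 3 > len(stream):  # rejections used up the buffer: squeeze more
            need += 168            # SHAKE-128 rate in bytes
            stream = hashlib.shake_128(rho + bytes([j, i])).digest(need)
        b0, b1, b2 = stream[pos:pos + 3]
        pos += 3
        d1 = b0 + 256 * (b1 % 16)  # two 12-bit candidates per 3 bytes
        d2 = (b1 // 16) + 16 * b2
        if d1 < Q:
            coeffs.append(d1)
        if d2 < Q and len(coeffs) < N:
            coeffs.append(d2)
    return coeffs, pos

def cbd(sigma: bytes, nonce: int, eta: int):
    """Sample a secret/noise polynomial from SHAKE-256(sigma||nonce).
    Always reads exactly 64*eta bytes: there is no rejection step."""
    buf = hashlib.shake_256(sigma + bytes([nonce])).digest(64 * eta)
    bits = [(byte >> k) & 1 for byte in buf for k in range(8)]
    coeffs = []
    for i in range(N):
        a = sum(bits[2 * i * eta: 2 * i * eta + eta])
        b = sum(bits[2 * i * eta + eta: 2 * i * eta + 2 * eta])
        coeffs.append(a - b)
    return coeffs, len(buf)

def consumption_profile(seeds, eta=2):
    """XOF/PRF bytes consumed per seed by public and by secret sampling."""
    public = [parse_uniform(s, 0, 0)[1] for s in seeds]
    secret = [cbd(s, 0, eta)[1] for s in seeds]
    return public, secret

# Constructed 32-byte seeds, for illustration only.
SEEDS = [hashlib.sha256(bytes([k])).digest() for k in range(32)]

if __name__ == "__main__":
    pub, sec = consumption_profile(SEEDS)
    print("public sampling bytes:", min(pub), "to", max(pub))
    print("secret sampling bytes:", set(sec))
```

The varying byte count is a function of the public seed alone, so an observer who measures it learns nothing beyond what the transmitted public key already discloses.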
# About Xiphera

Xiphera specializes in secure and efficient implementations of standardized cryptographic algorithms on Field Programmable Gate Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs). Our product portfolio includes individual cryptographic Intellectual Property (IP) cores, as well as comprehensive security solutions built from a combination of individual IP cores.

Xiphera is a Finnish company operating under the laws of the Republic of Finland, and is fully owned by Finnish citizens and institutional investors.

### Contact

Xiphera Oy
Tekniikantie 12
FIN-02150 Espoo
Finland
sales@xiphera.com
+358 20 730 5252

#### References

- [1] Gorjan Alagic, Daniel Apon, David Cooper, Quynh Dang, Thinh Dang, John Kelsey, Jacob Lichtinger, Yi-Kai Liu, Carl Miller, Dustin Moody, Rene Peralta, Ray Perlner, Angela Robinson, and Daniel Smith-Tone. Status report on the third round of the NIST post-quantum cryptography standardization process. Technical Report NIST IR 8413-upd1, National Institute of Standards and Technology, July 2022.
- [2] Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé. CRYSTALS-Kyber: Algorithm specifications and supporting documentation, October 2020. Version 3.0.
- [3] Douglas Stebila, Scott Fluhrer, and Shay Gueron. Hybrid key exchange in TLS 1.3. Internet-Draft draft-ietf-tls-hybrid-design-05, Internet Engineering Task Force, August 2022. Work in Progress.
- [4] C. Tjhai, M. Tomlinson, G. Bartlett, Scott Fluhrer, Daniel Van Geest, Oscar Garcia-Morchon, and Valery Smyslov. Multiple key exchanges in IKEv2. Internet-Draft draft-ietf-ipsecme-ikev2-multiple-ke-12, Internet Engineering Task Force, December 2022. Work in Progress.