
Add Kyber post-quantum key encapsulation mechanism

Open bwesterb opened this issue 2 years ago • 6 comments

Implementation of the IND-CCA2 post-quantum secure key encapsulation mechanism (KEM) CRYSTALS-Kyber, as submitted to the third round of the NIST Post-Quantum Cryptography (v3.02/"draft00"), and selected for standardisation.

Kyber will likely change before final standardisation.

This implementation is based on the one I wrote in Go.

bwesterb avatar Mar 13 '23 13:03 bwesterb
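A full KEM round trip against the module this PR introduces, added here as an illustration rather than code from the PR; it assumes the `std.crypto.kem.kyber_d00` module path and the `KeyPair.create` / `encaps` / `decaps` signatures as they landed in Zig 0.11, which may differ in later releases. The second function shows the IND-CCA2 behaviour the description mentions: a tampered ciphertext is not reported as an error but yields an unrelated key (implicit rejection).

```zig
const std = @import("std");
// Assumption: module name and API as shipped in Zig 0.11.
const Kyber512 = std.crypto.kem.kyber_d00.Kyber512;
const shared_length = Kyber512.shared_length;

/// Key generation, encapsulation to the public key, decapsulation with the
/// secret key, and a constant-time check that both sides agree.
pub fn roundTrip() !void {
    // null seed: key material is drawn from the OS CSPRNG.
    const kp = try Kyber512.KeyPair.create(null);

    // Sender side: derive a shared secret and the ciphertext carrying it.
    const enc = kp.public_key.encaps(null);

    // Recipient side: recover the shared secret from the ciphertext.
    const ss = try kp.secret_key.decaps(&enc.ciphertext);

    // Secrets are compared in constant time, never with a plain slice compare.
    if (!std.crypto.utils.timingSafeEql([shared_length]u8, ss, enc.shared_secret))
        return error.SharedSecretMismatch;
}

/// Implicit rejection: flipping one ciphertext bit does not make decaps
/// fail; the FO transform returns a pseudorandom key derived from the
/// secret key and the bad ciphertext, so the sender's key is never matched.
pub fn tamperedCiphertextYieldsUnrelatedKey() !void {
    const kp = try Kyber512.KeyPair.create(null);
    const enc = kp.public_key.encaps(null);

    var ct = enc.ciphertext; // copy, then corrupt a single bit
    ct[0] ^= 0x01;

    const ss = try kp.secret_key.decaps(&ct);
    if (std.crypto.utils.timingSafeEql([shared_length]u8, ss, enc.shared_secret))
        return error.TamperNotDetected;
}

pub fn main() !void {
    try roundTrip();
    try tamperedCiphertextYieldsUnrelatedKey();
    std.debug.print("kyber512: round trip and implicit rejection OK\n", .{});
}
```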

@jedisct1

bwesterb avatar Mar 13 '23 13:03 bwesterb

Good job, Bas! This is awesome!

There are a couple things that need to be changed to make that code more idiomatic and consistent with the rest of the standard library.

But it will be easier to do that in the current work repository than here.

jedisct1 avatar Mar 13 '23 14:03 jedisct1

Let's discuss this in your Zig fork :)

jedisct1 avatar Mar 13 '23 15:03 jedisct1

On M2 Pro. Essentially the reference implementation:

Did 81000 Kyber512 encap operations in 1004289us (80654.1 ops/sec)
Did 87000 Kyber512 decap operations in 1011575us (86004.5 ops/sec)

This implementation:

         kyber512:      98172 encaps/s
         kyber512:      92426 decaps/s

For comparison with classical crypto, in Zig:

           x25519:      33924 exchanges/s

and BoringSSL:

Did 4598 Curve25519 arbitrary point multiplication operations in 1052611us (4368.2 ops/sec)

bwesterb avatar Mar 13 '23 16:03 bwesterb

This is rad!

And there's still plenty of room for optimization on the Keccak side.

jedisct1 avatar Mar 13 '23 21:03 jedisct1

@jedisct1 All right, build passed.

bwesterb avatar Mar 14 '23 09:03 bwesterb

CI failure is unrelated; it's due to d6e48ab

jedisct1 avatar Mar 14 '23 19:03 jedisct1

> CI failure is unrelated; it's due to d6e48ab

It's a nondeterminism issue; probably in the macOS linker code. It's not the fault of d6e48abde87400a8a4851c7ab8c918005d81d058.

andrewrk avatar Mar 14 '23 21:03 andrewrk