Hardware-based security for high-level protection.

XIP6110B: KYBER-512/768/1024 KEM

Balanced Post-Quantum Key Encapsulation IP Core


Introduction

XIP6110B from Xiphera is an Intellectual Property (IP) core for CRYSTALS-Kyber post-quantum Key Encapsulation Mechanism (KEM). It supports key generation, encapsulation, and decapsulation operations for all Kyber variants Kyber-512, Kyber-768, and Kyber-1024. XIP6110B is optimized for a good balance between speed and resource requirements.

XIP6110B is a member of xQlave™ product family of secure and efficient IP cores for post- quantum cryptography (PQC) algorithms.

Key features

  • Small Resource Requirements: XIP6110B fits into less than 10k LUTs and additionally uses a few multipliers/DSP blocks and internal memory block in a typical FPGA implementation.
  • Fast Performance: XIP6110B is capable of computing a few thousand key generation, encapsulation, or decapsulation operations in a second in a typical FPGA implementation.
  • Secure Architecture: The execution time of XIP6110B is independent of the secret values and, consequently, provides full protection against timing-based side-channel attacks. XIP6110B has been implemented only in digital logic without any software components.
  • Easy Integration: The simple 64-bit interface of XIP6110B supports easy integration to various systems.
  • Compliance: XIP6110B is compliant with Kyber specifications 3.0 (Oct. 1, 2020) which is the version that was selected as a candidate to be standardized by NIST [1]. Xiphera commits to update XIP6110B when the standardization proceeds to newer versions.

Functionality

XIP6110B can be used for key generation, encapsulation, and decapsulation operations of all Kyber KEM variants Kyber-512, Kyber-768, and Kyber-1024 [1]. Kyber was selected as the primary algorithm for post-quantum key encapsulation by the NIST and, hence, it is expected to be very widely used in multiple different protocols in the coming years.

The main optimization objective for XIP6110B has been on achieving a good balance between resource requirements and performance as well as in providing a versatile support for all operations of all Kyber variants with a single IP core.

XIP6110B also includes protections against side-channel attacks, the most important of which is that the operation latency does not depend on any secret values. Because Kyber uses rejection sampling to obtain certain non-secret values (most importantly, the public key), the actual latency varies slightly between different execution runs. However, because the secret values are obtained in fully constant time by XIP6110B, the variance in the operation latencies does not induce any weaknesses against side-channel attacks.

XIP6110B implements the Kyber KEM operations, but key generation and encapsulation require random bytes as inputs. Hence, XIP6110B requires an external random number generator (for example, XIP8001B) for generating high-quality random bytes.


For more technical and commercial details, including FPGA resources & peak performance as well as ordering instructions, open the full product brief in PDF. Contact us by sending and email to email_career.png, and we’ll get back to you as soon as possible.

Open full product brief

Block diagram

Internal high-level block diagram of XIP6110B

Internal high-level block diagram of XIP6110B

Footnotes

[1] “90s” variants of Kyber, which are based on AES and SHA-2, are not supported.


Visit the product family page