KINDI (Key encapsulatIoN and encryption baseD on lattIces) is a lattice-based encryption scheme and CCA-secure key encapsulation mechanism that relies on lattice-based trapdoor functions. It recovers both the secret and error in MLWE instances. Due to this one attains nice security features and a high message throughput resulting in smaller ciphertext expansion factors at competitive parameters and performance.

  • Current Documentation (update Oct 2018 )
    Compared to the original update Oct 2018 we only add a small remark in Section 2.1 that decryption of the CPA-secure scheme outputs also s1 only when used as a subroutine for the CCA-secure KEM in accordance to Section 2.1.4 (first paragraph: “ The second output value s1 is necessary for the KEM“ )  and in accordance to all the concrete implementations in the submission package (s1 is never output in the implementations – per definition of CPA-secure encryption). The seed is only relevant for the CCA-secure KEM and thus included for the sake of completeness of this specification.
  • Documentation (update Jan 2018)
  • Submitted Documentation (Dec 2017)


KINDI was submitted to the NIST Call for Proposals: