CHSH-Augmented Kyber Scheme

Updated 22 November 2025

The paper demonstrates a hybrid post-quantum KEM that integrates a CHSH Bell test with CRYSTALS-Kyber to enforce IND-CCA security via dual reductions.
It interleaves classical lattice-based operations with quantum CHSH measurements on EPR pairs to certify non-locality and provide information-theoretic guarantees.
The scheme achieves composability, forward secrecy, and minimal latency, with tunable quantum resources (e.g., m = 512 EPR pairs) for practical deployment.

The CHSH-augmented Kyber scheme is a hybrid post-quantum key encapsulation mechanism (KEM) that unifies lattice-based cryptography with device-independent quantum non-locality certification. It integrates a Clauser–Horne–Shimony–Holt (CHSH) Bell-inequality test into the CRYSTALS-Kyber KEM workflow, thereby coupling computational hardness (Module-LWE) with information-theoretic quantum guarantees. By interleaving a non-locality test based on EPR pairs within the encapsulation/decapsulation routines, this protocol offers provable dual-hardness: any adversary that breaks the scheme’s IND-CCA security must either solve a Module-LWE instance or a QMA-complete 2-local Hamiltonian problem, under the standard complexity assumption QMA ⊄ NP (Cherkaoui et al., 15 Nov 2025).

1. Hybrid Protocol Structure and Workflow

The CHSH-augmented Kyber protocol interleaves the classical operations of CRYSTALS-Kyber with a quantum sub-protocol testing non-locality via the CHSH game. The process can be summarized in the following sequence:

Setup: Both parties agree on Kyber public parameters (e.g., modulus $q$ , dimensions $n$ , $k$ , error parameter $\eta$ ), the number of EPR pairs $m$ , and a CHSH score threshold $S_0$ where $2 < S_0 < 2\sqrt{2}$ .
Key Generation: One party runs classical Kyber KeyGen to obtain $(\mathrm{pk}, \mathrm{sk})$ .
Encapsulation + CHSH: The encapsulation party generates a Kyber ciphertext and key via the FO transform, prepares $m$ EPR pairs, distributes halves, and both parties conduct CHSH measurements (randomly chosen measurement bases, with result and basis exchange to compute correlations). If the empirical CHSH score $S \geq S_0$ , the key is accepted; otherwise, the protocol aborts.
Decapsulation + CHSH: The recipient recovers the Kyber key via classical decapsulation and repeats the CHSH measurement and scoring. The session key is output only if both classical and quantum checks succeed.

The session key is derived as $K = H(K_0 \parallel S \parallel aux)$ , where $K_0$ is the Kyber-derived key, $S$ the empirical CHSH score, and $H$ a hash or KDF.

2. Quantum Procedures and CHSH Test Implementation

The non-locality test integrates $m$ pairs of maximally entangled two-qubit EPR states $|\psi\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$ , distributed between the parties. For each pair $i$ :

Each party independently chooses a random basis ( $a_i$ $a_{i}$ for Alice, $b_i$ $b_{i}$ for Bob).
- Alice: $a_i=0$ measures in $\sigma_z$ ; $a_i=1$ in $\sigma_x$ .
- Bob: $b_i=0$ measures in $(\sigma_z+\sigma_x)/\sqrt{2}$ ; $b_i=1$ in $(\sigma_z-\sigma_x)/\sqrt{2}$ .
Outcomes $x_i, y_i \in \{\pm 1\}$ are recorded.
Each pair yields correlation $C_i = x_i y_i (-1)^{a_i b_i}$ .
The CHSH score is computed as $S = E[A_0B_0]+E[A_0B_1]+E[A_1B_0]-E[A_1B_1]$ , with $E[A_jB_k] = \frac{1}{|\{i:a_i=j, b_i=k\}|} \sum_{i:a_i=j, b_i=k} x_i y_i$ .

Quantum theory predicts that $S_Q = 2\sqrt{2}$ (Tsirelson bound), exceeding the classical local hidden-variable bound $S_C \leq 2$ . The observed empirical $S$ provides an information-theoretic certificate of non-locality, verifiable within rigorous statistical bounds (error controlled by $m$ and Hoeffding’s inequality).

3. Dual-Hardness Security Reductions

The security of the CHSH-augmented Kyber KEM is established via two orthogonal reductions:

Classical Branch: Under the Module-LWE assumption, an adversary breaking the IND-CCA game for Kyber can be reduced to solving Module-LWE with comparable advantage. The FO transform and Markov key evolution guarantee indistinguishability up to negligible error, provided protocol parameters maintain cumulative noise below $q/4$ (Cherkaoui et al., 15 Nov 2025).
Quantum Branch: Observation of a CHSH violation $S > S_0$ is mapped to finding a low-energy state for the 2-local Hamiltonian $H = \sum_{i=1}^m H_i$ , where $H_i = \frac{1}{2}\big(I - (-1)^{a_ib_i} \sigma_{a_i} \otimes \sigma_{b_i}\big)$ . Deciding the spectral gap under promise is QMA-complete; thus, a successful quantum adversary must solve a QMA-complete instance.

Any adversary breaking IND-CCA security must either solve Module-LWE (widely believed to be hard for PPT) or a QMA-complete local Hamiltonian problem (hard for classical algorithms under QMA ⊄ NP).

4. Fujisaki–Okamoto Transform Integration

The scheme embeds CHSH verification within the FO transform to maintain IND-CCA security. The encapsulation algorithm FO-CHSH-Encaps samples random $r$ , computes the Kyber encapsulation $(ct, K_0)$ , executes the CHSH sub-protocol to obtain $S$ , and outputs $(ct, K = H_1(K_0 \parallel ct \parallel S))$ if $S \geq S_0$ . Decapsulation mirrors this, aborting on decryption failure or $S' < S_0$ .

Including $S$ in the KDF ensures that only parties able to conduct genuine CHSH tests derive the session key, and FO security proofs extend with only an additional negligible term accounting for the CHSH game’s soundness.

5. Performance Metrics and Resource Analysis

Resource requirements for the scheme are as follows:

Resource	Classical Kyber	CHSH-Augmented Kyber
Quantum comms per session	0	$2m$ qubits
CHSH metadata	0	$4m$ bits
Gate count	0	$O(m)$ total
Circuit depth	0	$O(\log m)$
Latency overhead	0	$<$ 5%

Selection of $m$ is protocol-tunable; $m = 512$ aligns quantum resource usage with Kyber-512. There is an additional quantum round for EPR distribution and measurement but this phase is fully pipelineable. The paper estimates latency overhead below 5% on practical photonic or superconducting hardware (Cherkaoui et al., 15 Nov 2025).

6. Composability, Forward Secrecy, and Security Properties

The CHSH test is modeled as an ideal functionality $\mathcal{F}_{CHSH}$ , ensuring that key agreement is realized as a standard authenticated key exchange ( $\mathcal{F}_{AKE}$ ) in the hybrid ( $\mathcal{F}_{RO,H}, \mathcal{F}_{CHSH}$ ) model. When implemented as part of a universal composition (UC)-secure protocol, the scheme maintains full composability—even when embedded in higher-level cryptographic applications—by virtue of its dual-hardness and independence of session keys.

Each session employs fresh Kyber key pairs and EPR pairs, and the key derivation includes a non-leaked, freshly measured CHSH outcome $S$ , thereby ensuring forward secrecy. Exposure of long-term secrets or session state in one interaction does not compromise future (or past) keys; the Markov key evolution further prevents chaining of secret key compromise across sessions.

7. Scope and Significance

The CHSH-augmented Kyber scheme establishes a rigorous, composable, and forward-secure approach to post-quantum key exchange that is provably secure against both classical and quantum adversaries, conditioned on Module-LWE and QMA-complete problem hardness. By directly certifying quantum correlations in the key agreement workflow, it materially enhances the assurance offered by purely computational schemes, and presents a unified protocol that remains compatible with current NIST PQC standards while advancing the integration of quantum information-theoretic primitives into practical cryptography (Cherkaoui et al., 15 Nov 2025).

PDF Markdown Chat (Pro)

References (1)

QMA Complete Quantum-Enhanced Kyber: Provable Security Through CHSH Nonlocality (2025)

Whiteboard

Generate a whiteboard explanation of this topic.

Follow Topic

Get notified by email when new papers are published related to CHSH-Augmented Kyber Scheme.