Benchmarks for Kyber Level 1 PQM4 Integration on STM32 ARM Cortex-M4

Recently the PQM4 project fixed a bug that was preventing us from turning on optimizations. Please see . Naturally, this means we can run benchmarks now!  You can see the results on our benchmarking page at Here is an abbreviated and reformatted version of our results. We want to compare Kyber Level 1 against ECDSA over the SECP256R1 curve:

ECDHE [SECP256R1]  256 key gen 118 ops took 1.016 sec, avg  8.610 ms, 116.142 ops/sec

ECDHE [SECP256R1]  256 agree    56 ops took 1.016 sec, avg 18.143 ms, 55.118  ops/sec

Kyber_level1-kg                219 ops took 1.000 sec, avg  4.566 ms, 219.000 ops/sec

Kyber_level1-ed                 96 ops took 1.012 sec, avg 10.542 ms, 94.862  ops/sec

Note that Kyber does very well in that keygen on average takes 4.566 ms and an encapsulation and decapsulation cycle takes 10.542 ms which gives a total processing time to achieve a shared secret as 15.108 ms. For ECDHE a similar calculation yields 26.753 ms.  So it would seem that Kyber is marginally faster.  However, ECDHE is a NIKE (Non-Interactive Key Exchange) while Kyber is a KEM so in the context of TLS 1.3, these numbers can be somewhat misleading.

For KEMs, only the client does key generation and sends the public key to the server.  Then only the server does the encapsulation operation and sends the ciphertext back to the client. Then only the client does the decapsulation operation.

For NIKEs, both the server and the client must do the key generation operation.  Then both the server and the client must also do the key agreement step.  Since there are double the number of operations to achieve a shared secret, for a fair comparison, we need to double the average time for ECDHE.  

This gives us 15.108 ms versus 53.506 ms for Kyber and ECDHE respectively.  This makes Kyber the clear winner in processing time. That said, since Kyber has considerably larger artifacts than ECDHE, depending on your method of transmission, this margin can easily be lost if your transmission speeds are slow. 

Want benchmarks for Kyber at levels 3 and 5? What about Kyber hybridized with the NIST curves? Let us know and we’d be happy to help! Just send a message to or get in touch with your wolfSSL business director.