SABER and the Round-3 Finalists
SABER is a lattice-based key-encapsulation mechanism built on Learning With Rounding that was one of the four public-key/KEM finalists in Round 3 of the NIST post-quantum process, and its story is the clearest window into why NIST picked the KEM it did. The Round 3 KEM finalists were CRYSTALS-Kyber, SABER, NTRU, and Classic McEliece, and NIST selected CRYSTALS-Kyber, now standardized as ML-KEM, as the primary key-establishment algorithm. The runners-up were not rejected as broken. SABER, NTRU, and Classic McEliece all held their security through the competition, and Kyber won on an overall balance of security confidence, performance, and implementation properties rather than because any finalist fell. Understanding SABER and its peers is understanding the shape of the decision NIST actually made.
Source: NIST, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” NIST IR 8413, July 2022, csrc.nist.gov/pubs/ir/8413/upd1/final.
The short version:
- SABER is a lattice KEM built on Module Learning With Rounding (Module-LWR), a close cousin of the Module-LWE problem behind ML-KEM that replaces added random noise with deterministic rounding.
- The Round 3 KEM finalists were CRYSTALS-Kyber, SABER, NTRU, and Classic McEliece, and NIST selected Kyber (now ML-KEM) as the key-establishment standard.
- SABER’s design advantage is simplicity: LWR uses power-of-two moduli, which removes modular reduction and rejection sampling and halves the randomness a scheme needs.
- NTRU rests on the older NTRU lattice problem and made the KEM finals; its lattice family entered the standards through FALCON on the signature side.
- Classic McEliece is code-based rather than lattice, with tiny ciphertexts but enormous public keys, and it remained a finalist for its decades-long track record.
- NIST chose Kyber on balance, not because SABER was weak, and it added a fourth round and a code-based backup precisely to hedge the lattice concentration the finalists represented.
What is SABER, and what hard problem is it built on?
SABER is a lattice-based key-encapsulation mechanism whose security rests on the Module Learning With Rounding problem, written Module-LWR or Mod-LWR. It comes from a team at KU Leuven (Jan-Pieter D’Anvers, Angshuman Karmakar, Sujoy Sinha Roy, and Frederik Vercauteren), and it sits in the same broad lattice family as ML-KEM but uses a subtly different hard problem. Where the Module-LWE behind ML-KEM hides its secret by adding freshly sampled random noise to linear equations, Learning With Rounding hides the secret by deterministically rounding, throwing away the low-order bits of each value so the discarded bits act as the noise. Recovering the secret from the rounded equations is the hard problem, and no efficient classical or quantum attack is known for it at SABER’s parameters.
That rounding choice is the source of SABER’s engineering appeal. Because the noise comes from rounding rather than sampling, all of SABER’s moduli are powers of two, which lets it avoid modular reduction and rejection sampling entirely and cuts the amount of randomness it needs roughly in half compared with an LWE-based scheme, which also trims bandwidth. The deeper mechanics of the rounding-versus-noise trade-off live in Learning With Rounding (LWR). The practical read is that SABER was a clean, fast, well-regarded KEM whose security assumption was slightly less battle-tested than plain Module-LWE, which is one of the threads that ran through the final decision.
Source: Jan-Pieter D’Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren, “Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM,” IACR ePrint 2018/230.
Who were the Round 3 KEM finalists?
Round 3 of the NIST process split its fifteen candidates into a first tier of finalists considered ready for near-term standardization and a second tier of alternates kept for a possible later round. On the key-establishment side, four schemes were named finalists, and they deliberately spanned more than one hard problem so a break in any single family would not take the whole KEM decision down. The finalists:
| KEM finalist | Family | Hard problem | Signature of the design |
|---|---|---|---|
| CRYSTALS-Kyber | Lattice | Module-LWE | Balanced sizes and speed; the eventual winner |
| SABER | Lattice | Module-LWR | Power-of-two moduli, simple and fast |
| NTRU | Lattice | NTRU problem | Oldest, longest-studied lattice assumption |
| Classic McEliece | Code-based | Syndrome decoding | Tiny ciphertexts, enormous public keys, decades of scrutiny |
Three of the four are lattice-based, which is exactly the concentration that later pushed NIST to run a fourth round hunting for a non-lattice backup. Classic McEliece was the deliberate exception, a code-based scheme whose security has held since the late 1970s, kept in the finals as the conservative hedge despite public keys measured in hundreds of kilobytes. Alongside these finalists sat alternates including the code-based BIKE and HQC and the isogeny-based SIKE, and the arc of Round 4 is largely the story of those alternates, since SIKE broke and HQC was ultimately selected as the code-based backup.
Source: NIST IR 8413, July 2022, Tables 2 and 3, csrc.nist.gov/pubs/ir/8413/upd1/final.
Why did NIST pick Kyber over SABER and NTRU?
NIST selected CRYSTALS-Kyber, now ML-KEM, on an overall balance across the finalists, so the decision reads as a close call among strong candidates rather than a knockout. NIST IR 8413 records that all three lattice KEM finalists (Kyber, SABER, and NTRU) had comparable performance and no fatal flaw, and that the choice came down to weighing several factors together: security confidence in the underlying assumption, key and ciphertext sizes, speed across platforms, and the breadth of existing analysis and implementation experience. Kyber’s Module-LWE assumption had accumulated the deepest body of security analysis, its performance was well-rounded across hardware, and it carried strong implementation maturity, which together edged out its peers.
The runners-up each landed slightly differently on those axes. SABER’s Module-LWR assumption was elegant and efficient but newer and less studied than Module-LWE, which weighed against it on security confidence even though no attack threatened it. NTRU rested on the oldest and most-studied lattice assumption, a genuine strength, but its overall profile did not surpass Kyber’s, and its lattice family entered the standards anyway through FALCON on the signature side, covered in NTRU. So the honest framing is that Kyber won a competition of strong finalists, and SABER and NTRU are examples of good cryptography that lost a close race, held in reserve as proof the lattice world has more than one workable KEM.
Source: NIST IR 8413, July 2022, §3 (selection rationale for CRYSTALS-KYBER), csrc.nist.gov/pubs/ir/8413/upd1/final.
How does Module-LWR differ from the Module-LWE behind ML-KEM?
The two problems are close cousins that hide a lattice secret in different ways, and the difference is the whole design distinction between SABER and Kyber. Module-LWE, the basis of ML-KEM, starts from linear equations over a module of polynomial vectors and hides the secret by adding a small amount of freshly sampled random noise to each equation, so recovering the secret means solving noisy linear algebra. Module-LWR, the basis of SABER, hides the secret by rounding instead: it computes the same kind of equation and then deterministically drops the low-order bits, and the information lost in that rounding plays the role the added noise played in LWE.
The consequences ripple through the implementation:
- Randomness. LWE has to sample noise from a distribution for every equation, while LWR derives its noise from deterministic rounding, so SABER needs roughly half the randomness and no noise-sampling machinery.
- Moduli. LWR lets SABER use power-of-two moduli, which removes modular reduction and rejection sampling, two of the fiddlier and more side-channel-sensitive parts of a lattice KEM.
- Maturity. LWE has a longer and deeper track record of security analysis, including tighter reductions to worst-case lattice problems, so Module-LWE carried more accumulated confidence into the decision.
Neither problem has a known efficient quantum attack at the parameters these schemes use, and both resist Shor’s algorithm because their hardness is geometric with none of the periodic structure Shor’s needs. The trade is real but modest: SABER bought simplicity and speed from rounding, while Kyber’s noise-based assumption carried the weight of more scrutiny, which is one of the reasons Kyber was the safer standardization choice.
Source: Jan-Pieter D’Anvers et al., “Saber: Module-LWR based key exchange,” IACR ePrint 2018/230.
What happened to the finalists NIST did not select?
They did not vanish. A losing finalist in an open competition is a vetted, still-secure algorithm held in reserve, and each Round 3 KEM runner-up has a distinct afterlife. SABER remains a published, well-regarded Module-LWR KEM that a security team can study as a worked alternative, though without a FIPS standard behind it, it is not a compliance choice. NTRU lost the KEM slot but its lattice family entered the standards through FALCON, being standardized as FN-DSA, so the NTRU assumption is in the shipped signature world even though the NTRU KEM is not.
Classic McEliece took a different path. It stayed under evaluation past Round 3 because its code-based security has held for over four decades, and it remains a candidate for standardization in specialized, high-assurance settings where its enormous public keys are tolerable in exchange for that track record. The broader lesson across all three is that NIST built the competition so the winners arrive with a documented history of public attack and the losers fail or fall short in the open, which is why a security team can point a regulator at ML-KEM with confidence: it won a field of strong finalists, and the runners-up are standing evidence of how much good cryptography the process had to choose from. The full arc of the competition is in The NIST PQC Competition.
Source: NIST IR 8413, July 2022, csrc.nist.gov/pubs/ir/8413/upd1/final.
Common misconceptions
- “SABER was rejected because it was broken.” It held its security through the entire competition. NIST chose Kyber on an overall balance of security confidence, performance, and maturity, and SABER was a strong finalist that lost a close race.
- “SABER and ML-KEM are the same thing.” Both are lattice KEMs, and SABER rests on Module-LWR (rounding) while ML-KEM rests on Module-LWE (added noise). They are cousins with different hardness assumptions and different implementation profiles.
- “NTRU losing the KEM means NTRU is out of the standards.” The NTRU KEM was not selected, but the NTRU lattice family is the foundation of FALCON, being standardized as FN-DSA, so NTRU is in the shipped standards on the signature side.
- “All the Round 3 KEM finalists were lattice-based.” Three of the four were, but Classic McEliece is code-based. That lattice concentration is exactly why NIST ran a fourth round and selected the code-based HQC as a backup.
- “A losing finalist is worthless.” A finalist is a vetted algorithm that survived years of public cryptanalysis. SABER, NTRU, and Classic McEliece are all secure designs held in reserve, which is the diversity insurance the competition was built to produce.
Questions people ask
What is SABER? SABER is a lattice-based key-encapsulation mechanism built on Module Learning With Rounding, developed at KU Leuven. It was a Round 3 KEM finalist in the NIST post-quantum process, valued for using power-of-two moduli that make it simple and fast, though it was not the KEM NIST selected.
Why did ML-KEM win over SABER? NIST selected CRYSTALS-Kyber (now ML-KEM) on an overall balance of security confidence, performance, and implementation maturity. All three lattice finalists were strong; Kyber’s Module-LWE assumption carried the deepest body of analysis, which edged out SABER’s newer Module-LWR.
What is the difference between Module-LWR and Module-LWE? Module-LWE hides its secret by adding random sampled noise to lattice equations, while Module-LWR hides it by deterministically rounding away low-order bits. Rounding lets SABER use power-of-two moduli and half the randomness, while LWE carries a longer track record of security analysis.
Who were the NIST Round 3 KEM finalists? CRYSTALS-Kyber, SABER, NTRU, and Classic McEliece. Three are lattice-based and one is code-based, and NIST selected Kyber for the key-establishment standard while keeping the others as vetted alternatives.
Is SABER safe to use? SABER held its security through the competition and has no known efficient attack, so it is a sound design. It lacks a FIPS standard, so for compliance and deployment the standardized ML-KEM is the choice, with SABER as a studied alternative rather than a production one.
What happened to NTRU and Classic McEliece? NTRU lost the KEM slot but its lattice family entered the standards through FALCON, becoming FN-DSA. Classic McEliece stayed under evaluation for high-assurance use, valued for its four-decade code-based track record despite very large public keys.
Everything here is the map, given freely. When your team needs the standardized KEM sized and sequenced into your own architecture, and wants to understand why ML-KEM is the default over its finalists, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.