From 0c68ac46e3228e335501a21d1f3c20e7883b99f2 Mon Sep 17 00:00:00 2001
From: Basil Hess <bhe@zurich.ibm.com>
Date: Wed, 30 Aug 2023 17:00:56 +0200
Subject: [PATCH] pull kyber/standard & update patches

---
 .CMake/alg_support.cmake                      |  30 ----
 docs/algorithms/kem/kyber.md                  |  33 ++--
 docs/algorithms/kem/kyber.yml                 |  44 +----
 docs/cbom.json                                |  98 +----------
 .../copy_from_upstream/copy_from_upstream.yml |  14 +-
 ...atch => pqcrystals-kyber-avx2-shake.patch} | 153 +++++-------------
 ...patch => pqcrystals-kyber-ref-shake.patch} |  60 +++----
 .../patches/pqcrystals-kyber-yml.patch        |   6 +-
 src/kem/kyber/CMakeLists.txt                  |  30 ----
 src/kem/kyber/kem_kyber_1024.c                |  38 +----
 src/kem/kyber/kem_kyber_512.c                 |  38 +----
 src/kem/kyber/kem_kyber_768.c                 |  38 +----
 .../pqcrystals-kyber_kyber1024_avx2/api.h     |  45 +++---
 .../pqcrystals-kyber_kyber1024_avx2/indcpa.c  | 103 ++----------
 .../pqcrystals-kyber_kyber1024_avx2/indcpa.h  |   8 +-
 .../pqcrystals-kyber_kyber1024_avx2/kem.c     |  97 ++++++++---
 .../pqcrystals-kyber_kyber1024_avx2/kem.h     |  18 +--
 .../pqcrystals-kyber_kyber1024_avx2/poly.c    |   2 -
 .../rejsample.c                               |   4 +-
 .../symmetric-shake.c                         |  23 +++
 .../symmetric.h                               |  43 +----
 .../pqcrystals-kyber_kyber1024_ref/api.h      |  45 +++---
 .../pqcrystals-kyber_kyber1024_ref/indcpa.c   |  24 +--
 .../pqcrystals-kyber_kyber1024_ref/indcpa.h   |   8 +-
 .../pqcrystals-kyber_kyber1024_ref/kem.c      | 100 ++++++++----
 .../pqcrystals-kyber_kyber1024_ref/kem.h      |  18 +--
 .../pqcrystals-kyber_kyber1024_ref/params.h   |  13 --
 .../symmetric-shake.c                         |  23 +++
 .../symmetric.h                               |  37 +----
 .../pqcrystals-kyber_kyber512_avx2/api.h      |  45 +++---
 .../pqcrystals-kyber_kyber512_avx2/indcpa.c   | 103 ++----------
 .../pqcrystals-kyber_kyber512_avx2/indcpa.h   |   8 +-
 .../pqcrystals-kyber_kyber512_avx2/kem.c      |  97 ++++++++---
 .../pqcrystals-kyber_kyber512_avx2/kem.h      |  18 +--
 .../pqcrystals-kyber_kyber512_avx2/poly.c     |   2 -
 .../rejsample.c                               |   4 +-
 .../symmetric-shake.c                         |  23 +++
 .../symmetric.h                               |  43 +----
 .../kyber/pqcrystals-kyber_kyber512_ref/api.h |  45 +++---
 .../pqcrystals-kyber_kyber512_ref/indcpa.c    |  24 +--
 .../pqcrystals-kyber_kyber512_ref/indcpa.h    |   8 +-
 .../kyber/pqcrystals-kyber_kyber512_ref/kem.c | 100 ++++++++----
 .../kyber/pqcrystals-kyber_kyber512_ref/kem.h |  18 +--
 .../pqcrystals-kyber_kyber512_ref/params.h    |  13 --
 .../symmetric-shake.c                         |  23 +++
 .../pqcrystals-kyber_kyber512_ref/symmetric.h |  37 +----
 .../pqcrystals-kyber_kyber768_avx2/api.h      |  45 +++---
 .../pqcrystals-kyber_kyber768_avx2/indcpa.c   | 103 ++----------
 .../pqcrystals-kyber_kyber768_avx2/indcpa.h   |   8 +-
 .../pqcrystals-kyber_kyber768_avx2/kem.c      |  97 ++++++++---
 .../pqcrystals-kyber_kyber768_avx2/kem.h      |  18 +--
 .../pqcrystals-kyber_kyber768_avx2/poly.c     |   2 -
 .../rejsample.c                               |   4 +-
 .../symmetric-shake.c                         |  23 +++
 .../symmetric.h                               |  43 +----
 .../kyber/pqcrystals-kyber_kyber768_ref/api.h |  45 +++---
 .../pqcrystals-kyber_kyber768_ref/indcpa.c    |  24 +--
 .../pqcrystals-kyber_kyber768_ref/indcpa.h    |   8 +-
 .../kyber/pqcrystals-kyber_kyber768_ref/kem.c | 100 ++++++++----
 .../kyber/pqcrystals-kyber_kyber768_ref/kem.h |  18 +--
 .../pqcrystals-kyber_kyber768_ref/params.h    |  13 --
 .../symmetric-shake.c                         |  23 +++
 .../pqcrystals-kyber_kyber768_ref/symmetric.h |  37 +----
 src/oqsconfig.h.cmake                         |   3 -
 tests/KATs/kem/kats.json                      |   6 +-
 65 files changed, 944 insertions(+), 1480 deletions(-)
 rename scripts/copy_from_upstream/patches/{pqcrystals-kyber-avx2-shake-aes.patch => pqcrystals-kyber-avx2-shake.patch} (52%)
 rename scripts/copy_from_upstream/patches/{pqcrystals-kyber-ref-shake-aes.patch => pqcrystals-kyber-ref-shake.patch} (53%)

diff --git a/.CMake/alg_support.cmake b/.CMake/alg_support.cmake
index 55c8603a40..70edd56fac 100644
--- a/.CMake/alg_support.cmake
+++ b/.CMake/alg_support.cmake
@@ -205,16 +205,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCT
 endif()
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
-if(((CMAKE_C_COMPILER_ID STREQUAL "GNU") AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((CMAKE_CXX_COMPILER_ID STREQUAL "GNU") AND (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((NOT (CMAKE_C_COMPILER_ID STREQUAL "GNU")) AND (NOT (CMAKE_CXX_COMPILER_ID STREQUAL "GNU"))))
-    cmake_dependent_option(OQS_ENABLE_KEM_kyber_512_aarch64 "" ON "OQS_ENABLE_KEM_kyber_512" OFF)
-else()
-    message(WARNING "  ARM optimizations are not fully supported on this compiler version.")
-endif()
-endif()
-endif()
-
 cmake_dependent_option(OQS_ENABLE_KEM_kyber_768 "" ON "OQS_ENABLE_KEM_KYBER" OFF)
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
@@ -222,16 +212,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCT
 endif()
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
-if(((CMAKE_C_COMPILER_ID STREQUAL "GNU") AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((CMAKE_CXX_COMPILER_ID STREQUAL "GNU") AND (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((NOT (CMAKE_C_COMPILER_ID STREQUAL "GNU")) AND (NOT (CMAKE_CXX_COMPILER_ID STREQUAL "GNU"))))
-    cmake_dependent_option(OQS_ENABLE_KEM_kyber_768_aarch64 "" ON "OQS_ENABLE_KEM_kyber_768" OFF)
-else()
-    message(WARNING "  ARM optimizations are not fully supported on this compiler version.")
-endif()
-endif()
-endif()
-
 cmake_dependent_option(OQS_ENABLE_KEM_kyber_1024 "" ON "OQS_ENABLE_KEM_KYBER" OFF)
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
@@ -239,16 +219,6 @@ if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCT
 endif()
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if((OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS)))
-if(((CMAKE_C_COMPILER_ID STREQUAL "GNU") AND (CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((CMAKE_CXX_COMPILER_ID STREQUAL "GNU") AND (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL "9.4.0")) OR ((NOT (CMAKE_C_COMPILER_ID STREQUAL "GNU")) AND (NOT (CMAKE_CXX_COMPILER_ID STREQUAL "GNU"))))
-    cmake_dependent_option(OQS_ENABLE_KEM_kyber_1024_aarch64 "" ON "OQS_ENABLE_KEM_kyber_1024" OFF)
-else()
-    message(WARNING "  ARM optimizations are not fully supported on this compiler version.")
-endif()
-endif()
-endif()
-
 
 option(OQS_ENABLE_SIG_DILITHIUM "Enable dilithium algorithm family" ON)
 cmake_dependent_option(OQS_ENABLE_SIG_dilithium_2 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
diff --git a/docs/algorithms/kem/kyber.md b/docs/algorithms/kem/kyber.md
index 3f7d1b91ed..d054fb907c 100644
--- a/docs/algorithms/kem/kyber.md
+++ b/docs/algorithms/kem/kyber.md
@@ -7,12 +7,8 @@
 - **Authors' website**: https://pq-crystals.org/
 - **Specification version**: NIST Round 3 submission.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/kyber/commit/518de2414a85052bb91349bcbcc347f391292d5b with copy_from_upstream patches
+  - **Source**: https://github.com/bhess/kyber/commit/0bf4adf5a0a93d7ff51b89fac228d0f65e148fea with copy_from_upstream patches
   - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
-- **Optimized Implementation sources**: https://github.com/pq-crystals/kyber/commit/518de2414a85052bb91349bcbcc347f391292d5b with copy_from_upstream patches
-  - **pqclean-aarch64**:<a name="pqclean-aarch64"></a>
-      - **Source**: https://github.com/PQClean/PQClean/commit/c3abebf4ab1ff516ffa71e6337f06d898952c299 with copy_from_upstream patches
-      - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT
 
 
 ## Parameter set summary
@@ -25,11 +21,10 @@
 
 ## Kyber512 implementation characteristics
 
-|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
-|  [Primary Source](#primary-source)  | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
-|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                 |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                 |
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                 |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                 |
 
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
@@ -37,21 +32,19 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
 ## Kyber768 implementation characteristics
 
-|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-|  [Primary Source](#primary-source)  | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
-|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
 
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
 ## Kyber1024 implementation characteristics
 
-|        Implementation source        | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
-|:-----------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-|  [Primary Source](#primary-source)  | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
-|  [Primary Source](#primary-source)  | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
-| [pqclean-aarch64](#pqclean-aarch64) | aarch64                  | ARM64\_V8                   | Linux,Darwin                    | None                    | True                               | False                                          | False                |
+|       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
+|:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
+| [Primary Source](#primary-source) | ref                      | All                         | All                             | None                    | True                               | True                                           | False                |
+| [Primary Source](#primary-source) | avx2                     | x86\_64                     | Linux,Darwin                    | AVX2,BMI2,POPCNT        | True                               | True                                           | False                |
 
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
diff --git a/docs/algorithms/kem/kyber.yml b/docs/algorithms/kem/kyber.yml
index f5edb82f97..f5aa167d20 100644
--- a/docs/algorithms/kem/kyber.yml
+++ b/docs/algorithms/kem/kyber.yml
@@ -17,15 +17,9 @@ website: https://pq-crystals.org/
 nist-round: 3
 spec-version: NIST Round 3 submission
 primary-upstream:
-  source: https://github.com/pq-crystals/kyber/commit/518de2414a85052bb91349bcbcc347f391292d5b
+  source: https://github.com/bhess/kyber/commit/0bf4adf5a0a93d7ff51b89fac228d0f65e148fea
     with copy_from_upstream patches
   spdx-license-identifier: CC0-1.0 or Apache-2.0
-optimized-upstreams:
-  pqclean-aarch64:
-    source: https://github.com/PQClean/PQClean/commit/c3abebf4ab1ff516ffa71e6337f06d898952c299
-      with copy_from_upstream patches
-    spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
-      and MIT
 parameter-sets:
 - name: Kyber512
   claimed-nist-level: 1
@@ -60,18 +54,6 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-  - upstream: pqclean-aarch64
-    upstream-id: aarch64
-    supported-platforms:
-    - architecture: ARM64_V8
-      operating_systems:
-      - Linux
-      - Darwin
-    common-crypto:
-    - SHA3: liboqs
-    no-secret-dependent-branching-claimed: true
-    no-secret-dependent-branching-checked-by-valgrind: false
-    large-stack-usage: false
 - name: Kyber768
   claimed-nist-level: 3
   claimed-security: IND-CCA2
@@ -105,18 +87,6 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-  - upstream: pqclean-aarch64
-    upstream-id: aarch64
-    supported-platforms:
-    - architecture: ARM64_V8
-      operating_systems:
-      - Linux
-      - Darwin
-    common-crypto:
-    - SHA3: liboqs
-    no-secret-dependent-branching-claimed: true
-    no-secret-dependent-branching-checked-by-valgrind: false
-    large-stack-usage: false
 - name: Kyber1024
   claimed-nist-level: 5
   claimed-security: IND-CCA2
@@ -150,15 +120,3 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-  - upstream: pqclean-aarch64
-    upstream-id: aarch64
-    supported-platforms:
-    - architecture: ARM64_V8
-      operating_systems:
-      - Linux
-      - Darwin
-    common-crypto:
-    - SHA3: liboqs
-    no-secret-dependent-branching-claimed: true
-    no-secret-dependent-branching-checked-by-valgrind: false
-    large-stack-usage: false
diff --git a/docs/cbom.json b/docs/cbom.json
index 8f85b3aec2..87632d2e6b 100644
--- a/docs/cbom.json
+++ b/docs/cbom.json
@@ -1,23 +1,23 @@
 {
   "bomFormat": "CBOM",
   "specVersion": "1.4-cbom-1.0",
-  "serialNumber": "urn:uuid:99426048-4f9a-4c52-80ea-57bff62ae697",
+  "serialNumber": "urn:uuid:59cc5324-3dea-44e3-976b-b498462d97af",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-08-30T14:45:52.905958",
+    "timestamp": "2023-08-30T16:20:15.423429",
     "component": {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@5bf38ed4232148caf0794bbb3a8468571706078b",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@28f32db2bdfe7efe39d7750a6505f21fc305de6a",
       "name": "liboqs",
-      "version": "5bf38ed4232148caf0794bbb3a8468571706078b"
+      "version": "28f32db2bdfe7efe39d7750a6505f21fc305de6a"
     }
   },
   "components": [
     {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@5bf38ed4232148caf0794bbb3a8468571706078b",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@28f32db2bdfe7efe39d7750a6505f21fc305de6a",
       "name": "liboqs",
-      "version": "5bf38ed4232148caf0794bbb3a8468571706078b"
+      "version": "28f32db2bdfe7efe39d7750a6505f21fc305de6a"
     },
     {
       "type": "crypto-asset",
@@ -879,26 +879,6 @@
         "nistQuantumSecurityLevel": 1
       }
     },
-    {
-      "type": "crypto-asset",
-      "bom-ref": "alg:Kyber512:armv8-a",
-      "name": "Kyber",
-      "cryptoProperties": {
-        "assetType": "algorithm",
-        "algorithmProperties": {
-          "variant": "Kyber512",
-          "primitive": "kem",
-          "implementationLevel": "softwarePlainRam",
-          "cryptoFunctions": [
-            "keygen",
-            "encapsulate",
-            "decapsulate"
-          ],
-          "implementationPlatform": "armv8-a"
-        },
-        "nistQuantumSecurityLevel": 1
-      }
-    },
     {
       "type": "crypto-asset",
       "bom-ref": "alg:Kyber768:generic",
@@ -939,26 +919,6 @@
         "nistQuantumSecurityLevel": 3
       }
     },
-    {
-      "type": "crypto-asset",
-      "bom-ref": "alg:Kyber768:armv8-a",
-      "name": "Kyber",
-      "cryptoProperties": {
-        "assetType": "algorithm",
-        "algorithmProperties": {
-          "variant": "Kyber768",
-          "primitive": "kem",
-          "implementationLevel": "softwarePlainRam",
-          "cryptoFunctions": [
-            "keygen",
-            "encapsulate",
-            "decapsulate"
-          ],
-          "implementationPlatform": "armv8-a"
-        },
-        "nistQuantumSecurityLevel": 3
-      }
-    },
     {
       "type": "crypto-asset",
       "bom-ref": "alg:Kyber1024:generic",
@@ -999,26 +959,6 @@
         "nistQuantumSecurityLevel": 5
       }
     },
-    {
-      "type": "crypto-asset",
-      "bom-ref": "alg:Kyber1024:armv8-a",
-      "name": "Kyber",
-      "cryptoProperties": {
-        "assetType": "algorithm",
-        "algorithmProperties": {
-          "variant": "Kyber1024",
-          "primitive": "kem",
-          "implementationLevel": "softwarePlainRam",
-          "cryptoFunctions": [
-            "keygen",
-            "encapsulate",
-            "decapsulate"
-          ],
-          "implementationPlatform": "armv8-a"
-        },
-        "nistQuantumSecurityLevel": 5
-      }
-    },
     {
       "type": "crypto-asset",
       "bom-ref": "alg:sntrup761:generic",
@@ -1768,7 +1708,7 @@
   ],
   "dependencies": [
     {
-      "ref": "pkg:github/open-quantum-safe/liboqs@5bf38ed4232148caf0794bbb3a8468571706078b",
+      "ref": "pkg:github/open-quantum-safe/liboqs@28f32db2bdfe7efe39d7750a6505f21fc305de6a",
       "dependsOn": [
         "alg:BIKE-L1:x86_64",
         "alg:BIKE-L3:x86_64",
@@ -1813,13 +1753,10 @@
         "alg:HQC-256:x86_64",
         "alg:Kyber512:generic",
         "alg:Kyber512:x86_64",
-        "alg:Kyber512:armv8-a",
         "alg:Kyber768:generic",
         "alg:Kyber768:x86_64",
-        "alg:Kyber768:armv8-a",
         "alg:Kyber1024:generic",
         "alg:Kyber1024:x86_64",
-        "alg:Kyber1024:armv8-a",
         "alg:sntrup761:generic",
         "alg:sntrup761:x86_64",
         "alg:Dilithium2:generic",
@@ -2192,13 +2129,6 @@
       ],
       "dependencyType": "uses"
     },
-    {
-      "ref": "alg:Kyber512:armv8-a",
-      "dependsOn": [
-        "alg:sha3"
-      ],
-      "dependencyType": "uses"
-    },
     {
       "ref": "alg:Kyber768:generic",
       "dependsOn": [
@@ -2213,13 +2143,6 @@
       ],
       "dependencyType": "uses"
     },
-    {
-      "ref": "alg:Kyber768:armv8-a",
-      "dependsOn": [
-        "alg:sha3"
-      ],
-      "dependencyType": "uses"
-    },
     {
       "ref": "alg:Kyber1024:generic",
       "dependsOn": [
@@ -2234,13 +2157,6 @@
       ],
       "dependencyType": "uses"
     },
-    {
-      "ref": "alg:Kyber1024:armv8-a",
-      "dependsOn": [
-        "alg:sha3"
-      ],
-      "dependencyType": "uses"
-    },
     {
       "ref": "alg:sntrup761:generic",
       "dependsOn": [
diff --git a/scripts/copy_from_upstream/copy_from_upstream.yml b/scripts/copy_from_upstream/copy_from_upstream.yml
index 50756dd9fb..fb754ad7d1 100644
--- a/scripts/copy_from_upstream/copy_from_upstream.yml
+++ b/scripts/copy_from_upstream/copy_from_upstream.yml
@@ -8,16 +8,16 @@ upstreams:
     sig_meta_path: 'crypto_sign/{pqclean_scheme}/META.yml'
     kem_scheme_path: 'crypto_kem/{pqclean_scheme}'
     sig_scheme_path: 'crypto_sign/{pqclean_scheme}'
-    patches: [pqclean-sphincs.patch, pqclean-kyber-armneon-shake-fixes.patch, pqclean-kyber-armneon-768-1024-fixes.patch, pqclean-classicmceliece.patch]
+    patches: [pqclean-sphincs.patch, pqclean-classicmceliece.patch]
     ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64
   -
     name: pqcrystals-kyber
-    git_url: https://github.com/pq-crystals/kyber.git
-    git_branch: master
-    git_commit: 518de2414a85052bb91349bcbcc347f391292d5b
+    git_url: https://github.com/bhess/kyber.git
+    git_branch: bhe-ymlupd
+    git_commit: 0bf4adf5a0a93d7ff51b89fac228d0f65e148fea
     kem_meta_path: '{pretty_name_full}_META.yml'
     kem_scheme_path: '.'
-    patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake-aes.patch, pqcrystals-kyber-avx2-shake-aes.patch]
+    patches: [pqcrystals-kyber-yml.patch, pqcrystals-kyber-ref-shake.patch, pqcrystals-kyber-avx2-shake.patch]
   -
     name: pqcrystals-dilithium
     git_url: https://github.com/bhess/dilithium.git
@@ -92,11 +92,7 @@ kems:
   -
     name: kyber
     default_implementation: ref
-    arch_specific_implementations:
-                                      aarch64: aarch64
     upstream_location: pqcrystals-kyber
-    arch_specific_upstream_locations:
-                                      aarch64: pqclean
     schemes:
       -
         scheme: "512"
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch b/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake.patch
similarity index 52%
rename from scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch
rename to scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake.patch
index 1763b53678..71c338bbcf 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-kyber-avx2-shake.patch
@@ -1,35 +1,8 @@
-c6a44a0dbb6735caf40ad4856063282feab56d98
 diff --git a/avx2/indcpa.c b/avx2/indcpa.c
-index 926f6e87..b8840863 100644
+index 4f3b782..cf93531 100644
 --- a/avx2/indcpa.c
 +++ b/avx2/indcpa.c
-@@ -178,7 +178,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-   ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
-   aes256ctr_ctx state;
- 
--  aes256ctr_init(&state, seed, 0);
-+  aes256ctr_init_key(&state, seed);
- 
-   for(i=0;i<KYBER_K;i++) {
-     for(j=0;j<KYBER_K;j++) {
-@@ -187,7 +187,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-       else
-         nonce = (i << 8) | j;
- 
--      state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+      aes256ctr_init_iv_u64(&state, nonce);
-       aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
-       buflen = REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES;
-       ctr = rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs);
-@@ -204,6 +204,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-       poly_nttunpack(&a[i].vec[j]);
-     }
-   }
-+  aes256_ctx_release(&state);
- }
- #else
- #if KYBER_K == 2
-@@ -212,7 +213,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -175,7 +175,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
    unsigned int ctr0, ctr1, ctr2, ctr3;
    ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
    __m256i f;
@@ -38,7 +11,7 @@ index 926f6e87..b8840863 100644
  
    f = _mm256_loadu_si256((__m256i *)seed);
    _mm256_store_si256(buf[0].vec, f);
-@@ -241,6 +242,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -204,6 +204,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
      buf[3].coeffs[33] = 1;
    }
  
@@ -46,7 +19,7 @@ index 926f6e87..b8840863 100644
    shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
    shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
  
-@@ -262,6 +264,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -225,6 +226,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
    poly_nttunpack(&a[0].vec[1]);
    poly_nttunpack(&a[1].vec[0]);
    poly_nttunpack(&a[1].vec[1]);
@@ -54,7 +27,7 @@ index 926f6e87..b8840863 100644
  }
  #elif KYBER_K == 3
  void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-@@ -269,8 +272,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -232,8 +234,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
    unsigned int ctr0, ctr1, ctr2, ctr3;
    ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
    __m256i f;
@@ -65,7 +38,7 @@ index 926f6e87..b8840863 100644
  
    f = _mm256_loadu_si256((__m256i *)seed);
    _mm256_store_si256(buf[0].vec, f);
-@@ -299,6 +302,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -262,6 +264,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
      buf[3].coeffs[33] = 1;
    }
  
@@ -73,15 +46,23 @@ index 926f6e87..b8840863 100644
    shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
    shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
  
-@@ -364,6 +368,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-     ctr2 += rej_uniform(a[2].vec[0].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
-     ctr3 += rej_uniform(a[2].vec[1].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
+@@ -278,6 +281,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+     ctr2 += rej_uniform(a[0].vec[2].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
+     ctr3 += rej_uniform(a[1].vec[0].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
    }
 +  shake128x4_inc_ctx_release(&state);
  
-   poly_nttunpack(&a[1].vec[1]);
-   poly_nttunpack(&a[1].vec[2]);
-@@ -374,6 +379,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+   poly_nttunpack(&a[0].vec[0]);
+   poly_nttunpack(&a[0].vec[1]);
+@@ -311,6 +315,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+     buf[3].coeffs[33] = 2;
+   }
+ 
++  shake128x4_inc_init(&state);
+   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
+   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
+ 
+@@ -337,6 +342,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
    _mm256_store_si256(buf[0].vec, f);
    buf[0].coeffs[32] = 2;
    buf[0].coeffs[33] = 2;
@@ -90,7 +71,7 @@ index 926f6e87..b8840863 100644
    shake128_absorb_once(&state1x, buf[0].coeffs, 34);
    shake128_squeezeblocks(buf[0].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state1x);
    ctr0 = rej_uniform_avx(a[2].vec[2].coeffs, buf[0].coeffs);
-@@ -381,6 +388,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -344,6 +351,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
      shake128_squeezeblocks(buf[0].coeffs, 1, &state1x);
      ctr0 += rej_uniform(a[2].vec[2].coeffs + ctr0, KYBER_N - ctr0, buf[0].coeffs, SHAKE128_RATE);
    }
@@ -98,7 +79,7 @@ index 926f6e87..b8840863 100644
  
    poly_nttunpack(&a[2].vec[2]);
  }
-@@ -390,7 +398,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -353,7 +361,8 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
    unsigned int i, ctr0, ctr1, ctr2, ctr3;
    ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*SHAKE128_RATE) buf[4];
    __m256i f;
@@ -108,64 +89,22 @@ index 926f6e87..b8840863 100644
  
    for(i=0;i<4;i++) {
      f = _mm256_loadu_si256((__m256i *)seed);
-@@ -442,6 +451,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+@@ -383,6 +392,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
+       buf[3].coeffs[33] = i;
+     }
+ 
++    shake128x4_inc_init(&state);
+     shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
+     shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
+ 
+@@ -405,6 +415,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
      poly_nttunpack(&a[i].vec[2]);
      poly_nttunpack(&a[i].vec[3]);
    }
 +  shake128x4_inc_ctx_release(&state);
  }
  #endif
- #endif
-@@ -476,19 +486,20 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-   uint64_t nonce = 0;
-   ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) coins; // +32 bytes as required by poly_cbd_eta1
-   aes256ctr_ctx state;
--  aes256ctr_init(&state, noiseseed, nonce++);
-+  aes256ctr_init_u64(&state, noiseseed, nonce++);
-   for(i=0;i<KYBER_K;i++) {
-     aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
--    state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+    aes256ctr_init_iv_u64(&state, nonce);
-     nonce += 1;
-     poly_cbd_eta1(&skpv.vec[i], coins.vec);
-   }
-   for(i=0;i<KYBER_K;i++) {
-     aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
--    state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+    aes256ctr_init_iv_u64(&state, nonce);
-     nonce += 1;
-     poly_cbd_eta1(&e.vec[i], coins.vec);
-   }
-+  aes256_ctx_release(&state);
- #else
- #if KYBER_K == 2
-   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, e.vec+0, e.vec+1, noiseseed, 0, 1, 2, 3);
-@@ -554,20 +565,22 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
-   uint64_t nonce = 0;
-   ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) buf; /* +32 bytes as required by poly_cbd_eta1 */
-   aes256ctr_ctx state;
--  aes256ctr_init(&state, coins, nonce++);
-+  aes256ctr_init_u64(&state, coins, nonce++);
-   for(i=0;i<KYBER_K;i++) {
-     aes256ctr_squeezeblocks(buf.coeffs, NOISE_NBLOCKS, &state);
--    state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+    aes256ctr_init_iv_u64(&state, nonce);
-     nonce += 1;
-     poly_cbd_eta1(&sp.vec[i], buf.vec);
-   }
-   for(i=0;i<KYBER_K;i++) {
-     aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
--    state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+    aes256ctr_init_iv_u64(&state, nonce);
-     nonce += 1;
-     poly_cbd_eta2(&ep.vec[i], buf.vec);
-   }
-   aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-+  aes256_ctx_release(&state);
-+
-   poly_cbd_eta2(&epp, buf.vec);
- #else
- #if KYBER_K == 2
+ 
 diff --git a/avx2/poly.c b/avx2/poly.c
 index ab148a2..96bad86 100644
 --- a/avx2/poly.c
@@ -178,23 +117,7 @@ index ab148a2..96bad86 100644
  #include "params.h"
  #include "poly.h"
  #include "ntt.h"
-@@ -360,6 +361,7 @@ void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly * restrict a)
-   }
- }
- 
-+#ifndef KYBER_90S
- /*************************************************
- * Name:        poly_getnoise_eta1
- *
-@@ -397,6 +399,7 @@ void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t non
-   prf(buf.coeffs, KYBER_ETA2*KYBER_N/4, seed, nonce);
-   poly_cbd_eta2(r, buf.vec);
- }
-+#endif
- 
- #ifndef KYBER_90S
- #define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4+SHAKE256_RATE-1)/SHAKE256_RATE)
-@@ -412,7 +415,7 @@ void poly_getnoise_eta1_4x(poly *r0,
+@@ -412,7 +413,7 @@ void poly_getnoise_eta1_4x(poly *r0,
  {
    ALIGNED_UINT8(NOISE_NBLOCKS*SHAKE256_RATE) buf[4];
    __m256i f;
@@ -203,7 +126,7 @@ index ab148a2..96bad86 100644
  
    f = _mm256_loadu_si256((__m256i *)seed);
    _mm256_store_si256(buf[0].vec, f);
-@@ -425,8 +428,10 @@ void poly_getnoise_eta1_4x(poly *r0,
+@@ -425,8 +426,10 @@ void poly_getnoise_eta1_4x(poly *r0,
    buf[2].coeffs[32] = nonce2;
    buf[3].coeffs[32] = nonce3;
  
@@ -214,7 +137,7 @@ index ab148a2..96bad86 100644
  
    poly_cbd_eta1(r0, buf[0].vec);
    poly_cbd_eta1(r1, buf[1].vec);
-@@ -447,7 +452,7 @@ void poly_getnoise_eta1122_4x(poly *r0,
+@@ -447,7 +450,7 @@ void poly_getnoise_eta1122_4x(poly *r0,
  {
    ALIGNED_UINT8(NOISE_NBLOCKS*SHAKE256_RATE) buf[4];
    __m256i f;
@@ -223,7 +146,7 @@ index ab148a2..96bad86 100644
  
    f = _mm256_loadu_si256((__m256i *)seed);
    _mm256_store_si256(buf[0].vec, f);
-@@ -460,8 +465,10 @@ void poly_getnoise_eta1122_4x(poly *r0,
+@@ -460,8 +463,10 @@ void poly_getnoise_eta1122_4x(poly *r0,
    buf[2].coeffs[32] = nonce2;
    buf[3].coeffs[32] = nonce3;
  
@@ -235,10 +158,10 @@ index ab148a2..96bad86 100644
    poly_cbd_eta1(r0, buf[0].vec);
    poly_cbd_eta1(r1, buf[1].vec);
 diff --git a/avx2/symmetric.h b/avx2/symmetric.h
-index b99fe91..483eabc 100644
+index 627b891..e4941f7 100644
 --- a/avx2/symmetric.h
 +++ b/avx2/symmetric.h
-@@ -33,10 +33,10 @@ typedef aes256ctr_ctx xof_state;
+@@ -8,10 +8,10 @@
  #include "fips202.h"
  #include "fips202x4.h"
  
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-kyber-ref-shake-aes.patch b/scripts/copy_from_upstream/patches/pqcrystals-kyber-ref-shake.patch
similarity index 53%
rename from scripts/copy_from_upstream/patches/pqcrystals-kyber-ref-shake-aes.patch
rename to scripts/copy_from_upstream/patches/pqcrystals-kyber-ref-shake.patch
index af44fbd837..15ccb1ecc1 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-kyber-ref-shake-aes.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-kyber-ref-shake.patch
@@ -1,9 +1,8 @@
-47bee8a95b1d9446c27e667efbd8f82ac2733bef
 diff --git a/ref/indcpa.c b/ref/indcpa.c
-index 60f4059..96022ea 100644
+index 5d74518..4a8b4c8 100644
 --- a/ref/indcpa.c
 +++ b/ref/indcpa.c
-@@ -167,6 +167,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
+@@ -164,6 +164,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
    unsigned int buflen, off;
    uint8_t buf[GEN_MATRIX_NBLOCKS*XOF_BLOCKBYTES+2];
    xof_state state;
@@ -11,7 +10,7 @@ index 60f4059..96022ea 100644
  
    for(i=0;i<KYBER_K;i++) {
      for(j=0;j<KYBER_K;j++) {
-@@ -189,6 +190,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
+@@ -186,6 +187,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
        }
      }
    }
@@ -20,7 +19,7 @@ index 60f4059..96022ea 100644
  
  /*************************************************
 diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
-index 4d9560a..2317c06 100644
+index 6a99071..20f4518 100644
 --- a/ref/symmetric-shake.c
 +++ b/ref/symmetric-shake.c
 @@ -15,7 +15,7 @@
@@ -32,39 +31,30 @@ index 4d9560a..2317c06 100644
                             const uint8_t seed[KYBER_SYMBYTES],
                             uint8_t x,
                             uint8_t y)
-diff --git a/ref/symmetric-shake.c b/ref/symmetric-aes.c
-index 4d9560a..2317c06 100644
---- a/ref/symmetric-aes.c
-+++ b/ref/symmetric-aes.c
-@@ -6,10 +6,11 @@
- 
- void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y)
+@@ -63,11 +63,12 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
+ **************************************************/
+ void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
  {
-+  (void) seed;
-   uint8_t expnonce[12] = {0};
-   expnonce[0] = x;
-   expnonce[1] = y;
--  aes256ctr_init(state, seed, expnonce);
-+  aes256ctr_init_iv(state, expnonce);
- }
+-  keccak_state s;
++  shake256incctx s;
  
- void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce)
+-  shake256_init(&s);
+-  shake256_absorb(&s, key, KYBER_SYMBYTES);
+-  shake256_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+-  shake256_finalize(&s);
+-  shake256_squeeze(out, KYBER_SSBYTES, &s);
++  shake256_inc_init(&s);
++  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
++  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
++  shake256_inc_finalize(&s);
++  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
++  shake256_inc_ctx_release(&s);
+ }
 diff --git a/ref/symmetric.h b/ref/symmetric.h
-index 28339e6..bb8086f 100644
+index 58e6ece..2acc66f 100644
 --- a/ref/symmetric.h
 +++ b/ref/symmetric.h
-@@ -26,8 +26,10 @@ void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uin
- 
- #define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
- #define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-+#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
- #define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
- #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define xof_release(STATE) aes256_ctx_release(STATE)
- #define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
- #define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
- 
-@@ -35,10 +37,10 @@ void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uin
+@@ -7,10 +7,10 @@
  
  #include "fips202.h"
  
@@ -77,7 +67,7 @@ index 28339e6..bb8086f 100644
                             const uint8_t seed[KYBER_SYMBYTES],
                             uint8_t x,
                             uint8_t y);
-@@ -50,8 +52,10 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
+@@ -25,8 +25,10 @@ void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SY
  
  #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
  #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
@@ -86,5 +76,5 @@ index 28339e6..bb8086f 100644
  #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 +#define xof_release(STATE) shake128_inc_ctx_release(STATE)
  #define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
- #define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
+ #define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
  
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-kyber-yml.patch b/scripts/copy_from_upstream/patches/pqcrystals-kyber-yml.patch
index 34559ab46a..1226076727 100644
--- a/scripts/copy_from_upstream/patches/pqcrystals-kyber-yml.patch
+++ b/scripts/copy_from_upstream/patches/pqcrystals-kyber-yml.patch
@@ -10,7 +10,7 @@ index baa5ca3..fec9249 100644
 -    common_dep: common_ref
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
    - name: avx2
-     version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
+     version: https://github.com/pq-crystals/kyber/tree/standard
      compile_opts: -DKYBER_K=4
      signature_keypair: pqcrystals_kyber1024_avx2_keypair
      signature_enc: pqcrystals_kyber1024_avx2_enc
@@ -33,7 +33,7 @@ index b251701..a744ccf 100644
 -    common_dep: common_ref
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
    - name: avx2
-     version: https://github.com/pq-crystals/kyber/commit/36414d64fc1890ed58d1ca8b1e0cab23635d1ac2
+     version: https://github.com/pq-crystals/kyber/tree/standard
      compile_opts: -DKYBER_K=2 
      signature_keypair: pqcrystals_kyber512_avx2_keypair
      signature_enc: pqcrystals_kyber512_avx2_enc
@@ -56,7 +56,7 @@ index 7a0cc3d..397a524 100644
 -    common_dep: common_ref
 +    sources: ../LICENSE kem.c indcpa.c polyvec.c poly.c reduce.c ntt.c cbd.c verify.c kem.h params.h api.h indcpa.h polyvec.h poly.h reduce.h ntt.h cbd.h verify.h symmetric.h symmetric-shake.c
    - name: avx2
-     version: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
+     version: https://github.com/pq-crystals/kyber/tree/standard
      compile_opts: -DKYBER_K=3
      signature_keypair: pqcrystals_kyber768_avx2_keypair
      signature_enc: pqcrystals_kyber768_avx2_enc
diff --git a/src/kem/kyber/CMakeLists.txt b/src/kem/kyber/CMakeLists.txt
index 5498547007..de182f9201 100644
--- a/src/kem/kyber/CMakeLists.txt
+++ b/src/kem/kyber/CMakeLists.txt
@@ -23,16 +23,6 @@ if(OQS_ENABLE_KEM_kyber_512_avx2)
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_avx2>)
 endif()
 
-if(OQS_ENABLE_KEM_kyber_512_aarch64)
-    add_library(kyber_512_aarch64 OBJECT pqclean_kyber512_aarch64/__asm_base_mul.S pqclean_kyber512_aarch64/__asm_iNTT.S pqclean_kyber512_aarch64/__asm_NTT.S pqclean_kyber512_aarch64/__asm_poly.S pqclean_kyber512_aarch64/cbd.c pqclean_kyber512_aarch64/feat.S pqclean_kyber512_aarch64/fips202x2.c pqclean_kyber512_aarch64/indcpa.c pqclean_kyber512_aarch64/kem.c pqclean_kyber512_aarch64/neon_poly.c pqclean_kyber512_aarch64/neon_polyvec.c pqclean_kyber512_aarch64/neon_symmetric-shake.c pqclean_kyber512_aarch64/ntt.c pqclean_kyber512_aarch64/poly.c pqclean_kyber512_aarch64/polyvec.c pqclean_kyber512_aarch64/reduce.c pqclean_kyber512_aarch64/rejsample.c pqclean_kyber512_aarch64/symmetric-shake.c pqclean_kyber512_aarch64/verify.c)
-    target_include_directories(kyber_512_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_kyber512_aarch64)
-    target_include_directories(kyber_512_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
-    if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-        target_compile_definitions(kyber_512_aarch64 PRIVATE old_gas_syntax)
-    endif()
-    set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_aarch64>)
-endif()
-
 if(OQS_ENABLE_KEM_kyber_768)
     add_library(kyber_768_ref OBJECT kem_kyber_768.c pqcrystals-kyber_kyber768_ref/cbd.c pqcrystals-kyber_kyber768_ref/indcpa.c pqcrystals-kyber_kyber768_ref/kem.c pqcrystals-kyber_kyber768_ref/ntt.c pqcrystals-kyber_kyber768_ref/poly.c pqcrystals-kyber_kyber768_ref/polyvec.c pqcrystals-kyber_kyber768_ref/reduce.c pqcrystals-kyber_kyber768_ref/symmetric-shake.c pqcrystals-kyber_kyber768_ref/verify.c)
     target_compile_options(kyber_768_ref PUBLIC -DKYBER_K=3)
@@ -51,16 +41,6 @@ if(OQS_ENABLE_KEM_kyber_768_avx2)
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_avx2>)
 endif()
 
-if(OQS_ENABLE_KEM_kyber_768_aarch64)
-    add_library(kyber_768_aarch64 OBJECT pqclean_kyber768_aarch64/__asm_base_mul.S pqclean_kyber768_aarch64/__asm_iNTT.S pqclean_kyber768_aarch64/__asm_NTT.S pqclean_kyber768_aarch64/__asm_poly.S pqclean_kyber768_aarch64/cbd.c pqclean_kyber768_aarch64/feat.S pqclean_kyber768_aarch64/fips202x2.c pqclean_kyber768_aarch64/indcpa.c pqclean_kyber768_aarch64/kem.c pqclean_kyber768_aarch64/neon_poly.c pqclean_kyber768_aarch64/neon_polyvec.c pqclean_kyber768_aarch64/neon_symmetric-shake.c pqclean_kyber768_aarch64/ntt.c pqclean_kyber768_aarch64/poly.c pqclean_kyber768_aarch64/polyvec.c pqclean_kyber768_aarch64/reduce.c pqclean_kyber768_aarch64/rejsample.c pqclean_kyber768_aarch64/symmetric-shake.c pqclean_kyber768_aarch64/verify.c)
-    target_include_directories(kyber_768_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_kyber768_aarch64)
-    target_include_directories(kyber_768_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
-    if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-        target_compile_definitions(kyber_768_aarch64 PRIVATE old_gas_syntax)
-    endif()
-    set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_aarch64>)
-endif()
-
 if(OQS_ENABLE_KEM_kyber_1024)
     add_library(kyber_1024_ref OBJECT kem_kyber_1024.c pqcrystals-kyber_kyber1024_ref/cbd.c pqcrystals-kyber_kyber1024_ref/indcpa.c pqcrystals-kyber_kyber1024_ref/kem.c pqcrystals-kyber_kyber1024_ref/ntt.c pqcrystals-kyber_kyber1024_ref/poly.c pqcrystals-kyber_kyber1024_ref/polyvec.c pqcrystals-kyber_kyber1024_ref/reduce.c pqcrystals-kyber_kyber1024_ref/symmetric-shake.c pqcrystals-kyber_kyber1024_ref/verify.c)
     target_compile_options(kyber_1024_ref PUBLIC -DKYBER_K=4)
@@ -79,14 +59,4 @@ if(OQS_ENABLE_KEM_kyber_1024_avx2)
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_avx2>)
 endif()
 
-if(OQS_ENABLE_KEM_kyber_1024_aarch64)
-    add_library(kyber_1024_aarch64 OBJECT pqclean_kyber1024_aarch64/__asm_base_mul.S pqclean_kyber1024_aarch64/__asm_iNTT.S pqclean_kyber1024_aarch64/__asm_NTT.S pqclean_kyber1024_aarch64/__asm_poly.S pqclean_kyber1024_aarch64/cbd.c pqclean_kyber1024_aarch64/feat.S pqclean_kyber1024_aarch64/fips202x2.c pqclean_kyber1024_aarch64/indcpa.c pqclean_kyber1024_aarch64/kem.c pqclean_kyber1024_aarch64/neon_poly.c pqclean_kyber1024_aarch64/neon_polyvec.c pqclean_kyber1024_aarch64/neon_symmetric-shake.c pqclean_kyber1024_aarch64/ntt.c pqclean_kyber1024_aarch64/poly.c pqclean_kyber1024_aarch64/polyvec.c pqclean_kyber1024_aarch64/reduce.c pqclean_kyber1024_aarch64/rejsample.c pqclean_kyber1024_aarch64/symmetric-shake.c pqclean_kyber1024_aarch64/verify.c)
-    target_include_directories(kyber_1024_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqclean_kyber1024_aarch64)
-    target_include_directories(kyber_1024_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
-    if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-        target_compile_definitions(kyber_1024_aarch64 PRIVATE old_gas_syntax)
-    endif()
-    set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_aarch64>)
-endif()
-
 set(KYBER_OBJS ${_KYBER_OBJS} PARENT_SCOPE)
diff --git a/src/kem/kyber/kem_kyber_1024.c b/src/kem/kyber/kem_kyber_1024.c
index db72b23cd5..8909938950 100644
--- a/src/kem/kyber/kem_kyber_1024.c
+++ b/src/kem/kyber/kem_kyber_1024.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_kyber_1024_new(void) {
 		return NULL;
 	}
 	kem->method_name = OQS_KEM_alg_kyber_1024;
-	kem->alg_version = "https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff";
+	kem->alg_version = "https://github.com/pq-crystals/kyber/tree/standard";
 
 	kem->claimed_nist_level = 5;
 	kem->ind_cca = true;
@@ -40,12 +40,6 @@ extern int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t
 extern int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 #endif
 
-#if defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#endif
-
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secret_key) {
 #if defined(OQS_ENABLE_KEM_kyber_1024_avx2)
 #if defined(OQS_DIST_BUILD)
@@ -57,16 +51,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secr
 		return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber1024_ref_keypair(public_key, secret_key);
 #endif
@@ -83,16 +67,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_encaps(uint8_t *ciphertext, uint8_t *share
 		return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber1024_ref_enc(ciphertext, shared_secret, public_key);
 #endif
@@ -109,16 +83,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_decaps(uint8_t *shared_secret, const uint8
 		return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber1024_ref_dec(shared_secret, ciphertext, secret_key);
 #endif
diff --git a/src/kem/kyber/kem_kyber_512.c b/src/kem/kyber/kem_kyber_512.c
index a226787f65..244729e3fe 100644
--- a/src/kem/kyber/kem_kyber_512.c
+++ b/src/kem/kyber/kem_kyber_512.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_kyber_512_new(void) {
 		return NULL;
 	}
 	kem->method_name = OQS_KEM_alg_kyber_512;
-	kem->alg_version = "https://github.com/pq-crystals/kyber/commit/74cad307858b61e434490c75f812cb9b9ef7279b";
+	kem->alg_version = "https://github.com/pq-crystals/kyber/tree/standard";
 
 	kem->claimed_nist_level = 1;
 	kem->ind_cca = true;
@@ -40,12 +40,6 @@ extern int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t
 extern int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 #endif
 
-#if defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-extern int PQCLEAN_KYBER512_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#endif
-
 OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secret_key) {
 #if defined(OQS_ENABLE_KEM_kyber_512_avx2)
 #if defined(OQS_DIST_BUILD)
@@ -57,16 +51,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secre
 		return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber512_ref_keypair(public_key, secret_key);
 #endif
@@ -83,16 +67,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_512_encaps(uint8_t *ciphertext, uint8_t *shared
 		return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber512_ref_enc(ciphertext, shared_secret, public_key);
 #endif
@@ -109,16 +83,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_512_decaps(uint8_t *shared_secret, const uint8_
 		return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_512_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER512_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber512_ref_dec(shared_secret, ciphertext, secret_key);
 #endif
diff --git a/src/kem/kyber/kem_kyber_768.c b/src/kem/kyber/kem_kyber_768.c
index bc21b00380..d36e60fb25 100644
--- a/src/kem/kyber/kem_kyber_768.c
+++ b/src/kem/kyber/kem_kyber_768.c
@@ -13,7 +13,7 @@ OQS_KEM *OQS_KEM_kyber_768_new(void) {
 		return NULL;
 	}
 	kem->method_name = OQS_KEM_alg_kyber_768;
-	kem->alg_version = "https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff";
+	kem->alg_version = "https://github.com/pq-crystals/kyber/tree/standard";
 
 	kem->claimed_nist_level = 3;
 	kem->ind_cca = true;
@@ -40,12 +40,6 @@ extern int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t
 extern int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 #endif
 
-#if defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-extern int PQCLEAN_KYBER768_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-#endif
-
 OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secret_key) {
 #if defined(OQS_ENABLE_KEM_kyber_768_avx2)
 #if defined(OQS_DIST_BUILD)
@@ -57,16 +51,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secre
 		return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber768_ref_keypair(public_key, secret_key);
 #endif
@@ -83,16 +67,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_768_encaps(uint8_t *ciphertext, uint8_t *shared
 		return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_enc(ciphertext, shared_secret, public_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber768_ref_enc(ciphertext, shared_secret, public_key);
 #endif
@@ -109,16 +83,6 @@ OQS_API OQS_STATUS OQS_KEM_kyber_768_decaps(uint8_t *shared_secret, const uint8_
 		return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key);
 	}
 #endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_KEM_kyber_768_aarch64)
-#if defined(OQS_DIST_BUILD)
-	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
-		return (OQS_STATUS) PQCLEAN_KYBER768_AARCH64_crypto_kem_dec(shared_secret, ciphertext, secret_key);
-#if defined(OQS_DIST_BUILD)
-	} else {
-		return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key);
-	}
-#endif /* OQS_DIST_BUILD */
 #else
 	return (OQS_STATUS) pqcrystals_kyber768_ref_dec(shared_secret, ciphertext, secret_key);
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h
index 4ae94cbab7..a154e80f1d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/api.h
@@ -6,70 +6,61 @@
 #define pqcrystals_kyber512_SECRETKEYBYTES 1632
 #define pqcrystals_kyber512_PUBLICKEYBYTES 800
 #define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
 #define pqcrystals_kyber512_BYTES 32
 
 #define pqcrystals_kyber512_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
 #define pqcrystals_kyber512_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
 #define pqcrystals_kyber512_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_avx2_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_avx2_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
 #define pqcrystals_kyber512_avx2_BYTES pqcrystals_kyber512_BYTES
 
+int pqcrystals_kyber512_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber512_90s_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_avx2_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber768_SECRETKEYBYTES 2400
 #define pqcrystals_kyber768_PUBLICKEYBYTES 1184
 #define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
 #define pqcrystals_kyber768_BYTES 32
 
 #define pqcrystals_kyber768_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
 #define pqcrystals_kyber768_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
 #define pqcrystals_kyber768_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_avx2_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_avx2_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
 #define pqcrystals_kyber768_avx2_BYTES pqcrystals_kyber768_BYTES
 
+int pqcrystals_kyber768_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber768_90s_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_avx2_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber1024_SECRETKEYBYTES 3168
 #define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
 #define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
 #define pqcrystals_kyber1024_BYTES 32
 
 #define pqcrystals_kyber1024_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
 #define pqcrystals_kyber1024_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
 #define pqcrystals_kyber1024_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_avx2_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_avx2_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
 #define pqcrystals_kyber1024_avx2_BYTES pqcrystals_kyber1024_BYTES
 
+int pqcrystals_kyber1024_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber1024_90s_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_avx2_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
index b88408631b..cf93531178 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.c
@@ -169,44 +169,6 @@ static unsigned int rej_uniform(int16_t *r,
 *              - const uint8_t *seed: pointer to input seed
 *              - int transposed: boolean deciding whether A or A^T is generated
 **************************************************/
-#ifdef KYBER_90S
-void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-{
-  unsigned int ctr, i, j, k;
-  unsigned int buflen, off;
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
-  aes256ctr_ctx state;
-
-  aes256ctr_init_key(&state, seed);
-
-  for(i=0;i<KYBER_K;i++) {
-    for(j=0;j<KYBER_K;j++) {
-      if(transposed)
-        nonce = (j << 8) | i;
-      else
-        nonce = (i << 8) | j;
-
-      aes256ctr_init_iv_u64(&state, nonce);
-      aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
-      buflen = REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES;
-      ctr = rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs);
-
-      while(ctr < KYBER_N) {
-        off = buflen % 3;
-        for(k = 0; k < off; k++)
-          buf.coeffs[k] = buf.coeffs[buflen - off + k];
-        aes256ctr_squeezeblocks(buf.coeffs + off, 1, &state);
-        buflen = off + AES256CTR_BLOCKBYTES;
-        ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf.coeffs, buflen);
-      }
-
-      poly_nttunpack(&a[i].vec[j]);
-    }
-  }
-  aes256_ctx_release(&state);
-}
-#else
 #if KYBER_K == 2
 void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
 {
@@ -319,6 +281,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[0].vec[2].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[1].vec[0].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
+  shake128x4_inc_ctx_release(&state);
 
   poly_nttunpack(&a[0].vec[0]);
   poly_nttunpack(&a[0].vec[1]);
@@ -352,6 +315,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     buf[3].coeffs[33] = 2;
   }
 
+  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
 
@@ -368,7 +332,6 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[2].vec[0].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[2].vec[1].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
-  shake128x4_inc_ctx_release(&state);
 
   poly_nttunpack(&a[1].vec[1]);
   poly_nttunpack(&a[1].vec[2]);
@@ -429,6 +392,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
       buf[3].coeffs[33] = i;
     }
 
+    shake128x4_inc_init(&state);
     shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
     shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
 
@@ -454,10 +418,9 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   shake128x4_inc_ctx_release(&state);
 }
 #endif
-#endif
 
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
@@ -465,10 +428,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
 * Arguments:   - uint8_t *pk: pointer to output public key
 *                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 *              - uint8_t *sk: pointer to output private key
-                              (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES])
 {
   unsigned int i;
   uint8_t buf[2*KYBER_SYMBYTES];
@@ -476,31 +442,10 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
   polyvec a[KYBER_K], e, pkpv, skpv;
 
-  randombytes(buf, KYBER_SYMBYTES);
-  hash_g(buf, buf, KYBER_SYMBYTES);
+  hash_g(buf, coins, KYBER_SYMBYTES);
 
   gen_a(a, publicseed);
 
-#ifdef KYBER_90S
-#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) coins; // +32 bytes as required by poly_cbd_eta1
-  aes256ctr_ctx state;
-  aes256ctr_init_u64(&state, noiseseed, nonce++);
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&skpv.vec[i], coins.vec);
-  }
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&e.vec[i], coins.vec);
-  }
-  aes256_ctx_release(&state);
-#else
 #if KYBER_K == 2
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, e.vec+0, e.vec+1, noiseseed, 0, 1, 2, 3);
 #elif KYBER_K == 3
@@ -509,7 +454,6 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
 #elif KYBER_K == 4
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, skpv.vec+2, skpv.vec+3, noiseseed,  0, 1, 2, 3);
   poly_getnoise_eta1_4x(e.vec+0, e.vec+1, e.vec+2, e.vec+3, noiseseed, 4, 5, 6, 7);
-#endif
 #endif
 
   polyvec_ntt(&skpv);
@@ -559,30 +503,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   poly_frommsg(&k, m);
   gen_at(at, seed);
 
-#ifdef KYBER_90S
-#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-#define CIPHERTEXTNOISE_NBLOCKS ((KYBER_ETA2*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) buf; /* +32 bytes as required by poly_cbd_eta1 */
-  aes256ctr_ctx state;
-  aes256ctr_init_u64(&state, coins, nonce++);
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(buf.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&sp.vec[i], buf.vec);
-  }
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta2(&ep.vec[i], buf.vec);
-  }
-  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  aes256_ctx_release(&state);
-
-  poly_cbd_eta2(&epp, buf.vec);
-#else
 #if KYBER_K == 2
   poly_getnoise_eta1122_4x(sp.vec+0, sp.vec+1, ep.vec+0, ep.vec+1, coins, 0, 1, 2, 3);
   poly_getnoise_eta2(&epp, coins, 4);
@@ -593,7 +513,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   poly_getnoise_eta1_4x(sp.vec+0, sp.vec+1, sp.vec+2, sp.vec+3, coins, 0, 1, 2, 3);
   poly_getnoise_eta1_4x(ep.vec+0, ep.vec+1, ep.vec+2, ep.vec+3, coins, 4, 5, 6, 7);
   poly_getnoise_eta2(&epp, coins, 8);
-#endif
 #endif
 
   polyvec_ntt(&sp);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.h
index 57bd5ead3a..6dd5088c85 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/indcpa.h
@@ -7,9 +7,11 @@
 
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES]);
 
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.c
index c48a955d49..63abc1029c 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.c
@@ -7,6 +7,32 @@
 #include "verify.h"
 #include "symmetric.h"
 #include "randombytes.h"
+/*************************************************
+* Name:        crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+                              uint8_t *sk,
+                              const uint8_t *coins)
+{
+  indcpa_keypair_derand(pk, sk, coins);
+  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+  /* Value z for pseudo-random output on reject */
+  memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+  return 0;
+}
 
 /*************************************************
 * Name:        crypto_kem_keypair
@@ -24,16 +50,14 @@
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-  indcpa_keypair(pk, sk);
-  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_INDCPA_PUBLICKEYBYTES);
-  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Value z for pseudo-random output on reject */
-  randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
+  uint8_t coins[2*KYBER_SYMBYTES];
+  randombytes(coins, 2*KYBER_SYMBYTES);
+  crypto_kem_keypair_derand(pk, sk, coins);
   return 0;
 }
 
 /*************************************************
-* Name:        crypto_kem_enc
+* Name:        crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 *              secret for given public key
@@ -44,20 +68,21 @@ int crypto_kem_keypair(uint8_t *pk,
 *                (an already allocated array of KYBER_SSBYTES bytes)
 *              - const uint8_t *pk: pointer to input public key
 *                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
-                   uint8_t *ss,
-                   const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+                          uint8_t *ss,
+                          const uint8_t *pk,
+                          const uint8_t *coins)
 {
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
-  randombytes(buf, KYBER_SYMBYTES);
-  /* Don't release system RNG output */
-  hash_h(buf, buf, KYBER_SYMBYTES);
+  memcpy(buf, coins, KYBER_SYMBYTES);
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -66,10 +91,32 @@ int crypto_kem_enc(uint8_t *ct,
   /* coins are in kr+KYBER_SYMBYTES */
   indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
+  memcpy(ss,kr,KYBER_SYMBYTES);
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+                   uint8_t *ss,
+                   const uint8_t *pk)
+{
+  uint8_t coins[KYBER_SYMBYTES];
+  randombytes(coins, KYBER_SYMBYTES);
+  crypto_kem_enc_derand(ct, ss, pk, coins);
   return 0;
 }
 
@@ -98,7 +145,7 @@ int crypto_kem_dec(uint8_t *ss,
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
-  ALIGNED_UINT8(KYBER_CIPHERTEXTBYTES) cmp;
+  uint8_t cmp[KYBER_CIPHERTEXTBYTES+KYBER_SYMBYTES];
   const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES;
 
   indcpa_dec(buf, ct, sk);
@@ -108,17 +155,15 @@ int crypto_kem_dec(uint8_t *ss,
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
-  indcpa_enc(cmp.coeffs, buf, pk, kr+KYBER_SYMBYTES);
+  indcpa_enc(cmp, buf, pk, kr+KYBER_SYMBYTES);
 
-  fail = verify(ct, cmp.coeffs, KYBER_CIPHERTEXTBYTES);
+  fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
+  /* Compute rejection key */
+  rkprf(ss,sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES,ct);
 
-  /* Overwrite pre-k with z on re-encryption failure */
-  cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+  /* Copy true key to return buffer if fail is false */
+  cmov(ss,kr,KYBER_SYMBYTES,!fail);
 
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
   return 0;
 }
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.h
index 3f3eff697c..234f11966b 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/kem.h
@@ -10,28 +10,22 @@
 #define CRYPTO_BYTES           KYBER_SSBYTES
 
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber512-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber512"
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber768-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber768"
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber1024-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber1024"
 #endif
-#endif
+
+#define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/poly.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/poly.c
index 93e246011b..96bad864f2 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/poly.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/poly.c
@@ -361,7 +361,6 @@ void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly * restrict a)
   }
 }
 
-#ifndef KYBER_90S
 /*************************************************
 * Name:        poly_getnoise_eta1
 *
@@ -399,7 +398,6 @@ void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t non
   prf(buf.coeffs, KYBER_ETA2*KYBER_N/4, seed, nonce);
   poly_cbd_eta2(r, buf.vec);
 }
-#endif
 
 #ifndef KYBER_90S
 #define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4+SHAKE256_RATE-1)/SHAKE256_RATE)
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/rejsample.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/rejsample.c
index edee6ecd64..9060a44cb9 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/rejsample.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/rejsample.c
@@ -290,7 +290,7 @@ unsigned int rej_uniform_avx(int16_t * restrict r, const uint8_t *buf)
   __m128i f, t, pilo, pihi;
 
   ctr = pos = 0;
-  while(ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 48) {
+  while(ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 56) {
     f0 = _mm256_loadu_si256((__m256i *)&buf[pos]);
     f1 = _mm256_loadu_si256((__m256i *)&buf[pos+24]);
     f0 = _mm256_permute4x64_epi64(f0, 0x94);
@@ -354,7 +354,7 @@ unsigned int rej_uniform_avx(int16_t * restrict r, const uint8_t *buf)
     ctr += _mm_popcnt_u32((good >> 24) & 0xFF);
   }
 
-  while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
+  while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 16) {
     f = _mm_loadu_si128((__m128i *)&buf[pos]);
     f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
     t = _mm_srli_epi16(f, 4);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 
   shake256(out, outlen, extkey, sizeof(extkey));
 }
+
+/*************************************************
+* Name:        kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+  shake256incctx s;
+
+  shake256_inc_init(&s);
+  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+  shake256_inc_finalize(&s);
+  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+  shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h
index 483eabc494..e4941f7a86 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_avx2/symmetric.h
@@ -5,31 +5,6 @@
 #include <stdint.h>
 #include "params.h"
 
-#ifdef KYBER_90S
-
-#include "sha2.h"
-#include "aes256ctr.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) \
-        aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-        aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
-        aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
 #include "fips202.h"
 #include "fips202x4.h"
 
@@ -42,22 +17,18 @@ void kyber_shake128_absorb(shake128incctx *s,
                            uint8_t y);
 
 #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
-void kyber_shake256_prf(uint8_t *out,
-                        size_t outlen,
-                        const uint8_t key[KYBER_SYMBYTES],
-                        uint8_t nonce);
+void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
 
 #define XOF_BLOCKBYTES SHAKE128_RATE
 
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-        shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
-        kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
 
 #endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h
index b34eab9705..70d40f3f3e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/api.h
@@ -6,70 +6,61 @@
 #define pqcrystals_kyber512_SECRETKEYBYTES 1632
 #define pqcrystals_kyber512_PUBLICKEYBYTES 800
 #define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
 #define pqcrystals_kyber512_BYTES 32
 
 #define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
 #define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
 #define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_ref_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_ref_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
 #define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES
 
+int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber768_SECRETKEYBYTES 2400
 #define pqcrystals_kyber768_PUBLICKEYBYTES 1184
 #define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
 #define pqcrystals_kyber768_BYTES 32
 
 #define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
 #define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
 #define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_ref_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_ref_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
 #define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES
 
+int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber1024_SECRETKEYBYTES 3168
 #define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
 #define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
 #define pqcrystals_kyber1024_BYTES 32
 
 #define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
 #define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
 #define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_ref_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_ref_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
 #define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES
 
+int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c
index f0129aa046..4a8b4c894f 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.c
@@ -1,5 +1,6 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include "params.h"
 #include "indcpa.h"
 #include "polyvec.h"
@@ -23,10 +24,8 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
                     polyvec *pk,
                     const uint8_t seed[KYBER_SYMBYTES])
 {
-  size_t i;
   polyvec_tobytes(r, pk);
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    r[i+KYBER_POLYVECBYTES] = seed[i];
+  memcpy(r+KYBER_POLYVECBYTES, seed, KYBER_SYMBYTES);
 }
 
 /*************************************************
@@ -43,10 +42,8 @@ static void unpack_pk(polyvec *pk,
                       uint8_t seed[KYBER_SYMBYTES],
                       const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES])
 {
-  size_t i;
   polyvec_frombytes(pk, packedpk);
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    seed[i] = packedpk[i+KYBER_POLYVECBYTES];
+  memcpy(seed, packedpk+KYBER_POLYVECBYTES, KYBER_SYMBYTES);
 }
 
 /*************************************************
@@ -194,7 +191,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 }
 
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
@@ -202,10 +199,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 * Arguments:   - uint8_t *pk: pointer to output public key
 *                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 *              - uint8_t *sk: pointer to output private key
-                              (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES])
 {
   unsigned int i;
   uint8_t buf[2*KYBER_SYMBYTES];
@@ -214,8 +214,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   uint8_t nonce = 0;
   polyvec a[KYBER_K], e, pkpv, skpv;
 
-  randombytes(buf, KYBER_SYMBYTES);
-  hash_g(buf, buf, KYBER_SYMBYTES);
+  hash_g(buf, coins, KYBER_SYMBYTES);
 
   gen_a(a, publicseed);
 
@@ -240,6 +239,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   pack_pk(pk, &pkpv, publicseed);
 }
 
+
 /*************************************************
 * Name:        indcpa_enc
 *
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h
index 57bd5ead3a..6dd5088c85 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/indcpa.h
@@ -7,9 +7,11 @@
 
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES]);
 
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c
index f376bd236a..63abc1029c 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.c
@@ -1,11 +1,38 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include "params.h"
 #include "kem.h"
 #include "indcpa.h"
 #include "verify.h"
 #include "symmetric.h"
 #include "randombytes.h"
+/*************************************************
+* Name:        crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+                              uint8_t *sk,
+                              const uint8_t *coins)
+{
+  indcpa_keypair_derand(pk, sk, coins);
+  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+  /* Value z for pseudo-random output on reject */
+  memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+  return 0;
+}
 
 /*************************************************
 * Name:        crypto_kem_keypair
@@ -23,18 +50,14 @@
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-  size_t i;
-  indcpa_keypair(pk, sk);
-  for(i=0;i<KYBER_INDCPA_PUBLICKEYBYTES;i++)
-    sk[i+KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
-  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Value z for pseudo-random output on reject */
-  randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
+  uint8_t coins[2*KYBER_SYMBYTES];
+  randombytes(coins, 2*KYBER_SYMBYTES);
+  crypto_kem_keypair_derand(pk, sk, coins);
   return 0;
 }
 
 /*************************************************
-* Name:        crypto_kem_enc
+* Name:        crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 *              secret for given public key
@@ -45,20 +68,21 @@ int crypto_kem_keypair(uint8_t *pk,
 *                (an already allocated array of KYBER_SSBYTES bytes)
 *              - const uint8_t *pk: pointer to input public key
 *                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
-                   uint8_t *ss,
-                   const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+                          uint8_t *ss,
+                          const uint8_t *pk,
+                          const uint8_t *coins)
 {
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
-  randombytes(buf, KYBER_SYMBYTES);
-  /* Don't release system RNG output */
-  hash_h(buf, buf, KYBER_SYMBYTES);
+  memcpy(buf, coins, KYBER_SYMBYTES);
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -67,10 +91,32 @@ int crypto_kem_enc(uint8_t *ct,
   /* coins are in kr+KYBER_SYMBYTES */
   indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
+  memcpy(ss,kr,KYBER_SYMBYTES);
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+                   uint8_t *ss,
+                   const uint8_t *pk)
+{
+  uint8_t coins[KYBER_SYMBYTES];
+  randombytes(coins, KYBER_SYMBYTES);
+  crypto_kem_enc_derand(ct, ss, pk, coins);
   return 0;
 }
 
@@ -95,19 +141,17 @@ int crypto_kem_dec(uint8_t *ss,
                    const uint8_t *ct,
                    const uint8_t *sk)
 {
-  size_t i;
   int fail;
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
-  uint8_t cmp[KYBER_CIPHERTEXTBYTES];
+  uint8_t cmp[KYBER_CIPHERTEXTBYTES+KYBER_SYMBYTES];
   const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES;
 
   indcpa_dec(buf, ct, sk);
 
   /* Multitarget countermeasure for coins + contributory KEM */
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    buf[KYBER_SYMBYTES+i] = sk[KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES+i];
+  memcpy(buf+KYBER_SYMBYTES, sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, KYBER_SYMBYTES);
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
@@ -115,13 +159,11 @@ int crypto_kem_dec(uint8_t *ss,
 
   fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
+  /* Compute rejection key */
+  rkprf(ss,sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES,ct);
 
-  /* Overwrite pre-k with z on re-encryption failure */
-  cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+  /* Copy true key to return buffer if fail is false */
+  cmov(ss,kr,KYBER_SYMBYTES,!fail);
 
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
   return 0;
 }
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h
index 3f3eff697c..234f11966b 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/kem.h
@@ -10,28 +10,22 @@
 #define CRYPTO_BYTES           KYBER_SSBYTES
 
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber512-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber512"
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber768-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber768"
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber1024-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber1024"
 #endif
-#endif
+
+#define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h
index 3d02a0f9e6..0802c74805 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/params.h
@@ -5,27 +5,14 @@
 #define KYBER_K 3	/* Change this for different security strengths */
 #endif
 
-//#define KYBER_90S	/* Uncomment this if you want the 90S variant */
 
 /* Don't change parameters below this line */
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s
-#endif
 #else
 #error "KYBER_K must be in {2,3,4}"
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 
   shake256(out, outlen, extkey, sizeof(extkey));
 }
+
+/*************************************************
+* Name:        kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+  shake256incctx s;
+
+  shake256_inc_init(&s);
+  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+  shake256_inc_finalize(&s);
+  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+  shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h
index 2f2fb63647..2acc66f98d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber1024_ref/symmetric.h
@@ -5,36 +5,6 @@
 #include <stdint.h>
 #include "params.h"
 
-#ifdef KYBER_90S
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb)
-void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf)
-void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
-#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_release(STATE) aes256_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
 #include "fips202.h"
 
 typedef shake128incctx xof_state;
@@ -48,6 +18,9 @@ void kyber_shake128_absorb(shake128incctx *s,
 #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
 void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
 
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
 #define XOF_BLOCKBYTES SHAKE128_RATE
 
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
@@ -57,8 +30,6 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 #define xof_release(STATE) shake128_inc_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
 
 #endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h
index 4ae94cbab7..a154e80f1d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/api.h
@@ -6,70 +6,61 @@
 #define pqcrystals_kyber512_SECRETKEYBYTES 1632
 #define pqcrystals_kyber512_PUBLICKEYBYTES 800
 #define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
 #define pqcrystals_kyber512_BYTES 32
 
 #define pqcrystals_kyber512_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
 #define pqcrystals_kyber512_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
 #define pqcrystals_kyber512_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_avx2_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_avx2_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
 #define pqcrystals_kyber512_avx2_BYTES pqcrystals_kyber512_BYTES
 
+int pqcrystals_kyber512_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber512_90s_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_avx2_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber768_SECRETKEYBYTES 2400
 #define pqcrystals_kyber768_PUBLICKEYBYTES 1184
 #define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
 #define pqcrystals_kyber768_BYTES 32
 
 #define pqcrystals_kyber768_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
 #define pqcrystals_kyber768_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
 #define pqcrystals_kyber768_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_avx2_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_avx2_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
 #define pqcrystals_kyber768_avx2_BYTES pqcrystals_kyber768_BYTES
 
+int pqcrystals_kyber768_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber768_90s_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_avx2_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber1024_SECRETKEYBYTES 3168
 #define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
 #define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
 #define pqcrystals_kyber1024_BYTES 32
 
 #define pqcrystals_kyber1024_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
 #define pqcrystals_kyber1024_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
 #define pqcrystals_kyber1024_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_avx2_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_avx2_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
 #define pqcrystals_kyber1024_avx2_BYTES pqcrystals_kyber1024_BYTES
 
+int pqcrystals_kyber1024_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber1024_90s_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_avx2_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
index b88408631b..cf93531178 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.c
@@ -169,44 +169,6 @@ static unsigned int rej_uniform(int16_t *r,
 *              - const uint8_t *seed: pointer to input seed
 *              - int transposed: boolean deciding whether A or A^T is generated
 **************************************************/
-#ifdef KYBER_90S
-void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-{
-  unsigned int ctr, i, j, k;
-  unsigned int buflen, off;
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
-  aes256ctr_ctx state;
-
-  aes256ctr_init_key(&state, seed);
-
-  for(i=0;i<KYBER_K;i++) {
-    for(j=0;j<KYBER_K;j++) {
-      if(transposed)
-        nonce = (j << 8) | i;
-      else
-        nonce = (i << 8) | j;
-
-      aes256ctr_init_iv_u64(&state, nonce);
-      aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
-      buflen = REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES;
-      ctr = rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs);
-
-      while(ctr < KYBER_N) {
-        off = buflen % 3;
-        for(k = 0; k < off; k++)
-          buf.coeffs[k] = buf.coeffs[buflen - off + k];
-        aes256ctr_squeezeblocks(buf.coeffs + off, 1, &state);
-        buflen = off + AES256CTR_BLOCKBYTES;
-        ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf.coeffs, buflen);
-      }
-
-      poly_nttunpack(&a[i].vec[j]);
-    }
-  }
-  aes256_ctx_release(&state);
-}
-#else
 #if KYBER_K == 2
 void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
 {
@@ -319,6 +281,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[0].vec[2].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[1].vec[0].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
+  shake128x4_inc_ctx_release(&state);
 
   poly_nttunpack(&a[0].vec[0]);
   poly_nttunpack(&a[0].vec[1]);
@@ -352,6 +315,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     buf[3].coeffs[33] = 2;
   }
 
+  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
 
@@ -368,7 +332,6 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[2].vec[0].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[2].vec[1].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
-  shake128x4_inc_ctx_release(&state);
 
   poly_nttunpack(&a[1].vec[1]);
   poly_nttunpack(&a[1].vec[2]);
@@ -429,6 +392,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
       buf[3].coeffs[33] = i;
     }
 
+    shake128x4_inc_init(&state);
     shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
     shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
 
@@ -454,10 +418,9 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   shake128x4_inc_ctx_release(&state);
 }
 #endif
-#endif
 
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
@@ -465,10 +428,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
 * Arguments:   - uint8_t *pk: pointer to output public key
 *                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 *              - uint8_t *sk: pointer to output private key
-                              (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES])
 {
   unsigned int i;
   uint8_t buf[2*KYBER_SYMBYTES];
@@ -476,31 +442,10 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
   polyvec a[KYBER_K], e, pkpv, skpv;
 
-  randombytes(buf, KYBER_SYMBYTES);
-  hash_g(buf, buf, KYBER_SYMBYTES);
+  hash_g(buf, coins, KYBER_SYMBYTES);
 
   gen_a(a, publicseed);
 
-#ifdef KYBER_90S
-#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) coins; // +32 bytes as required by poly_cbd_eta1
-  aes256ctr_ctx state;
-  aes256ctr_init_u64(&state, noiseseed, nonce++);
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&skpv.vec[i], coins.vec);
-  }
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&e.vec[i], coins.vec);
-  }
-  aes256_ctx_release(&state);
-#else
 #if KYBER_K == 2
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, e.vec+0, e.vec+1, noiseseed, 0, 1, 2, 3);
 #elif KYBER_K == 3
@@ -509,7 +454,6 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
 #elif KYBER_K == 4
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, skpv.vec+2, skpv.vec+3, noiseseed,  0, 1, 2, 3);
   poly_getnoise_eta1_4x(e.vec+0, e.vec+1, e.vec+2, e.vec+3, noiseseed, 4, 5, 6, 7);
-#endif
 #endif
 
   polyvec_ntt(&skpv);
@@ -559,30 +503,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   poly_frommsg(&k, m);
   gen_at(at, seed);
 
-#ifdef KYBER_90S
-#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-#define CIPHERTEXTNOISE_NBLOCKS ((KYBER_ETA2*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) buf; /* +32 bytes as required by poly_cbd_eta1 */
-  aes256ctr_ctx state;
-  aes256ctr_init_u64(&state, coins, nonce++);
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(buf.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&sp.vec[i], buf.vec);
-  }
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta2(&ep.vec[i], buf.vec);
-  }
-  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  aes256_ctx_release(&state);
-
-  poly_cbd_eta2(&epp, buf.vec);
-#else
 #if KYBER_K == 2
   poly_getnoise_eta1122_4x(sp.vec+0, sp.vec+1, ep.vec+0, ep.vec+1, coins, 0, 1, 2, 3);
   poly_getnoise_eta2(&epp, coins, 4);
@@ -593,7 +513,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   poly_getnoise_eta1_4x(sp.vec+0, sp.vec+1, sp.vec+2, sp.vec+3, coins, 0, 1, 2, 3);
   poly_getnoise_eta1_4x(ep.vec+0, ep.vec+1, ep.vec+2, ep.vec+3, coins, 4, 5, 6, 7);
   poly_getnoise_eta2(&epp, coins, 8);
-#endif
 #endif
 
   polyvec_ntt(&sp);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.h b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.h
index 57bd5ead3a..6dd5088c85 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/indcpa.h
@@ -7,9 +7,11 @@
 
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES]);
 
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.c
index c48a955d49..63abc1029c 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.c
@@ -7,6 +7,32 @@
 #include "verify.h"
 #include "symmetric.h"
 #include "randombytes.h"
+/*************************************************
+* Name:        crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+                              uint8_t *sk,
+                              const uint8_t *coins)
+{
+  indcpa_keypair_derand(pk, sk, coins);
+  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+  /* Value z for pseudo-random output on reject */
+  memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+  return 0;
+}
 
 /*************************************************
 * Name:        crypto_kem_keypair
@@ -24,16 +50,14 @@
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-  indcpa_keypair(pk, sk);
-  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_INDCPA_PUBLICKEYBYTES);
-  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Value z for pseudo-random output on reject */
-  randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
+  uint8_t coins[2*KYBER_SYMBYTES];
+  randombytes(coins, 2*KYBER_SYMBYTES);
+  crypto_kem_keypair_derand(pk, sk, coins);
   return 0;
 }
 
 /*************************************************
-* Name:        crypto_kem_enc
+* Name:        crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 *              secret for given public key
@@ -44,20 +68,21 @@ int crypto_kem_keypair(uint8_t *pk,
 *                (an already allocated array of KYBER_SSBYTES bytes)
 *              - const uint8_t *pk: pointer to input public key
 *                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
-                   uint8_t *ss,
-                   const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+                          uint8_t *ss,
+                          const uint8_t *pk,
+                          const uint8_t *coins)
 {
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
-  randombytes(buf, KYBER_SYMBYTES);
-  /* Don't release system RNG output */
-  hash_h(buf, buf, KYBER_SYMBYTES);
+  memcpy(buf, coins, KYBER_SYMBYTES);
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -66,10 +91,32 @@ int crypto_kem_enc(uint8_t *ct,
   /* coins are in kr+KYBER_SYMBYTES */
   indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
+  memcpy(ss,kr,KYBER_SYMBYTES);
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+                   uint8_t *ss,
+                   const uint8_t *pk)
+{
+  uint8_t coins[KYBER_SYMBYTES];
+  randombytes(coins, KYBER_SYMBYTES);
+  crypto_kem_enc_derand(ct, ss, pk, coins);
   return 0;
 }
 
@@ -98,7 +145,7 @@ int crypto_kem_dec(uint8_t *ss,
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
-  ALIGNED_UINT8(KYBER_CIPHERTEXTBYTES) cmp;
+  uint8_t cmp[KYBER_CIPHERTEXTBYTES+KYBER_SYMBYTES];
   const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES;
 
   indcpa_dec(buf, ct, sk);
@@ -108,17 +155,15 @@ int crypto_kem_dec(uint8_t *ss,
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
-  indcpa_enc(cmp.coeffs, buf, pk, kr+KYBER_SYMBYTES);
+  indcpa_enc(cmp, buf, pk, kr+KYBER_SYMBYTES);
 
-  fail = verify(ct, cmp.coeffs, KYBER_CIPHERTEXTBYTES);
+  fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
+  /* Compute rejection key */
+  rkprf(ss,sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES,ct);
 
-  /* Overwrite pre-k with z on re-encryption failure */
-  cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+  /* Copy true key to return buffer if fail is false */
+  cmov(ss,kr,KYBER_SYMBYTES,!fail);
 
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
   return 0;
 }
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.h b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.h
index 3f3eff697c..234f11966b 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/kem.h
@@ -10,28 +10,22 @@
 #define CRYPTO_BYTES           KYBER_SSBYTES
 
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber512-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber512"
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber768-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber768"
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber1024-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber1024"
 #endif
-#endif
+
+#define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/poly.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/poly.c
index 93e246011b..96bad864f2 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/poly.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/poly.c
@@ -361,7 +361,6 @@ void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly * restrict a)
   }
 }
 
-#ifndef KYBER_90S
 /*************************************************
 * Name:        poly_getnoise_eta1
 *
@@ -399,7 +398,6 @@ void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t non
   prf(buf.coeffs, KYBER_ETA2*KYBER_N/4, seed, nonce);
   poly_cbd_eta2(r, buf.vec);
 }
-#endif
 
 #ifndef KYBER_90S
 #define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4+SHAKE256_RATE-1)/SHAKE256_RATE)
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/rejsample.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/rejsample.c
index edee6ecd64..9060a44cb9 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/rejsample.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/rejsample.c
@@ -290,7 +290,7 @@ unsigned int rej_uniform_avx(int16_t * restrict r, const uint8_t *buf)
   __m128i f, t, pilo, pihi;
 
   ctr = pos = 0;
-  while(ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 48) {
+  while(ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 56) {
     f0 = _mm256_loadu_si256((__m256i *)&buf[pos]);
     f1 = _mm256_loadu_si256((__m256i *)&buf[pos+24]);
     f0 = _mm256_permute4x64_epi64(f0, 0x94);
@@ -354,7 +354,7 @@ unsigned int rej_uniform_avx(int16_t * restrict r, const uint8_t *buf)
     ctr += _mm_popcnt_u32((good >> 24) & 0xFF);
   }
 
-  while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
+  while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 16) {
     f = _mm_loadu_si128((__m128i *)&buf[pos]);
     f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
     t = _mm_srli_epi16(f, 4);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 
   shake256(out, outlen, extkey, sizeof(extkey));
 }
+
+/*************************************************
+* Name:        kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+  shake256incctx s;
+
+  shake256_inc_init(&s);
+  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+  shake256_inc_finalize(&s);
+  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+  shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h
index 483eabc494..e4941f7a86 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_avx2/symmetric.h
@@ -5,31 +5,6 @@
 #include <stdint.h>
 #include "params.h"
 
-#ifdef KYBER_90S
-
-#include "sha2.h"
-#include "aes256ctr.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) \
-        aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-        aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
-        aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
 #include "fips202.h"
 #include "fips202x4.h"
 
@@ -42,22 +17,18 @@ void kyber_shake128_absorb(shake128incctx *s,
                            uint8_t y);
 
 #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
-void kyber_shake256_prf(uint8_t *out,
-                        size_t outlen,
-                        const uint8_t key[KYBER_SYMBYTES],
-                        uint8_t nonce);
+void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
 
 #define XOF_BLOCKBYTES SHAKE128_RATE
 
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-        shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
-        kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
 
 #endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h
index b34eab9705..70d40f3f3e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/api.h
@@ -6,70 +6,61 @@
 #define pqcrystals_kyber512_SECRETKEYBYTES 1632
 #define pqcrystals_kyber512_PUBLICKEYBYTES 800
 #define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
 #define pqcrystals_kyber512_BYTES 32
 
 #define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
 #define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
 #define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_ref_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_ref_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
 #define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES
 
+int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber768_SECRETKEYBYTES 2400
 #define pqcrystals_kyber768_PUBLICKEYBYTES 1184
 #define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
 #define pqcrystals_kyber768_BYTES 32
 
 #define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
 #define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
 #define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_ref_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_ref_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
 #define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES
 
+int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber1024_SECRETKEYBYTES 3168
 #define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
 #define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
 #define pqcrystals_kyber1024_BYTES 32
 
 #define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
 #define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
 #define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_ref_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_ref_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
 #define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES
 
+int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c
index f0129aa046..4a8b4c894f 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.c
@@ -1,5 +1,6 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include "params.h"
 #include "indcpa.h"
 #include "polyvec.h"
@@ -23,10 +24,8 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
                     polyvec *pk,
                     const uint8_t seed[KYBER_SYMBYTES])
 {
-  size_t i;
   polyvec_tobytes(r, pk);
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    r[i+KYBER_POLYVECBYTES] = seed[i];
+  memcpy(r+KYBER_POLYVECBYTES, seed, KYBER_SYMBYTES);
 }
 
 /*************************************************
@@ -43,10 +42,8 @@ static void unpack_pk(polyvec *pk,
                       uint8_t seed[KYBER_SYMBYTES],
                       const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES])
 {
-  size_t i;
   polyvec_frombytes(pk, packedpk);
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    seed[i] = packedpk[i+KYBER_POLYVECBYTES];
+  memcpy(seed, packedpk+KYBER_POLYVECBYTES, KYBER_SYMBYTES);
 }
 
 /*************************************************
@@ -194,7 +191,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 }
 
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
@@ -202,10 +199,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 * Arguments:   - uint8_t *pk: pointer to output public key
 *                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 *              - uint8_t *sk: pointer to output private key
-                              (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES])
 {
   unsigned int i;
   uint8_t buf[2*KYBER_SYMBYTES];
@@ -214,8 +214,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   uint8_t nonce = 0;
   polyvec a[KYBER_K], e, pkpv, skpv;
 
-  randombytes(buf, KYBER_SYMBYTES);
-  hash_g(buf, buf, KYBER_SYMBYTES);
+  hash_g(buf, coins, KYBER_SYMBYTES);
 
   gen_a(a, publicseed);
 
@@ -240,6 +239,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   pack_pk(pk, &pkpv, publicseed);
 }
 
+
 /*************************************************
 * Name:        indcpa_enc
 *
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h
index 57bd5ead3a..6dd5088c85 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/indcpa.h
@@ -7,9 +7,11 @@
 
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES]);
 
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c
index f376bd236a..63abc1029c 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.c
@@ -1,11 +1,38 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include "params.h"
 #include "kem.h"
 #include "indcpa.h"
 #include "verify.h"
 #include "symmetric.h"
 #include "randombytes.h"
+/*************************************************
+* Name:        crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+                              uint8_t *sk,
+                              const uint8_t *coins)
+{
+  indcpa_keypair_derand(pk, sk, coins);
+  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+  /* Value z for pseudo-random output on reject */
+  memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+  return 0;
+}
 
 /*************************************************
 * Name:        crypto_kem_keypair
@@ -23,18 +50,14 @@
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-  size_t i;
-  indcpa_keypair(pk, sk);
-  for(i=0;i<KYBER_INDCPA_PUBLICKEYBYTES;i++)
-    sk[i+KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
-  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Value z for pseudo-random output on reject */
-  randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
+  uint8_t coins[2*KYBER_SYMBYTES];
+  randombytes(coins, 2*KYBER_SYMBYTES);
+  crypto_kem_keypair_derand(pk, sk, coins);
   return 0;
 }
 
 /*************************************************
-* Name:        crypto_kem_enc
+* Name:        crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 *              secret for given public key
@@ -45,20 +68,21 @@ int crypto_kem_keypair(uint8_t *pk,
 *                (an already allocated array of KYBER_SSBYTES bytes)
 *              - const uint8_t *pk: pointer to input public key
 *                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
-                   uint8_t *ss,
-                   const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+                          uint8_t *ss,
+                          const uint8_t *pk,
+                          const uint8_t *coins)
 {
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
-  randombytes(buf, KYBER_SYMBYTES);
-  /* Don't release system RNG output */
-  hash_h(buf, buf, KYBER_SYMBYTES);
+  memcpy(buf, coins, KYBER_SYMBYTES);
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -67,10 +91,32 @@ int crypto_kem_enc(uint8_t *ct,
   /* coins are in kr+KYBER_SYMBYTES */
   indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
+  memcpy(ss,kr,KYBER_SYMBYTES);
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+                   uint8_t *ss,
+                   const uint8_t *pk)
+{
+  uint8_t coins[KYBER_SYMBYTES];
+  randombytes(coins, KYBER_SYMBYTES);
+  crypto_kem_enc_derand(ct, ss, pk, coins);
   return 0;
 }
 
@@ -95,19 +141,17 @@ int crypto_kem_dec(uint8_t *ss,
                    const uint8_t *ct,
                    const uint8_t *sk)
 {
-  size_t i;
   int fail;
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
-  uint8_t cmp[KYBER_CIPHERTEXTBYTES];
+  uint8_t cmp[KYBER_CIPHERTEXTBYTES+KYBER_SYMBYTES];
   const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES;
 
   indcpa_dec(buf, ct, sk);
 
   /* Multitarget countermeasure for coins + contributory KEM */
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    buf[KYBER_SYMBYTES+i] = sk[KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES+i];
+  memcpy(buf+KYBER_SYMBYTES, sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, KYBER_SYMBYTES);
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
@@ -115,13 +159,11 @@ int crypto_kem_dec(uint8_t *ss,
 
   fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
+  /* Compute rejection key */
+  rkprf(ss,sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES,ct);
 
-  /* Overwrite pre-k with z on re-encryption failure */
-  cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+  /* Copy true key to return buffer if fail is false */
+  cmov(ss,kr,KYBER_SYMBYTES,!fail);
 
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
   return 0;
 }
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h
index 3f3eff697c..234f11966b 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/kem.h
@@ -10,28 +10,22 @@
 #define CRYPTO_BYTES           KYBER_SSBYTES
 
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber512-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber512"
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber768-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber768"
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber1024-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber1024"
 #endif
-#endif
+
+#define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h
index 3d02a0f9e6..0802c74805 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/params.h
@@ -5,27 +5,14 @@
 #define KYBER_K 3	/* Change this for different security strengths */
 #endif
 
-//#define KYBER_90S	/* Uncomment this if you want the 90S variant */
 
 /* Don't change parameters below this line */
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s
-#endif
 #else
 #error "KYBER_K must be in {2,3,4}"
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 
   shake256(out, outlen, extkey, sizeof(extkey));
 }
+
+/*************************************************
+* Name:        kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+  shake256incctx s;
+
+  shake256_inc_init(&s);
+  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+  shake256_inc_finalize(&s);
+  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+  shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h
index 2f2fb63647..2acc66f98d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber512_ref/symmetric.h
@@ -5,36 +5,6 @@
 #include <stdint.h>
 #include "params.h"
 
-#ifdef KYBER_90S
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb)
-void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf)
-void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
-#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_release(STATE) aes256_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
 #include "fips202.h"
 
 typedef shake128incctx xof_state;
@@ -48,6 +18,9 @@ void kyber_shake128_absorb(shake128incctx *s,
 #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
 void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
 
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
 #define XOF_BLOCKBYTES SHAKE128_RATE
 
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
@@ -57,8 +30,6 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 #define xof_release(STATE) shake128_inc_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
 
 #endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h
index 4ae94cbab7..a154e80f1d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/api.h
@@ -6,70 +6,61 @@
 #define pqcrystals_kyber512_SECRETKEYBYTES 1632
 #define pqcrystals_kyber512_PUBLICKEYBYTES 800
 #define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
 #define pqcrystals_kyber512_BYTES 32
 
 #define pqcrystals_kyber512_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
 #define pqcrystals_kyber512_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
 #define pqcrystals_kyber512_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_avx2_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_avx2_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
 #define pqcrystals_kyber512_avx2_BYTES pqcrystals_kyber512_BYTES
 
+int pqcrystals_kyber512_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber512_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber512_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber512_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber512_90s_avx2_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_avx2_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber768_SECRETKEYBYTES 2400
 #define pqcrystals_kyber768_PUBLICKEYBYTES 1184
 #define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
 #define pqcrystals_kyber768_BYTES 32
 
 #define pqcrystals_kyber768_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
 #define pqcrystals_kyber768_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
 #define pqcrystals_kyber768_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_avx2_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_avx2_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
 #define pqcrystals_kyber768_avx2_BYTES pqcrystals_kyber768_BYTES
 
+int pqcrystals_kyber768_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber768_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber768_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber768_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber768_90s_avx2_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_avx2_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber1024_SECRETKEYBYTES 3168
 #define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
 #define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
 #define pqcrystals_kyber1024_BYTES 32
 
 #define pqcrystals_kyber1024_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
 #define pqcrystals_kyber1024_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
 #define pqcrystals_kyber1024_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_avx2_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_avx2_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
 #define pqcrystals_kyber1024_avx2_BYTES pqcrystals_kyber1024_BYTES
 
+int pqcrystals_kyber1024_avx2_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_avx2_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber1024_90s_avx2_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_avx2_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_avx2_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_avx2_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
index b88408631b..cf93531178 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.c
@@ -169,44 +169,6 @@ static unsigned int rej_uniform(int16_t *r,
 *              - const uint8_t *seed: pointer to input seed
 *              - int transposed: boolean deciding whether A or A^T is generated
 **************************************************/
-#ifdef KYBER_90S
-void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
-{
-  unsigned int ctr, i, j, k;
-  unsigned int buflen, off;
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES) buf;
-  aes256ctr_ctx state;
-
-  aes256ctr_init_key(&state, seed);
-
-  for(i=0;i<KYBER_K;i++) {
-    for(j=0;j<KYBER_K;j++) {
-      if(transposed)
-        nonce = (j << 8) | i;
-      else
-        nonce = (i << 8) | j;
-
-      aes256ctr_init_iv_u64(&state, nonce);
-      aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
-      buflen = REJ_UNIFORM_AVX_NBLOCKS*AES256CTR_BLOCKBYTES;
-      ctr = rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs);
-
-      while(ctr < KYBER_N) {
-        off = buflen % 3;
-        for(k = 0; k < off; k++)
-          buf.coeffs[k] = buf.coeffs[buflen - off + k];
-        aes256ctr_squeezeblocks(buf.coeffs + off, 1, &state);
-        buflen = off + AES256CTR_BLOCKBYTES;
-        ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf.coeffs, buflen);
-      }
-
-      poly_nttunpack(&a[i].vec[j]);
-    }
-  }
-  aes256_ctx_release(&state);
-}
-#else
 #if KYBER_K == 2
 void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
 {
@@ -319,6 +281,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[0].vec[2].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[1].vec[0].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
+  shake128x4_inc_ctx_release(&state);
 
   poly_nttunpack(&a[0].vec[0]);
   poly_nttunpack(&a[0].vec[1]);
@@ -352,6 +315,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     buf[3].coeffs[33] = 2;
   }
 
+  shake128x4_inc_init(&state);
   shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
   shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
 
@@ -368,7 +332,6 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
     ctr2 += rej_uniform(a[2].vec[0].coeffs + ctr2, KYBER_N - ctr2, buf[2].coeffs, SHAKE128_RATE);
     ctr3 += rej_uniform(a[2].vec[1].coeffs + ctr3, KYBER_N - ctr3, buf[3].coeffs, SHAKE128_RATE);
   }
-  shake128x4_inc_ctx_release(&state);
 
   poly_nttunpack(&a[1].vec[1]);
   poly_nttunpack(&a[1].vec[2]);
@@ -429,6 +392,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
       buf[3].coeffs[33] = i;
     }
 
+    shake128x4_inc_init(&state);
     shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 34);
     shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state);
 
@@ -454,10 +418,9 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
   shake128x4_inc_ctx_release(&state);
 }
 #endif
-#endif
 
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
@@ -465,10 +428,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[32], int transposed)
 * Arguments:   - uint8_t *pk: pointer to output public key
 *                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 *              - uint8_t *sk: pointer to output private key
-                              (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES])
 {
   unsigned int i;
   uint8_t buf[2*KYBER_SYMBYTES];
@@ -476,31 +442,10 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
   polyvec a[KYBER_K], e, pkpv, skpv;
 
-  randombytes(buf, KYBER_SYMBYTES);
-  hash_g(buf, buf, KYBER_SYMBYTES);
+  hash_g(buf, coins, KYBER_SYMBYTES);
 
   gen_a(a, publicseed);
 
-#ifdef KYBER_90S
-#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) coins; // +32 bytes as required by poly_cbd_eta1
-  aes256ctr_ctx state;
-  aes256ctr_init_u64(&state, noiseseed, nonce++);
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&skpv.vec[i], coins.vec);
-  }
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&e.vec[i], coins.vec);
-  }
-  aes256_ctx_release(&state);
-#else
 #if KYBER_K == 2
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, e.vec+0, e.vec+1, noiseseed, 0, 1, 2, 3);
 #elif KYBER_K == 3
@@ -509,7 +454,6 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
 #elif KYBER_K == 4
   poly_getnoise_eta1_4x(skpv.vec+0, skpv.vec+1, skpv.vec+2, skpv.vec+3, noiseseed,  0, 1, 2, 3);
   poly_getnoise_eta1_4x(e.vec+0, e.vec+1, e.vec+2, e.vec+3, noiseseed, 4, 5, 6, 7);
-#endif
 #endif
 
   polyvec_ntt(&skpv);
@@ -559,30 +503,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   poly_frommsg(&k, m);
   gen_at(at, seed);
 
-#ifdef KYBER_90S
-#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-#define CIPHERTEXTNOISE_NBLOCKS ((KYBER_ETA2*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */
-  uint64_t nonce = 0;
-  ALIGNED_UINT8(NOISE_NBLOCKS*AES256CTR_BLOCKBYTES+32) buf; /* +32 bytes as required by poly_cbd_eta1 */
-  aes256ctr_ctx state;
-  aes256ctr_init_u64(&state, coins, nonce++);
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(buf.coeffs, NOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta1(&sp.vec[i], buf.vec);
-  }
-  for(i=0;i<KYBER_K;i++) {
-    aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-    aes256ctr_init_iv_u64(&state, nonce);
-    nonce += 1;
-    poly_cbd_eta2(&ep.vec[i], buf.vec);
-  }
-  aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state);
-  aes256_ctx_release(&state);
-
-  poly_cbd_eta2(&epp, buf.vec);
-#else
 #if KYBER_K == 2
   poly_getnoise_eta1122_4x(sp.vec+0, sp.vec+1, ep.vec+0, ep.vec+1, coins, 0, 1, 2, 3);
   poly_getnoise_eta2(&epp, coins, 4);
@@ -593,7 +513,6 @@ void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
   poly_getnoise_eta1_4x(sp.vec+0, sp.vec+1, sp.vec+2, sp.vec+3, coins, 0, 1, 2, 3);
   poly_getnoise_eta1_4x(ep.vec+0, ep.vec+1, ep.vec+2, ep.vec+3, coins, 4, 5, 6, 7);
   poly_getnoise_eta2(&epp, coins, 8);
-#endif
 #endif
 
   polyvec_ntt(&sp);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.h b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.h
index 57bd5ead3a..6dd5088c85 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/indcpa.h
@@ -7,9 +7,11 @@
 
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES]);
 
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.c
index c48a955d49..63abc1029c 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.c
@@ -7,6 +7,32 @@
 #include "verify.h"
 #include "symmetric.h"
 #include "randombytes.h"
+/*************************************************
+* Name:        crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+                              uint8_t *sk,
+                              const uint8_t *coins)
+{
+  indcpa_keypair_derand(pk, sk, coins);
+  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+  /* Value z for pseudo-random output on reject */
+  memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+  return 0;
+}
 
 /*************************************************
 * Name:        crypto_kem_keypair
@@ -24,16 +50,14 @@
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-  indcpa_keypair(pk, sk);
-  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_INDCPA_PUBLICKEYBYTES);
-  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Value z for pseudo-random output on reject */
-  randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
+  uint8_t coins[2*KYBER_SYMBYTES];
+  randombytes(coins, 2*KYBER_SYMBYTES);
+  crypto_kem_keypair_derand(pk, sk, coins);
   return 0;
 }
 
 /*************************************************
-* Name:        crypto_kem_enc
+* Name:        crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 *              secret for given public key
@@ -44,20 +68,21 @@ int crypto_kem_keypair(uint8_t *pk,
 *                (an already allocated array of KYBER_SSBYTES bytes)
 *              - const uint8_t *pk: pointer to input public key
 *                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
-                   uint8_t *ss,
-                   const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+                          uint8_t *ss,
+                          const uint8_t *pk,
+                          const uint8_t *coins)
 {
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
-  randombytes(buf, KYBER_SYMBYTES);
-  /* Don't release system RNG output */
-  hash_h(buf, buf, KYBER_SYMBYTES);
+  memcpy(buf, coins, KYBER_SYMBYTES);
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -66,10 +91,32 @@ int crypto_kem_enc(uint8_t *ct,
   /* coins are in kr+KYBER_SYMBYTES */
   indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
+  memcpy(ss,kr,KYBER_SYMBYTES);
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+                   uint8_t *ss,
+                   const uint8_t *pk)
+{
+  uint8_t coins[KYBER_SYMBYTES];
+  randombytes(coins, KYBER_SYMBYTES);
+  crypto_kem_enc_derand(ct, ss, pk, coins);
   return 0;
 }
 
@@ -98,7 +145,7 @@ int crypto_kem_dec(uint8_t *ss,
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
-  ALIGNED_UINT8(KYBER_CIPHERTEXTBYTES) cmp;
+  uint8_t cmp[KYBER_CIPHERTEXTBYTES+KYBER_SYMBYTES];
   const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES;
 
   indcpa_dec(buf, ct, sk);
@@ -108,17 +155,15 @@ int crypto_kem_dec(uint8_t *ss,
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
-  indcpa_enc(cmp.coeffs, buf, pk, kr+KYBER_SYMBYTES);
+  indcpa_enc(cmp, buf, pk, kr+KYBER_SYMBYTES);
 
-  fail = verify(ct, cmp.coeffs, KYBER_CIPHERTEXTBYTES);
+  fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
+  /* Compute rejection key */
+  rkprf(ss,sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES,ct);
 
-  /* Overwrite pre-k with z on re-encryption failure */
-  cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+  /* Copy true key to return buffer if fail is false */
+  cmov(ss,kr,KYBER_SYMBYTES,!fail);
 
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
   return 0;
 }
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.h b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.h
index 3f3eff697c..234f11966b 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/kem.h
@@ -10,28 +10,22 @@
 #define CRYPTO_BYTES           KYBER_SSBYTES
 
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber512-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber512"
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber768-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber768"
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber1024-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber1024"
 #endif
-#endif
+
+#define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/poly.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/poly.c
index 93e246011b..96bad864f2 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/poly.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/poly.c
@@ -361,7 +361,6 @@ void poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly * restrict a)
   }
 }
 
-#ifndef KYBER_90S
 /*************************************************
 * Name:        poly_getnoise_eta1
 *
@@ -399,7 +398,6 @@ void poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t non
   prf(buf.coeffs, KYBER_ETA2*KYBER_N/4, seed, nonce);
   poly_cbd_eta2(r, buf.vec);
 }
-#endif
 
 #ifndef KYBER_90S
 #define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4+SHAKE256_RATE-1)/SHAKE256_RATE)
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/rejsample.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/rejsample.c
index edee6ecd64..9060a44cb9 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/rejsample.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/rejsample.c
@@ -290,7 +290,7 @@ unsigned int rej_uniform_avx(int16_t * restrict r, const uint8_t *buf)
   __m128i f, t, pilo, pihi;
 
   ctr = pos = 0;
-  while(ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 48) {
+  while(ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 56) {
     f0 = _mm256_loadu_si256((__m256i *)&buf[pos]);
     f1 = _mm256_loadu_si256((__m256i *)&buf[pos+24]);
     f0 = _mm256_permute4x64_epi64(f0, 0x94);
@@ -354,7 +354,7 @@ unsigned int rej_uniform_avx(int16_t * restrict r, const uint8_t *buf)
     ctr += _mm_popcnt_u32((good >> 24) & 0xFF);
   }
 
-  while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
+  while(ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 16) {
     f = _mm_loadu_si128((__m128i *)&buf[pos]);
     f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
     t = _mm_srli_epi16(f, 4);
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 
   shake256(out, outlen, extkey, sizeof(extkey));
 }
+
+/*************************************************
+* Name:        kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+  shake256incctx s;
+
+  shake256_inc_init(&s);
+  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+  shake256_inc_finalize(&s);
+  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+  shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h
index 483eabc494..e4941f7a86 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_avx2/symmetric.h
@@ -5,31 +5,6 @@
 #include <stdint.h>
 #include "params.h"
 
-#ifdef KYBER_90S
-
-#include "sha2.h"
-#include "aes256ctr.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) \
-        aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-        aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
-        aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
 #include "fips202.h"
 #include "fips202x4.h"
 
@@ -42,22 +17,18 @@ void kyber_shake128_absorb(shake128incctx *s,
                            uint8_t y);
 
 #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
-void kyber_shake256_prf(uint8_t *out,
-                        size_t outlen,
-                        const uint8_t key[KYBER_SYMBYTES],
-                        uint8_t nonce);
+void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
 
 #define XOF_BLOCKBYTES SHAKE128_RATE
 
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
 #define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
 #define xof_absorb(STATE, SEED, X, Y) kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) \
-        shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) \
-        kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
 
 #endif /* SYMMETRIC_H */
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h
index b34eab9705..70d40f3f3e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/api.h
@@ -6,70 +6,61 @@
 #define pqcrystals_kyber512_SECRETKEYBYTES 1632
 #define pqcrystals_kyber512_PUBLICKEYBYTES 800
 #define pqcrystals_kyber512_CIPHERTEXTBYTES 768
+#define pqcrystals_kyber512_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber512_ENCCOINBYTES 32
 #define pqcrystals_kyber512_BYTES 32
 
 #define pqcrystals_kyber512_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
 #define pqcrystals_kyber512_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
 #define pqcrystals_kyber512_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
+#define pqcrystals_kyber512_ref_KEYPAIRCOINBYTES pqcrystals_kyber512_KEYPAIRCOINBYTES
+#define pqcrystals_kyber512_ref_ENCCOINBYTES pqcrystals_kyber512_ENCCOINBYTES
 #define pqcrystals_kyber512_ref_BYTES pqcrystals_kyber512_BYTES
 
+int pqcrystals_kyber512_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber512_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber512_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber512_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber512_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber512_90s_ref_SECRETKEYBYTES pqcrystals_kyber512_SECRETKEYBYTES
-#define pqcrystals_kyber512_90s_ref_PUBLICKEYBYTES pqcrystals_kyber512_PUBLICKEYBYTES
-#define pqcrystals_kyber512_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber512_CIPHERTEXTBYTES
-#define pqcrystals_kyber512_90s_ref_BYTES pqcrystals_kyber512_BYTES
-
-int pqcrystals_kyber512_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber512_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber512_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber768_SECRETKEYBYTES 2400
 #define pqcrystals_kyber768_PUBLICKEYBYTES 1184
 #define pqcrystals_kyber768_CIPHERTEXTBYTES 1088
+#define pqcrystals_kyber768_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber768_ENCCOINBYTES 32
 #define pqcrystals_kyber768_BYTES 32
 
 #define pqcrystals_kyber768_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
 #define pqcrystals_kyber768_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
 #define pqcrystals_kyber768_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
+#define pqcrystals_kyber768_ref_KEYPAIRCOINBYTES pqcrystals_kyber768_KEYPAIRCOINBYTES
+#define pqcrystals_kyber768_ref_ENCCOINBYTES pqcrystals_kyber768_ENCCOINBYTES
 #define pqcrystals_kyber768_ref_BYTES pqcrystals_kyber768_BYTES
 
+int pqcrystals_kyber768_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber768_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber768_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber768_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber768_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber768_90s_ref_SECRETKEYBYTES pqcrystals_kyber768_SECRETKEYBYTES
-#define pqcrystals_kyber768_90s_ref_PUBLICKEYBYTES pqcrystals_kyber768_PUBLICKEYBYTES
-#define pqcrystals_kyber768_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber768_CIPHERTEXTBYTES
-#define pqcrystals_kyber768_90s_ref_BYTES pqcrystals_kyber768_BYTES
-
-int pqcrystals_kyber768_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber768_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber768_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #define pqcrystals_kyber1024_SECRETKEYBYTES 3168
 #define pqcrystals_kyber1024_PUBLICKEYBYTES 1568
 #define pqcrystals_kyber1024_CIPHERTEXTBYTES 1568
+#define pqcrystals_kyber1024_KEYPAIRCOINBYTES 64
+#define pqcrystals_kyber1024_ENCCOINBYTES 32
 #define pqcrystals_kyber1024_BYTES 32
 
 #define pqcrystals_kyber1024_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
 #define pqcrystals_kyber1024_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
 #define pqcrystals_kyber1024_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
+#define pqcrystals_kyber1024_ref_KEYPAIRCOINBYTES pqcrystals_kyber1024_KEYPAIRCOINBYTES
+#define pqcrystals_kyber1024_ref_ENCCOINBYTES pqcrystals_kyber1024_ENCCOINBYTES
 #define pqcrystals_kyber1024_ref_BYTES pqcrystals_kyber1024_BYTES
 
+int pqcrystals_kyber1024_ref_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
+int pqcrystals_kyber1024_ref_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
-#define pqcrystals_kyber1024_90s_ref_SECRETKEYBYTES pqcrystals_kyber1024_SECRETKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_PUBLICKEYBYTES pqcrystals_kyber1024_PUBLICKEYBYTES
-#define pqcrystals_kyber1024_90s_ref_CIPHERTEXTBYTES pqcrystals_kyber1024_CIPHERTEXTBYTES
-#define pqcrystals_kyber1024_90s_ref_BYTES pqcrystals_kyber1024_BYTES
-
-int pqcrystals_kyber1024_90s_ref_keypair(uint8_t *pk, uint8_t *sk);
-int pqcrystals_kyber1024_90s_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int pqcrystals_kyber1024_90s_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c
index f0129aa046..4a8b4c894f 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.c
@@ -1,5 +1,6 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include "params.h"
 #include "indcpa.h"
 #include "polyvec.h"
@@ -23,10 +24,8 @@ static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
                     polyvec *pk,
                     const uint8_t seed[KYBER_SYMBYTES])
 {
-  size_t i;
   polyvec_tobytes(r, pk);
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    r[i+KYBER_POLYVECBYTES] = seed[i];
+  memcpy(r+KYBER_POLYVECBYTES, seed, KYBER_SYMBYTES);
 }
 
 /*************************************************
@@ -43,10 +42,8 @@ static void unpack_pk(polyvec *pk,
                       uint8_t seed[KYBER_SYMBYTES],
                       const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES])
 {
-  size_t i;
   polyvec_frombytes(pk, packedpk);
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    seed[i] = packedpk[i+KYBER_POLYVECBYTES];
+  memcpy(seed, packedpk+KYBER_POLYVECBYTES, KYBER_SYMBYTES);
 }
 
 /*************************************************
@@ -194,7 +191,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 }
 
 /*************************************************
-* Name:        indcpa_keypair
+* Name:        indcpa_keypair_derand
 *
 * Description: Generates public and private key for the CPA-secure
 *              public-key encryption scheme underlying Kyber
@@ -202,10 +199,13 @@ void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed)
 * Arguments:   - uint8_t *pk: pointer to output public key
 *                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
 *              - uint8_t *sk: pointer to output private key
-                              (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
 **************************************************/
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES])
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES])
 {
   unsigned int i;
   uint8_t buf[2*KYBER_SYMBYTES];
@@ -214,8 +214,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   uint8_t nonce = 0;
   polyvec a[KYBER_K], e, pkpv, skpv;
 
-  randombytes(buf, KYBER_SYMBYTES);
-  hash_g(buf, buf, KYBER_SYMBYTES);
+  hash_g(buf, coins, KYBER_SYMBYTES);
 
   gen_a(a, publicseed);
 
@@ -240,6 +239,7 @@ void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
   pack_pk(pk, &pkpv, publicseed);
 }
 
+
 /*************************************************
 * Name:        indcpa_enc
 *
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h
index 57bd5ead3a..6dd5088c85 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/indcpa.h
@@ -7,9 +7,11 @@
 
 #define gen_matrix KYBER_NAMESPACE(gen_matrix)
 void gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-#define indcpa_keypair KYBER_NAMESPACE(indcpa_keypair)
-void indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                    uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#define indcpa_keypair_derand KYBER_NAMESPACE(indcpa_keypair_derand)
+void indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                           uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+                           const uint8_t coins[KYBER_SYMBYTES]);
 
 #define indcpa_enc KYBER_NAMESPACE(indcpa_enc)
 void indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c
index f376bd236a..63abc1029c 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.c
@@ -1,11 +1,38 @@
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include "params.h"
 #include "kem.h"
 #include "indcpa.h"
 #include "verify.h"
 #include "symmetric.h"
 #include "randombytes.h"
+/*************************************************
+* Name:        crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_keypair_derand(uint8_t *pk,
+                              uint8_t *sk,
+                              const uint8_t *coins)
+{
+  indcpa_keypair_derand(pk, sk, coins);
+  memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+  /* Value z for pseudo-random output on reject */
+  memcpy(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, coins+KYBER_SYMBYTES, KYBER_SYMBYTES);
+  return 0;
+}
 
 /*************************************************
 * Name:        crypto_kem_keypair
@@ -23,18 +50,14 @@
 int crypto_kem_keypair(uint8_t *pk,
                        uint8_t *sk)
 {
-  size_t i;
-  indcpa_keypair(pk, sk);
-  for(i=0;i<KYBER_INDCPA_PUBLICKEYBYTES;i++)
-    sk[i+KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
-  hash_h(sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
-  /* Value z for pseudo-random output on reject */
-  randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
+  uint8_t coins[2*KYBER_SYMBYTES];
+  randombytes(coins, 2*KYBER_SYMBYTES);
+  crypto_kem_keypair_derand(pk, sk, coins);
   return 0;
 }
 
 /*************************************************
-* Name:        crypto_kem_enc
+* Name:        crypto_kem_enc_derand
 *
 * Description: Generates cipher text and shared
 *              secret for given public key
@@ -45,20 +68,21 @@ int crypto_kem_keypair(uint8_t *pk,
 *                (an already allocated array of KYBER_SSBYTES bytes)
 *              - const uint8_t *pk: pointer to input public key
 *                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
 * Returns 0 (success)
 **************************************************/
-int crypto_kem_enc(uint8_t *ct,
-                   uint8_t *ss,
-                   const uint8_t *pk)
+int crypto_kem_enc_derand(uint8_t *ct,
+                          uint8_t *ss,
+                          const uint8_t *pk,
+                          const uint8_t *coins)
 {
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
 
-  randombytes(buf, KYBER_SYMBYTES);
-  /* Don't release system RNG output */
-  hash_h(buf, buf, KYBER_SYMBYTES);
+  memcpy(buf, coins, KYBER_SYMBYTES);
 
   /* Multitarget countermeasure for coins + contributory KEM */
   hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
@@ -67,10 +91,32 @@ int crypto_kem_enc(uint8_t *ct,
   /* coins are in kr+KYBER_SYMBYTES */
   indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
+  memcpy(ss,kr,KYBER_SYMBYTES);
+  return 0;
+}
+
+/*************************************************
+* Name:        crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int crypto_kem_enc(uint8_t *ct,
+                   uint8_t *ss,
+                   const uint8_t *pk)
+{
+  uint8_t coins[KYBER_SYMBYTES];
+  randombytes(coins, KYBER_SYMBYTES);
+  crypto_kem_enc_derand(ct, ss, pk, coins);
   return 0;
 }
 
@@ -95,19 +141,17 @@ int crypto_kem_dec(uint8_t *ss,
                    const uint8_t *ct,
                    const uint8_t *sk)
 {
-  size_t i;
   int fail;
   uint8_t buf[2*KYBER_SYMBYTES];
   /* Will contain key, coins */
   uint8_t kr[2*KYBER_SYMBYTES];
-  uint8_t cmp[KYBER_CIPHERTEXTBYTES];
+  uint8_t cmp[KYBER_CIPHERTEXTBYTES+KYBER_SYMBYTES];
   const uint8_t *pk = sk+KYBER_INDCPA_SECRETKEYBYTES;
 
   indcpa_dec(buf, ct, sk);
 
   /* Multitarget countermeasure for coins + contributory KEM */
-  for(i=0;i<KYBER_SYMBYTES;i++)
-    buf[KYBER_SYMBYTES+i] = sk[KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES+i];
+  memcpy(buf+KYBER_SYMBYTES, sk+KYBER_SECRETKEYBYTES-2*KYBER_SYMBYTES, KYBER_SYMBYTES);
   hash_g(kr, buf, 2*KYBER_SYMBYTES);
 
   /* coins are in kr+KYBER_SYMBYTES */
@@ -115,13 +159,11 @@ int crypto_kem_dec(uint8_t *ss,
 
   fail = verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
 
-  /* overwrite coins in kr with H(c) */
-  hash_h(kr+KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
+  /* Compute rejection key */
+  rkprf(ss,sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES,ct);
 
-  /* Overwrite pre-k with z on re-encryption failure */
-  cmov(kr, sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES, fail);
+  /* Copy true key to return buffer if fail is false */
+  cmov(ss,kr,KYBER_SYMBYTES,!fail);
 
-  /* hash concatenation of pre-k and H(c) to k */
-  kdf(ss, kr, 2*KYBER_SYMBYTES);
   return 0;
 }
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h
index 3f3eff697c..234f11966b 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/kem.h
@@ -10,28 +10,22 @@
 #define CRYPTO_BYTES           KYBER_SSBYTES
 
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber512-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber512"
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber768-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber768"
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define CRYPTO_ALGNAME "Kyber1024-90s"
-#else
 #define CRYPTO_ALGNAME "Kyber1024"
 #endif
-#endif
+
+#define crypto_kem_keypair_derand KYBER_NAMESPACE(keypair_derand)
+int crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
 
 #define crypto_kem_keypair KYBER_NAMESPACE(keypair)
 int crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 
+#define crypto_kem_enc_derand KYBER_NAMESPACE(enc_derand)
+int crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
 #define crypto_kem_enc KYBER_NAMESPACE(enc)
 int crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h
index 3d02a0f9e6..0802c74805 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/params.h
@@ -5,27 +5,14 @@
 #define KYBER_K 3	/* Change this for different security strengths */
 #endif
 
-//#define KYBER_90S	/* Uncomment this if you want the 90S variant */
 
 /* Don't change parameters below this line */
 #if   (KYBER_K == 2)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber512_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber512_ref_##s
-#endif
 #elif (KYBER_K == 3)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber768_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber768_ref_##s
-#endif
 #elif (KYBER_K == 4)
-#ifdef KYBER_90S
-#define KYBER_NAMESPACE(s) pqcrystals_kyber1024_90s_ref_##s
-#else
 #define KYBER_NAMESPACE(s) pqcrystals_kyber1024_ref_##s
-#endif
 #else
 #error "KYBER_K must be in {2,3,4}"
 #endif
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c
index 2317c06276..20f451882e 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric-shake.c
@@ -49,3 +49,26 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 
   shake256(out, outlen, extkey, sizeof(extkey));
 }
+
+/*************************************************
+* Name:        kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES])
+{
+  shake256incctx s;
+
+  shake256_inc_init(&s);
+  shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+  shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+  shake256_inc_finalize(&s);
+  shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+  shake256_inc_ctx_release(&s);
+}
diff --git a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h
index 2f2fb63647..2acc66f98d 100644
--- a/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h
+++ b/src/kem/kyber/pqcrystals-kyber_kyber768_ref/symmetric.h
@@ -5,36 +5,6 @@
 #include <stdint.h>
 #include "params.h"
 
-#ifdef KYBER_90S
-
-#include "aes256ctr.h"
-#include "sha2.h"
-
-#if (KYBER_SSBYTES != 32)
-#error "90s variant of Kyber can only generate keys of length 256 bits"
-#endif
-
-typedef aes256ctr_ctx xof_state;
-
-#define kyber_aes256xof_absorb KYBER_NAMESPACE(kyber_aes256xof_absorb)
-void kyber_aes256xof_absorb(aes256ctr_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-#define kyber_aes256ctr_prf KYBER_NAMESPACE(kyber_aes256ctr_prf)
-void kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_init(STATE, SEED) aes256ctr_init_key(STATE, SEED)
-#define xof_absorb(STATE, SEED, X, Y) kyber_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_release(STATE) aes256_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) kyber_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-#else
-
 #include "fips202.h"
 
 typedef shake128incctx xof_state;
@@ -48,6 +18,9 @@ void kyber_shake128_absorb(shake128incctx *s,
 #define kyber_shake256_prf KYBER_NAMESPACE(kyber_shake256_prf)
 void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
 
+#define kyber_shake256_rkprf KYBER_NAMESPACE(kyber_shake256_rkprf)
+void kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
 #define XOF_BLOCKBYTES SHAKE128_RATE
 
 #define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
@@ -57,8 +30,6 @@ void kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYM
 #define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
 #define xof_release(STATE) shake128_inc_ctx_release(STATE)
 #define prf(OUT, OUTBYTES, KEY, NONCE) kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) shake256(OUT, KYBER_SSBYTES, IN, INBYTES)
-
-#endif /* KYBER_90S */
+#define rkprf(OUT, KEY, INPUT) kyber_shake256_rkprf(OUT, KEY, INPUT)
 
 #endif /* SYMMETRIC_H */
diff --git a/src/oqsconfig.h.cmake b/src/oqsconfig.h.cmake
index 4075938d3d..7165e0725c 100644
--- a/src/oqsconfig.h.cmake
+++ b/src/oqsconfig.h.cmake
@@ -102,13 +102,10 @@
 #cmakedefine OQS_ENABLE_KEM_KYBER 1
 #cmakedefine OQS_ENABLE_KEM_kyber_512 1
 #cmakedefine OQS_ENABLE_KEM_kyber_512_avx2 1
-#cmakedefine OQS_ENABLE_KEM_kyber_512_aarch64 1
 #cmakedefine OQS_ENABLE_KEM_kyber_768 1
 #cmakedefine OQS_ENABLE_KEM_kyber_768_avx2 1
-#cmakedefine OQS_ENABLE_KEM_kyber_768_aarch64 1
 #cmakedefine OQS_ENABLE_KEM_kyber_1024 1
 #cmakedefine OQS_ENABLE_KEM_kyber_1024_avx2 1
-#cmakedefine OQS_ENABLE_KEM_kyber_1024_aarch64 1
 
 #cmakedefine OQS_ENABLE_SIG_DILITHIUM 1
 #cmakedefine OQS_ENABLE_SIG_dilithium_2 1
diff --git a/tests/KATs/kem/kats.json b/tests/KATs/kem/kats.json
index 0ca48ae58e..2aa233c92a 100644
--- a/tests/KATs/kem/kats.json
+++ b/tests/KATs/kem/kats.json
@@ -25,8 +25,8 @@
   "HQC-128": "b9d10eda065c8ff31d40b929ad7f742889544363aa031096850009a882d9d827",
   "HQC-192": "e0aaabf79ac558dc9d5e79a8abe88c313ecad1e55956de323f8811c81d0c0779",
   "HQC-256": "4a5bc02661794464576dc2742636bd6123a3c0fde9dd0b52d9703866beae2f32",
-  "Kyber1024": "5afcf2a568ad32d49b55105b032af1850f03f3888ff9e2a72f4059c58e968f60",
-  "Kyber512": "bb0481d3325d828817900b709d23917cefbc10026fc857f098979451f67bb0ca",
-  "Kyber768": "89e82a5bf2d4ddb2c6444e10409e6d9ca65dafbca67d1a0db2c9b54920a29172",
+  "Kyber1024": "03d6494b74c45d010e61b0328c1ab318c4df3b7f9dbd04d0e35b3468848584b7",
+  "Kyber512": "76aae1fa3f8367522700b22da635a5bc4ced4298edb0eb9947aa3ba60d62676f",
+  "Kyber768": "c7e76b4b30c786b5b70c152a446e7832c1cb42b3816ec048dbeaf7041211b310",
   "sntrup761": "afc42c3a5b10f4ef69654250097ebda9b9564570f4086744b24a6daf2bd1f89a"
 }
\ No newline at end of file