[Cryptography] Kyber PQC Key Exchange
Stephan Mueller
smueller at chronox.de
Thu Aug 4 01:19:13 EDT 2022
Am Sonntag, 31. Juli 2022, 17:11:49 CEST schrieb Phillip Hallam-Baker:
Hi Phillip,
> I am trying to get some info on the mechanism underlying NIST's chosen key
> exchange, Kyber. So far the most accessible explanation is the Python
> implementation.
>
> If we are going to adopt a new approach to public key, some of us will want
> to understand it. And academic papers that spend the entire time
> referring to the differences with the previous papers are really no help at
> all.
>
> So does anyone have a pointer to a YouTube with a good description of the
> Lattice crypto approach? Just telling me something is a lattice is really
> telling me nothing at all. It might as well be a Hausdorffian Manifold with
> Lipschitz signature.
>
> At least some of the information I have received is inconsistent. I am told
> that I can't use Kyber as a drop in for ECDH because it is an interactive
> key exchange. The API seems to suggest otherwise. From a protocol design
> point of view, there is really no difference between a Key Agreement and a
> Key Encapsulation that can't be fixed with a bit of Key Wrap.
>
> The use case I have in mind is:
>
> 1) Alice exchanges public keys with Bob.
> 2) Alice writes a Word document and encrypts to Bob's public key
> 3) Alice puts enveloped Word document on thumb drive and mails it to Bob
> 4) Bob gets the thumb drive and decrypts the document.
I have integrated Kyber into my small little crypto library. During that
process, unfortunately I have not fully understood yet what mathematical
problem truly is the heart of the issue that is not solvable without the keys.
But I have fully documented the Kex operation in [1] and [2] which should
answer your 2nd part of your question.
>
> From what was said at the CFRG meeting, I was expecting I might have to do
> an El Gamal like move and create an ephemeral key pair per document to
> encrypt. But that doesn't seem to be the case looking at the API.
It is creating an ephemeral key, see [1] and [2].
>
> Then I find mention of 'malleability' which seems utterly odd to me since
> that is an integrity issue and not a confidentiality concern. And I can't
> find the word 'malleable' in the paper.
>
> From my point of view as a protocol designer, I am really not in the least
> bit concerned about the key sizes, ~1500 bytes is only a concern if you
> need to squeeze public keys into a single Ethernet packet and only then
> because the IEEE can't pull its finger out and give us 64K frames. [That is
> easier than they imagine, just limit the CRC check to the first 1000 bytes
> of a packet so that it covers the headers and allows misrouting of packets
> to be avoided. Payload integrity is now a transport concern.]
[1] Unilateral: https://github.com/smuellerDD/leancrypto/blob/master/kem/api/
lc_kyber.h#L171
[2] Authenticated: https://github.com/smuellerDD/leancrypto/blob/master/kem/
api/lc_kyber.h#L280
>
>
> NIST announcement
> NIST Announces First Four Quantum-Resistant Cryptographic Algorithms | NIST
> <https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-qua
> ntum-resistant-cryptographic-algorithms>
>
> Kyber home page
> Kyber (pq-crystals.org) <https://pq-crystals.org/kyber/index.shtml>
>
> Kyber submission
> kyber-specification-round3-20210804.pdf (pq-crystals.org)
> <https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf>
Ciao
Stephan
More information about the cryptography
mailing list