[Cryptography] Kyber PQC Key Exchange

Natanael natanael.l at gmail.com
Thu Aug 4 10:32:54 EDT 2022


On Thu, 4 Aug 2022 at 02:33, Phillip Hallam-Baker <phill at hallambaker.com>
wrote:

> I am trying to get some info on the mechanism underlying NIST's chosen key
> exchange, Kyber. So far the most accessible explanation is the Python
> implementation.
>
> [...]
>
> At least some of the information I have received is inconsistent. I am
> told that I can't use Kyber as a drop-in for ECDH because it is an
> interactive key exchange. The API seems to suggest otherwise. From a
> protocol design point of view, there is really no difference between a Key
> Agreement and a Key Encapsulation that can't be fixed with a bit of Key
> Wrap.
>
> The use case I have in mind is:
>
> 1) Alice exchanges public keys with Bob.
> 2) Alice writes a Word document and encrypts to Bob's public key
> 3) Alice puts enveloped Word document on thumb drive and mails it to Bob
> 4) Bob gets the thumb drive and decrypts the document.
>
> From what was said at the CFRG meeting, I was expecting I might have to do
> an El Gamal like move and create an ephemeral key pair per document to
> encrypt. But that doesn't seem to be the case looking at the API.
>

I can't help with the math, but what I recall is that it needs multiple
round-trips to negotiate a key, therefore you must communicate before you
can send encrypted data. Regular DH can do "0 RTT" if the recipient's
public key was already shared, as you noted, because you don't need
additional information. However this algorithm needs an extra round of
messages first.