[Cryptography] Kyber PQC Key Exchange

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 5 02:31:39 EDT 2022


On Thu, Aug 4, 2022 at 4:11 PM Viktor Dukhovni <cryptography at dukhovni.org>
wrote:

> On Sun, Jul 31, 2022 at 11:11:49AM -0400, Phillip Hallam-Baker wrote:
>
> > I am trying to get some info on the mechanism underlying NIST's chosen key
> > exchange, Kyber. [...]
> >
> > So does anyone have a pointer to a YouTube with a good description of the
> > Lattice crypto approach? Just telling me something is a lattice is really
> > telling me nothing at all. It might as well be a Hausdorffian Manifold with
> > Lipschitz signature.
>
> Do you really want to open the black box, or are you looking for a
> better description of the knobs on the front panel?  My guess is mostly
> the latter...
>

Actually, I am trying to understand what I now believe was a misunderstanding
on the part of the cryptographers supposedly providing an explanation.

The NIST competition has a very specific interface which is indeed a black
box that can slot into the same hole that is already in my code.

What people seem to have provided in the 'explanations' is explanations of
what is inside the box. The Kyber algorithm is a Key Encapsulation, it has
plaintext recovery. But the NIST interface requires this to be wrapped so
that what we actually have doesn't allow the key to be chosen by the
encryptor.

> The main difference is that with DH, if you know the recipient's public
> key, you can perform the agreement without the recipient's help.  With
> Kyber, none of the published protocols in figures 1, 2 and 3 on page
> 8 of:
>
>     https://eprint.iacr.org/2017/634.pdf
>
> seem to make it possible to encapsulate a key without a full round-trip.
> But it should be noted that figure 1 is ephemeral-ephemeral, while
> figures 2 and 3 are *authenticated* key agreement protocols.
>

And that paper is 2017 and the algorithm that was selected was not the one
in the paper, there is a wrapper around the IND-CPA functions.

People have been telling me that Kyber requires a complete redesign of
existing systems and that does not appear to be the case at all.

So yes I do actually need to understand more than just the black box
because there are actually two boxes at issue here. There is an outer box
which is the one that NIST selected and there is an inner box.

The confused commentary being provided is coming from people who are
making incorrect assertions about what the algorithm is actually capable of
based on using the IND-CPA primitive directly rather than the KEM-ENC
wrapper selected by NIST.
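
The two-box structure discussed in this message, as an added example that is not part of the original post or of the Kyber reference code: an inner IND-CPA encryption with plaintext recovery, wrapped Fujisaki-Okamoto style as in the Kyber round-3 specification, so the shared key comes out of a hash instead of being chosen by the encapsulator. The inner scheme is a toy hashed-ElGamal stand-in (an assumption: not lattice-based and not secure at this size), and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Inner box: toy IND-CPA PKE (hashed ElGamal). Assumed stand-in, NOT Kyber's
# lattice PKE and not secure at this size; it only supplies enc/dec with coins.
P, G = 2**127 - 1, 3

def H(*parts):
    return hashlib.sha3_256(b"".join(parts)).digest()

def _ib(n):
    return n.to_bytes(16, "big")

def pke_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return _ib(pow(G, sk, P)), sk

def pke_enc(pk, m, coins):  # deterministic once the coins are fixed
    r = int.from_bytes(coins, "big") % (P - 2) + 1
    mask = H(_ib(pow(int.from_bytes(pk, "big"), r, P)))
    return _ib(pow(G, r, P)) + bytes(a ^ b for a, b in zip(m, mask))

def pke_dec(sk, c):  # plaintext recovery: returns the 32-byte message m
    mask = H(_ib(pow(int.from_bytes(c[:16], "big"), sk, P)))
    return bytes(a ^ b for a, b in zip(c[16:], mask))

# Outer box: the KEM wrapper. Coins and pre-key are both hashed out of m and pk.
def _derive(pk, m):
    g = hashlib.sha3_512(m + H(pk)).digest()
    return g[:32], g[32:]  # (pre-key, encryption coins)

def kem_keygen():
    pk, sk = pke_keygen()
    return pk, (sk, pk, secrets.token_bytes(32))  # z: implicit-rejection secret

def kem_encaps(pk, m=None):
    m = secrets.token_bytes(32) if m is None else m
    kbar, coins = _derive(pk, m)
    c = pke_enc(pk, m, coins)
    return c, H(kbar, H(c))  # shared key is bound to pk and the ciphertext

def kem_decaps(sk_kem, c):
    sk, pk, z = sk_kem
    m = pke_dec(sk, c)
    kbar, coins = _derive(pk, m)
    ok = hmac.compare_digest(pke_enc(pk, m, coins), c)  # re-encrypt and compare
    return H(kbar if ok else z, H(c))  # tampered ciphertext yields an unrelated key
```

The interface that remains is keygen, encaps(pk) and decaps(sk, c): the encapsulator needs only the recipient's public key, and the same message m sent to two different public keys produces two different shared keys.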