[Cryptography] Kyber PQC Key Exchange
Viktor Dukhovni
cryptography at dukhovni.org
Fri Aug 5 13:04:29 EDT 2022
On Fri, Aug 05, 2022 at 02:31:39AM -0400, Phillip Hallam-Baker wrote:
> > Do you really want to open the black box, or are you looking for a
> > better description of the knobs on the front panel? My guess is mostly
> > the latter...
> >
>
> Actually, I am trying to understand what I now believe was misunderstanding
> on the part of the cryptographers supposedly providing an explanation.
>
> The NIST competition has a very specific interface which is indeed a
> black box that can slot into the same hole that is already in my code.
Right, we have a *layered* black box, and some of the knobs are hidden
on the inside. It may be too early to speculate about which operating
modes will be available when the standards are finalised. So some
confusion is perhaps to be expected at this time?
> What people seem to have provided in the 'explanations' is
> explanations of what is inside the box. The Kyber algorithm is a Key
> Encapsulation, it has plaintext recovery. But the NIST interface
> requires this to be wrapped so that what we actually have doesn't
> allow the key to be chosen by the encryptor.
TLS and similar ephemeral-ephemeral interactive protocols seem to be the
primary initial use-cases and the 1-RTT schemes are also *contributory*.
0-RTT unilateral key wrap may not yet have been in scope. We'll have to
wait and see what other operating modes are standardised (perhaps I
missed publication of Kyber-based proposed standard constructions of
this type).
> So yes I do actually need to understand more than just the black box
> because there are actually two boxes at issue here. There is an outer
> box which is the one that NIST selected and there is an inner box.
Indeed, and yes the published expository material is still often
confusingly incomplete.
--
Viktor.
More information about the cryptography
mailing list