[Cryptography] Kyber PQC Key Exchange

Sun Jul 31 11:11:49 EDT 2022

I am trying to get some info on the mechanism underlying NIST's chosen key
exchange, Kyber. So far the most accessible explanation is the Python
implementation.

If we are going to adopt a new approach to public key, some of us will want
to understand it. And academic papers that spend the entire time
referring to the differences with the previous papers are really no help at
all.

So does anyone have a pointer to a YouTube with a good description of the
Lattice crypto approach? Just telling me something is a lattice is really
telling me nothing at all. It might as well be a Hausdorffian Manifold with
Lipschitz signature.

At least some of the information I have received is inconsistent. I am told
that I can't use Kyber as a drop in for ECDH because it is an interactive
key exchange. The API seems to suggest otherwise. From a protocol design
point of view, there is really no difference between a Key Agreement and a
Key Encapsulation that can't be fixed with a bit of Key Wrap.

The use case I have in mind is:

1) Alice exchanges public keys with Bob.
2) Alice writes a Word document and encrypts to Bob's public key
3) Alice puts enveloped Word document on thumb drive and mails it to Bob
4) Bob gets the thumb drive and decrypts the document.

>From what was said at the CFRG meeting, I was expecting I might have to do
an El Gamal like move and create an ephemeral key pair per document to
encrypt. But that doesn't seem to be the case looking at the API.

Then I find mention of 'malleability' which seems utterly odd to me since
that is an integrity issue and not a confidentiality concern. And I can't
find the word 'malleable' in the paper.

>From my point of view as a protocol designer, I am really not in the least
bit concerned about the key sizes, ~1500 bytes is only a concern if you
need to squeeze public keys into a single Ethernet packet and only then
because the IEEE can't pull its finger out and give us 64K frames. [That is
easier than they imagine, just limit the CRC check to the first 1000 bytes
of a packet so that it covers the headers and allows misrouting of packets
to be avoided. Payload integrity is now a transport concern.]

NIST announcement
NIST Announces First Four Quantum-Resistant Cryptographic Algorithms | NIST
<https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms>

Kyber home page
Kyber (pq-crystals.org) <https://pq-crystals.org/kyber/index.shtml>

Kyber submission
kyber-specification-round3-20210804.pdf (pq-crystals.org)
<https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20220731/c621fec3/attachment.htm>