[Cryptography] Kyber-448 and Dilithium-448

Phillip Hallam-Baker phill at hallambaker.com
Thu Feb 2 12:30:51 EST 2023


I have running code for a threshold key infrastructure but now people want
Post Quantum and there is no PQC threshold scheme I can use yet. So I am
going to need to use some form of hybrid.

The basis for threshold is to say that we know we cannot prevent every
possible compromise but we can design systems so that *more than one*
compromise must occur for a breach to be possible.

So in the current Mesh code, William creates a working group, Group-W on a
key server with members {Alice, Bob, Mallet}. Each member has one half of a
key share operation with the service (each user has a different share).

Mallet can read as much data as he likes for as long as he is a member of
the group. But once he has been ejected from the group, he only has a key
share; he cannot decrypt any more data unless the service is compromised.

This still leaves William as a single point of failure, so let us split the
admin role for the group between William and Mary (not currently
implemented but could be).

So the possible sets of parties who can compromise the system are

* William + Mary
* Alice + Service
* Bob + Service
* Mallet + Service
* Q

Where Q is a party capable of performing Quantum Cryptanalysis.

If we try to use Kyber on its own to defend against Q, we end up with a
system with no separation of roles at all beyond splitting the operational
role. There are several ways we could go about this but they all force us
to choose between security and convenience in ways that are certain to lead
to breaches.

So, instead of using just Kyber or just X.448 to encrypt data, we create
hybrid keypairs with a Kyber and X.448 component. I am currently calling
this Kyber-448. There is only one Kyber keypair and the private key is held
by the key service. This allows us to achieve the following as possible
breach conditions.

* William + Mary
* Alice + Service
* Bob + Service
* Mallet + Service
* Q + Service

So basically, having the ability to do quantum cryptanalysis does provide
the attacker with an advantage, but it is a limited one: they cannot achieve
a breach unless the service is also breached, and we can expect that any
party that was deploying this type of infrastructure would also be using
HSMs to control access to the private key.

So for convenience, I am going to be using Kyber-448 and Dilithium-448 as
follows:

Kyber-448 = Kyber-1024 + X.448
Dilithium-448 = Dilithium-5 + Ed448

We could specify Kyber-25519 as well but I cannot see the point. I have
never seen the point of AES-192 because everyone is always going to use 128
or go all the way to 256, and I cannot see why anyone who cares enough to
use any PQC algorithm would do anything other than the level 5 strength
algorithms.


Comments?
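Added example (my own code, not the Mesh implementation described in the post): the X448 half of such a hybrid with the private scalar split between a group member and the key service, so that decryption needs the service's share, the member's share, and the PQ secret together. Assumptions not taken from the post: the split is multiplicative (public key = s1*s2*G), the two KEM secrets are combined with SHAKE256 over both secrets and both ciphertexts, and because no Kyber-1024 implementation is included, the Kyber shared secret and ciphertext are passed in as constructed byte strings.

```python
import hashlib, secrets
# Assumed construction, not the Mesh code: multiplicative X448 split + SHAKE256 combiner.
P, A24, G = 2**448 - 2**224 - 1, 39081, 5  # RFC 7748 X448 field, (A-2)/4, base u

def clamp(k: bytes) -> int:
    b = bytearray(k); b[0] &= 252; b[55] |= 128   # RFC 7748 X448 clamping
    return int.from_bytes(b, "little")

def x448(scalar: bytes, u: int) -> int:
    """RFC 7748 Montgomery ladder: u-coordinate of clamp(scalar) * u."""
    k, x1 = clamp(scalar), u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(447, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def keygen_split():
    """Assumed split (not from the post): member holds s1, service holds s2,
    and the group public key is (s1*s2)*G, so neither share alone is the key."""
    s1, s2 = secrets.token_bytes(56), secrets.token_bytes(56)
    return s1, s2, x448(s1, x448(s2, G))

def combine(pq_ss: bytes, dh_ss: int, pq_ct: bytes, dh_ct: int) -> bytes:
    """Hybrid KDF: both shared secrets and both ciphertexts bound into one key."""
    u, c = dh_ss.to_bytes(56, "little"), dh_ct.to_bytes(56, "little")
    return hashlib.shake_256(b"Kyber-448" + pq_ss + u + pq_ct + c).digest(32)

def encap(pub: int, pq_ss: bytes, pq_ct: bytes):
    """Sender side; pq_ss/pq_ct are the Kyber-1024 outputs, produced elsewhere."""
    e = secrets.token_bytes(56)
    dh_ct = x448(e, G)                       # ephemeral public value sent along
    return dh_ct, combine(pq_ss, x448(e, pub), pq_ct, dh_ct)

def decap_threshold(s1, s2, dh_ct, pq_ss, pq_ct):
    """Service applies s2 (it also holds the Kyber key); member finishes with s1."""
    partial = x448(s2, dh_ct)                # s2*e*G: useless without s1
    return combine(pq_ss, x448(s1, partial), pq_ct, dh_ct)   # s1*s2*e*G = e*pub
```

Ejecting Mallet then means the service simply stops applying s2 for him; his s1 alone yields a value the combiner never accepts, and a Q-capable attacker who recovers the X448 part still needs the service-held Kyber secret.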