Implementation of PQC Algorithms in libgcrypt

Stephan Mueller smueller at
Mon May 15 17:51:12 CEST 2023

On Monday, 15 May 2023, 17:39:23 CEST, Simon Josefsson wrote via Gcrypt-

Hi Simon,

> Does kyber have any requirements on the API that wouldn't work well with
> any of these?

I am experimenting with Kyber in [1]. For KEM, your API would work.

There you see that I use an additional parameter, an RNG context. This allows 
me to also derive Kyber keys straight from a KDF (which is accessed like an 
RNG context). But that is not really needed.

However, how do you propose to handle the KEX scenario? See [2] for the full 
Kyber KEX exchange and the API. I think the KEX is much more important than 
the KEM, as the KEX is conceptually what is DH today. Kyber KEM can be used in 
an integrated encryption schema as suggested in [3].

Unfortunately, the Kyber KEX cannot act as a direct replacement for DH, 
due to its 7 total steps. However, it is possible to coalesce all of them 
into 2 handshake network exchanges and one final data blob that is sent along 
with the already encrypted first payload.




