Implementation of PQC Algorithms in libgcrypt
Stephan Mueller
smueller at chronox.de
Mon May 15 17:51:12 CEST 2023
On Monday, 15 May 2023, 17:39:23 CEST, Simon Josefsson via Gcrypt-devel wrote:
Hi Simon,
> Does kyber have any requirements on the API that wouldn't work well with
> any of these?
I am experimenting with Kyber in [1]. For KEM, your API would work.
There you see that I use an additional parameter, an RNG context. This allows
me to also derive Kyber keys straight from a KDF (which is accessed like an
RNG context). But that is not really needed.
However, how do you propose to handle the KEX scenario? See [2] for the full
Kyber KEX exchange and the API. I think the KEX is much more important than
the KEM, as the KEX is conceptually what is DH today. Kyber KEM can be used in
an integrated encryption schema as suggested in [3].
Unfortunately, the Kyber KEX cannot act as a direct replacement for DH,
due to its 7 total steps. However, it is possible to coalesce all of them
into 2 handshake network exchanges and one final data blob that is sent along
with the already encrypted first payload.
[1] https://github.com/smuellerDD/leancrypto/blob/master/kem/api/lc_kyber.h#L121
[2] https://github.com/smuellerDD/leancrypto/blob/master/kem/api/lc_kyber.h#L294
[3] https://github.com/smuellerDD/leancrypto/blob/master/kem/api/lc_kyber.h#L425
Ciao
Stephan