[noise] Noise HFS Kyber question

dawuud dawuud at riseup.net
Mon Feb 4 18:47:24 PST 2019


> The parameter set of Kyber that is closest in terms of security to
> NewHope-1024 is indeed Kyber-1024. For Kyber we recommend the 768
> parameter set as "default", because we believe that it offers the best
> tradeoffs between conservative security margins and performance (in
> particular in terms of ciphertext and public-key sizes). For NewHope,
> there is no parameter set between 512 and 1024, so the recommendation is
> to stay on the safe side and go with 1024.
> 
> Does that help?

Yes thanks.

I'm not sure if this is a good question for Peter or for someone else to answer
regarding Noise Kyber HFS... I hope this is not too annoying of me to ask on
this mailing list. I had hoped that reading the HFS Kyber specification would
be sufficient for me to implement this Noise extension but it seems like the
specification document is wrong.

Here's the Noise HFS Kyber specification document:
https://raw.githubusercontent.com/rweather/noise_spec/kyber/extensions/ext_kyber.md

which is linked to from the HFS page on the Noise wiki:
https://github.com/noiseprotocol/noise_wiki/wiki/Hybrid-Forward-Secrecy

In section 2 it says:

 * **`GENERATE_KEYPAIR_F(rf)`**:
   * If `rf` is empty, then set `f.public_key` and `f.private_key`
     to the result of `crypto_kem_keypair()`.
   * If `rf` is not empty, then set `f.public_key` and `f.shared` to
     the ciphertext and shared secret that result from calling
     `crypto_kem_enc()` with `rf.public_key`.

If `rf` is not empty, then set the f.public_key to ciphertext?
There is a length mismatch because ciphertext is KYBER_CIPHERTEXTBYTES bytes long
and public keys are KYBER_CIPHERTEXTBYTES bytes long.

For Kyber1024 this means ciphertext len is 4 * 352 + 96 and public key
is len 4 * 352 + 32, which seems like an off-by-64-byte error in the spec.

What am I missing?
Isn't the Kyber HFS spec wrong?
Has anyone actually implemented Kyber HFS for Noise?

Cheers,
David
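
The length mismatch raised above, worked through as an added example (not part of the original message, nor code from the Noise or Kyber projects). It uses the 352/96/32-byte terms quoted in the message; the function names, the mapping of k to parameter sets, and the idea that a receiver picks the expected `f` token length by role are assumptions made for illustration.

```python
# Added example, not from the Noise or Kyber code bases.
# Constants are the terms quoted in the message: 352 bytes per entry of the
# compressed polynomial vector, 96 bytes for the extra compressed polynomial
# in a ciphertext, 32 bytes for the seed in a public key.
POLYVEC_ENTRY_BYTES = 352
CT_POLY_BYTES = 96
PK_SEED_BYTES = 32

# Assumption: k = 2, 3, 4 for Kyber-512, -768, -1024.
KYBER_K = {"Kyber512": 2, "Kyber768": 3, "Kyber1024": 4}


def public_key_len(name):
    return KYBER_K[name] * POLYVEC_ENTRY_BYTES + PK_SEED_BYTES


def ciphertext_len(name):
    return KYBER_K[name] * POLYVEC_ENTRY_BYTES + CT_POLY_BYTES


def f_token_len(name, rf_is_empty):
    """Bytes a sender puts on the wire for the `f` token.

    Follows the quoted GENERATE_KEYPAIR_F rule: with no remote value yet the
    sender emits a public key, otherwise it emits a ciphertext.
    """
    return public_key_len(name) if rf_is_empty else ciphertext_len(name)


def read_f_token(message, name, sender_had_rf):
    """Split a handshake message into (f_token, rest); reject short input."""
    need = f_token_len(name, rf_is_empty=not sender_had_rf)
    if len(message) < need:
        raise ValueError(f"f token truncated: need {need}, got {len(message)}")
    return message[:need], message[need:]


if __name__ == "__main__":
    for name in KYBER_K:
        print(name, public_key_len(name), ciphertext_len(name))
    # Constructed message: ciphertext-sized f token plus 16 payload bytes.
    msg = bytes(ciphertext_len("Kyber1024")) + b"\x01" * 16
    token, rest = read_f_token(msg, "Kyber1024", sender_had_rf=True)
    print(len(token), len(rest))
```

A parser that used one fixed length for `f` in both directions would either reject the second message as truncated or hand the last 64 bytes of the ciphertext to the next token.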