[noise] Post-Quantum Kyber and Noise

Rhys Weatherley rhys.weatherley at gmail.com
Mon Jul 3 03:21:40 PDT 2017


There is a new post-quantum algorithm called Kyber, which comes from the
same family as NewHope.  Where NewHope only supported DH-like ephemeral
operations, Kyber is a key encapsulation method (KEM) that can be used for
both ephemeral and static use cases.  The paper [1] and reference code [2]
are linked below.

I have thrown together a quick draft as to how Kyber could be used for
Hybrid Forward Secrecy (I haven't implemented this - it's all theoretical)
in [3].  This uses Kyber in ephemeral-only mode to augment the forward
secrecy of a classical DH-using Noise handshake.  But Kyber is of course
capable of much more.

To make the best use of Kyber, we need to think about how KEMs in general
would work with Noise.  New tokens?  Hijack existing tokens?  I'm not
really sure right now.

Looking at the paper, some of the mechanics of authenticated key exchange
would come for free from the way Noise's chaining key works.  The paper
talks about hashing together the results of an ephemeral and a static KEM
exchange to generate a common shared key.  We already get that for free
with how es and se work.

Off the top of my head: if we had ekem and skem tokens for example, we
could treat the ephemeral and static parts of the exchange separately and
then get the authenticated aspect by chaining together applications of
MixKey() in the appropriate order.

Cheers,

Rhys.

[1] Paper: https://cryptojedi.org/peter/index.shtml#kyber
[2] Reference code: https://github.com/pq-crystals/kyber
[3] https://github.com/rweather/noise_spec/blob/kyber/extensions/ext_kyber.md
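
An added illustration of the ekem/skem idea in the message above, not code from the original message or from the Noise or Kyber projects: two KEM shared secrets are chained through Noise's MixKey() so that the final key depends on both. The KEM is a toy Diffie-Hellman stand-in (not Kyber, not secure), and the direction of each encapsulation and the protocol name are assumptions.

```python
import hashlib, hmac, secrets

# Toy DH-based KEM stand-in (NOT Kyber, NOT secure), constructed only so the
# MixKey() chaining can run with the Python standard library.
P, G = 2**255 - 19, 2

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def kem_encaps(pk):
    r = secrets.randbelow(P - 2) + 1
    ss = hashlib.sha256(pow(pk, r, P).to_bytes(32, "big")).digest()
    return pow(G, r, P), ss            # (ciphertext, shared secret)

def kem_decaps(sk, ct):
    return hashlib.sha256(pow(ct, sk, P).to_bytes(32, "big")).digest()

def mix_key(ck, ikm):
    # Noise MixKey(): ck, k = HKDF(ck, input_key_material, 2) with HMAC-SHA256.
    temp = hmac.new(ck, ikm, hashlib.sha256).digest()
    out1 = hmac.new(temp, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(temp, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2

def handshake(rs_pk, responder_sk):
    # rs_pk: responder static KEM public key as known to the initiator.
    # responder_sk: static secret key the responding party actually holds.
    ck_i = ck_r = hashlib.sha256(b"Noise_toy_ekem_skem").digest()  # hypothetical name
    # "ekem" (assumed direction): responder encapsulates to initiator's ephemeral key.
    e_sk, e_pk = kem_keygen()
    ct_e, ss_e = kem_encaps(e_pk)
    ck_i, _ = mix_key(ck_i, kem_decaps(e_sk, ct_e))
    ck_r, _ = mix_key(ck_r, ss_e)
    # "skem" (assumed direction): initiator encapsulates to responder's static key.
    ct_s, ss_s = kem_encaps(rs_pk)
    ck_i, k_i = mix_key(ck_i, ss_s)
    ck_r, k_r = mix_key(ck_r, kem_decaps(responder_sk, ct_s))
    return k_i, k_r

if __name__ == "__main__":
    sk, pk = kem_keygen()
    k_i, k_r = handshake(pk, sk)
    print("honest responder, keys match:", k_i == k_r)
    k_i, k_r = handshake(pk, kem_keygen()[0])   # party without the static key
    print("wrong static key, keys match:", k_i == k_r)
```

Because the static shared secret is mixed in after the ephemeral one, a responder that cannot decapsulate the skem ciphertext ends up with a different key even though the ephemeral exchange succeeded.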