[noise] Post-Quantum Kyber and Noise
Peter Schwabe
peter at cryptojedi.org
Thu Jul 6 09:25:24 PDT 2017
Trevor Perrin <trevp at trevp.net> wrote:
Dear Trevor, der Rhys, dear all,
> [As a minor point, the "KEM" notion returns a secret key as output of
> "encapsulation" and "decapsulation", it's not the case that the caller
> chooses the secret key and the KEM encrypts it, which is what
> "encapsulation" would make you think! KEM is not a great name, but
> it's what cryptographers have chosen.]
>
> But you're right there's a difference:
> - With DH, the second party performs a key-generation to get a
> (public key, private key), and later performs an "ee" DH to get a
> shared secret key.
> - With KEM, the second party performs an encapsulation to get a
> (ciphertext, shared secret key) right away.
Not sure whether this comment is useful, but with a standard KEM API you
can just plug in DH, but the other way round it's not true. The reason
is that DH allows non-interactive key agreement, which a KEM doesn't.
So, in DH, Alice and Bob can send their messages (public keys) without
having seen the message from the other one before. In a KEM, Bob needs
to see Alice's message (public key) before sending his.
Cheers,
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170706/d45321e1/attachment.sig>
More information about the Noise
mailing list