[noise] Post-Quantum Kyber and Noise

Peter Schwabe peter at cryptojedi.org
Thu Jul 6 09:25:24 PDT 2017

Trevor Perrin <trevp at trevp.net> wrote:

Dear Trevor, der Rhys, dear all,

> [As a minor point, the "KEM" notion returns a secret key as output of
> "encapsulation" and "decapsulation", it's not the case that the caller
> chooses the secret key and the KEM encrypts it, which is what
> "encapsulation" would make you think!  KEM is not a great name, but
> it's what cryptographers have chosen.]
> But you're right there's a difference:
>  - With DH, the second party performs a key-generation to get a
> (public key, private key), and later performs an "ee" DH to get a
> shared secret key.
>  - With KEM, the second party performs an encapsulation to get a
> (ciphertext, shared secret key) right away.

Not sure whether this comment is useful, but with a standard KEM API you
can just plug in DH, but the other way round it's not true. The reason
is that DH allows non-interactive key agreement, which a KEM doesn't.
So, in DH, Alice and Bob can send their messages (public keys) without
having seen the message from the other one before. In a KEM, Bob needs
to see Alice's message (public key) before sending his.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170706/d45321e1/attachment.sig>

More information about the Noise mailing list