[noise] Post-Quantum Kyber and Noise

Trevor Perrin trevp at trevp.net
Thu Jul 6 10:33:29 PDT 2017

On Thu, Jul 6, 2017 at 4:25 PM, Peter Schwabe <peter at cryptojedi.org> wrote:
> Not sure whether this comment is useful, but with a standard KEM API you
> can just plug in DH, but the other way round it's not true. The reason
> is that DH allows non-interactive key agreement, which a KEM doesn't.
> So, in DH, Alice and Bob can send their messages (public keys) without
> having seen the message from the other one before.

Right, and a lot of Noise patterns make use of DH flexibility, e.g. in
XX, both authentications (the server-auth "es" and client-auth "se"
calculations) are based on ephemerals that are sent before the static
public key:

-> e
<- e, ee, s, es
-> s, se

This isn't as nice with a KEM, since the post-quantum authentications
would have to occur later (compare es to kem2, and se to kem3).  This
doesn't affect the hybrid forward-secrecy case though (ee and kem1 are

-> e, e1
<- e, ee, kem1, s, s2, es
-> kem2, s, s3, se
<- kem3
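
The ordering constraint discussed in this message, as an added example that is not part of the original post: a small checker that walks both patterns and reports the message in which each DH or KEM token can first be processed. It assumes kem1, kem2 and kem3 are ciphertexts encapsulated to e1, s2 and s3 respectively; that mapping is inferred from the pattern, not stated in the thread, and `analyze` is a hypothetical helper name.

```python
# Added illustration. Assumption: kemN is a ciphertext encapsulated to a KEM
# public key that the *other* party sent (kem1 -> e1, kem2 -> s2, kem3 -> s3).
KEM_TARGET = {"kem1": "e1", "kem2": "s2", "kem3": "s3"}
# DH tokens: (initiator's key, responder's key); either side can compute them.
DH_KEYS = {"ee": ("e", "e"), "es": ("e", "s"), "se": ("s", "e"), "ss": ("s", "s")}

XX = ["-> e", "<- e, ee, s, es", "-> s, se"]
HYBRID_XX = ["-> e, e1", "<- e, ee, kem1, s, s2, es", "-> kem2, s, s3, se", "<- kem3"]


def analyze(pattern):
    """Return {token: message number} for each DH/KEM token, checking ordering."""
    sent = {"->": {}, "<-": {}}  # direction -> {public-key token: message number}
    done = {}
    for num, line in enumerate(pattern, start=1):
        direction, tokens = line.split(None, 1)
        peer = "<-" if direction == "->" else "->"
        for tok in (t.strip() for t in tokens.split(",")):
            if tok in DH_KEYS:
                ikey, rkey = DH_KEYS[tok]
                # DH: the sender holds its own private key, so a public key sent
                # earlier in this same message is enough.
                if ikey not in sent["->"] or rkey not in sent["<-"]:
                    raise ValueError(f"{tok} in message {num}: public key not yet sent")
                done[tok] = num
            elif tok in KEM_TARGET:
                # KEM: only the receiver of the public key can encapsulate to it,
                # so the key must have arrived in an earlier message from the peer.
                if KEM_TARGET[tok] not in sent[peer]:
                    raise ValueError(f"{tok} in message {num}: peer has not sent "
                                     f"{KEM_TARGET[tok]}")
                done[tok] = num
            else:
                sent[direction][tok] = num  # a public key going on the wire
    return done


if __name__ == "__main__":
    xx, hyb = analyze(XX), analyze(HYBRID_XX)
    print("XX:    ", xx)
    print("hybrid:", hyb)
    # Post-quantum authentications land one message after their DH counterparts.
    print("server auth: es in msg", hyb["es"], "vs kem2 in msg", hyb["kem2"])
    print("client auth: se in msg", hyb["se"], "vs kem3 in msg", hyb["kem3"])
```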

