[noise] Noise HFS Kyber question
dawuud at riseup.net
Mon Feb 4 18:47:24 PST 2019
> The parameter set of Kyber that is closest in terms of security to
> NewHope-1024 is indeed Kyber-1024. For Kyber we recommend the 768
> parameter set as "default", because we believe that it offers the best
> tradeoffs between conservative security margins and performance (in
> particular in terms of ciphertext and public-key sizes). For NewHope,
> there is no parameter set between 512 and 1024, so the recommendation is
> to stay on the safe side and go with 1024.
> Does that help?
I'm not sure if this is a good question for Peter or for someone else to answer
regarding Noise Kyber HFS... I hope this is not too annoying of me to ask on
this mailing list. I had hoped that reading the HFS Kyber specification would
be sufficient for me to implement this Noise extension but it seems like the
specification document is wrong.
Here's the Noise HFS Kyber specification document:
which is linked to from the HFS page on the Noise wiki:
In section 2 it says:
* If `rf` is empty, then set `f.public_key` and `f.private_key`
to the result of `crypto_kem_keypair()`.
* If `rf` is not empty, then set `f.public_key` and `f.shared` to
the ciphertext and shared secret that result from calling
`crypto_kem_enc()` with `rf.public_key`.
If `rf` is not empty, then set the f.public_key to ciphertext?
There is a length mismatch because ciphertext is KYBER_CIPHERTEXTBYTES bytes long
and public keys are KYBER_CIPHERTEXTBYTES bytes long.
For Kyber1024 this means ciphertext len is 4 * 352 + 96 and public key
is len 4 * 352 + 32 which seems like an off by 64 byte error in the spec.
What am I missing?
Isn't the Kyber HFS spec wrong?
Has anyone actually implemented Kyber HFS for Noise?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the Noise