-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing KEMs #1
Comments
There's already a pure Rust implementation of Kyber here: https://github.com/Argyle-Software/kyber Unfortunately it doesn't yet implement the That said, since there is an existing pure Rust implementation of Kyber I think it might be more interesting to start with X25519Kyber768. |
Hmm, I guess there's already an implementation of X25519Kyber768 in @rozbb we're trying to decide what to do with this repo and I guess a big question is whether or not it makes sense to extract KEMs from something like rust-hpke into their own per-algorithm crates so they can be used in applications outside HPKE (though what those applications would be, I'm not sure) |
Perhaps something like post-quantum Noise (RWC 2023) or SSH would be good candidates. Snow even has some basic support for Kyber in it due to an older proposed Noise extension. In general it seems like it'd be good for protocols that have their own public key exchanges/formats defined and won't be adopting HPKE. |
Yeah, transport encryption seems like a good use case |
It's merged in an upstream branch: https://github.com/rozbb/rust-hpke/tree/unstable-pq-xyber Note that there are unfortunately two variants of X25519Kyber768: the one used in TLS and the one used in HPKE. The TLS variant was first and doesn't hash the X25519 ciphertext into the shared secret — the HPKE variant does. HPKE needs this to remain IND-CCA2 if either X25519 or Kyber is broken. For TLS this is not required, as it has a transcript. Kyber hashes the ciphertext into the shared secret itself, so there is no need to do that in the hybrid. ML-KEM, the final version of Kyber, is expected not to hash the ciphertext into the shared secret. So for HPKE the hybrid with X25519 needs to hash both the X25519 ciphertext and the Kyber ciphertext. I prefer to converge on the same hybrid for TLS and HPKE for ML-KEM, but those ciphertext hashes aren't completely negligible with respect to performance, so there is a decent chance the TLS working group will want to keep using its own hybrid. |
My understanding is the output of the HPKE KEM is the concatenation of the Kyber and X25519 secrets, with the hashing performed by HPKE? |
HPKE doesn't use X25519 directly, but DHKEM(X25519), which adds some hashing. So the X25519Kyber variant for HPKE also uses DHKEM(X25519) instead of X25519 itself. |
would there be interest in adding KEMs other than the one standardized by NIST, in particular NTRU-prime and McEliece. I also want to ask about the scope of RustCrypto, is it just to offer interfaces or also implementation? |
@oddcoder I've added NTRU Prime and Classic McEliece to the list. We mostly provide algorithm implementations using a common interface (the However, in some cases, primarily https://github.com/rustcrypto/signatures, we have provided some common types that various implementations of the same algorithm can share. The main purpose of this is typically so things like hardware-backed implementations of signature algorithms can "plug in" in place of software implementations via traits. |
Alright then noted, I assume that mean I can try to start implementing NTRU-Prime. Unfortunately I cannot offer proper time line because I do this in my free time. If there is common coding guidelines particular to RustCrypto or anything I should be aware of, please let me know. |
Some broad guidelines now that I've written a KEM impl.
I hope that's helpful and not just idle ranting |
Note: it's also useful for the recently discussed Kyber timing variability in |
This is a tracking issue for KEMs we could potentially add to this repo:
Lacking a better place to put this, I'll stick it here, although if someone wants to implement it in earnest it could probably use its own repo since it isn't a proper "KEM":
The text was updated successfully, but these errors were encountered: