--- title: 'Noise Extension: Hybrid Forward Secrecy with Kyber' author: 'Rhys Weatherley (rhys.weatherley@gmail.com)' revision: '1draft' date: '2017-07-03' --- 1. Introduction --------------- This document describes the post-quantum key exchange algorithm Kyber and provides information for using it with the Noise protocol and the Hybrid Forward Secrecy extension. Kyber [1] is a post-quantum key-encapsulation mechanism (KEM) based on the hardness of Module-LWE (Learning With Errors). The KEM is similar in behaviour to the classical RSA algorithm in that Alice generates a random value, encrypts it with the Bob's public key, and then sends that to Bob. Using his public key, Bob can recover the random value and decrypt any ciphertext that follows. With the reference implementation of Kyber [2], public keys are 1088 bytes in size, private keys are 1248 bytes in size, and the encrypted ciphertext values are 1184 bytes in size. The result is a 32-byte shared secret. In this extension, the initiator generates a Kyber keypair and sends the public key to the responder. The responder generates a random shared secret and encrypts it with the public key. The encrypted value is sent back to initiator who decrypts it with their private key to recover the shared secret. At the end of the Noise handshake, all key values are discarded. Other HFS primitives such as 25519, 448, and NewHope derive an emphemeral shared secret through mutual agreement with both parties possessing a keypair. The Kyber CCA transform that we use here has mutual/contributory behaviour as well despite only using a single keypair: both parties contribute to the final result and neither party can solely determine the value of the shared secret. 2. Definition of `Kyber` for use in Noise ----------------------------------------- The name of the algorithm shall be `Kyber`. In this definition, we use the function names from the `kem.c` file in the reference implementation of Kyber [2]: * `crypto_kem_keypair()` returns the 1088-byte public and 1248-byte private components of a new random keypair. * `crypto_kem_enc()` generates a 1184-byte ciphertext and a 32-byte secret given a remote 1088-byte public key. * `crypto_kem_dec()` recovers a 32-byte secret given a 1184-byte ciphertext and a local 1248-byte private key. The function and constants for hybrid forward secrecy are defined formally as follows: * **`GENERATE_KEYPAIR_F(rf)`**: * If `rf` is empty, then set `f.public_key` and `f.private_key` to the result of `crypto_kem_keypair()`. * If `rf` is not empty, then set `f.public_key` and `f.shared` to the ciphertext and shared secret that result from calling `crypto_kem_enc()` with `rf.public_key`. * **`FF(key_pair, public_key)`**: If `key_pair` was generated by `GENERATE_KEYPAIR_F(rf)` with an empty `rf`, then return the result of `crypto_kem_dec(key_pair.private_key, public_key)`. Otherwise return `key_pair.shared` and ignore `public_key`. * **`FLEN1`** = 1088 * **`FLEN2`** = 1184 * **`FFLEN`** = 32 3. Examples ----------- The following are examples of protocol names involving Kyber: * `Noise_XXhfs_25519+Kyber_AESGCM_SHA256` * `Noise_XXfallback+hfs_448+Kyber_ChaChaPoly_BLAKE2b` 4. Discussion ------------- Kyber has support for static keys in addition to the ephemeral key mechanism described above. This extension does not currently describe how Kyber could be used with static keys in Noise, although we certainly do not rule out the possibility. The formulation here is a little odd in that it is trying to use a KEM to perform the role of an ephemeral DH-like function. If Noise had native support for KEM functions, perhaps though the addition of new tokens, then it would be easier to incorporate Kyber into Noise with both ephemeral and static key roles. 5. References ------------- [1] Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, and Damien Stehlé [CRYSTALS – Kyber: a CCA-secure module-lattice-based KEM](https://cryptojedi.org/peter/index.shtml#kyber). [2] [Reference implementation of Kyber](https://github.com/pq-crystals/kyber).