Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [kem]

For questions about Key Encapsulation Mechanisms (KEMs). KEMs are frequentely used in Cryptography to create public key encryption schemes and are a way to formalize a specific subset of hybrid encryption schemes where derivation of a message space element are used as the key rather than directly a key.

65 questions
9
votes
3 answers

Key Exchange vs Key Encapsulation

From what I understand, the steps of a key exchange protocol are Alice and Bob each encrypt something using their public key and private key and send the result to each other Alice and Bob each do some mechanism with their private key and the…
user76015
  • 91
  • 1
  • 2
9
votes
3 answers

Why did post-quantum key exchanges go extinct?

On July 5, 2022, NIST chooses one KEM (Key Encapsulation Mechanism) as a PQC standard and 4 KEMs as four-round candidates. Why aren't there any key exchanges? Similarly, KEMs are usually studied in literature. The post-quantum key exchanges in…
user
  • 313
  • 2
  • 8
7
votes
1 answer

Differences between NewHope-CPA-KEM and NewHope-CCA-KEM

According to the web page for NewHope, an R-LWE post-quantum key encapsulation mechanism (KEM) candidate for standardization, it comes in types that are IND-CPA or IND-CCA secure. I know what CPA and CCA security are, but I don't understand the…
forest
  • 15,626
  • 2
  • 49
  • 103
6
votes
2 answers

Using XOR to derive a data key for ECIES

I have been thinking about a rather simple enhancement for (EC)IES / RSA-KEM. The scheme would allow you to encrypt data while the calculation of the session / data key can be performed afterwards or in parallel. It would also allow you to encrypt…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
5
votes
1 answer

Openssl speed vs TLS speed with post-quantum KEM

I'm studying the performance of post-quantum KEM in TLS with the OQS (OQS is a project that integrate liboqs to openssl). I don't know why, but the KEM algorithms performance in TLS is 10 times slower than using the openssl speed command. For…
jmr
  • 95
  • 5
5
votes
1 answer

What are the public key and output sizes for the four remaining PQC KEM candidates?

Currently there are only 4 direct candidates left that provide KEM. Generally performance seems to be "OK" for those candidates. However, the key and encapsulated key sizes (i.e. the output size of the algorithm) may require some interesting tweaks…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
5
votes
1 answer

Use RSA keys to derive AES key

I have 2 end points where I would like to derive the same AES key. Every end point has its own RSA key pair and RSA public key from the other end point, and I would like to combine them somehow on both sides to derive the same symmetric key. How it…
user1563721
  • 583
  • 4
  • 17
5
votes
1 answer

Attacks exploiting decryption failures in KYBER

I am going through the portion mentioned under the heading Original KYBER analysis inside Section 5.5 titled Attacks exploiting decryption failures. $${\sf Pr}[\|v\|> k\sigma \sqrt{m}]< k^m e^{\frac{m}{2}(1-k^2)} \hskip5em (1)$$ Equation $1$ is used…
Swaminathan V
  • 161
  • 8
4
votes
1 answer

How decryption failure reveals information about the secret key?

I have been studying the CRYSTALS-KYBER cryptosystem and came across the description of a Decryption Failure Attack in the paper. The specific part (Section 5.5 https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf) that caught…
ABCD
  • 95
  • 4
4
votes
0 answers

What are the binding properties of post-quantum KEMs?

Performing a key exchange with post-quantum KEMs is very different to ECDH, which will likely cause vulnerabilities in protocols during the migration to post-quantum cryptography. One example is that different KEMs can have different binding…
samuel-lucas6
  • 2,211
  • 9
  • 20
3
votes
1 answer

Can a KEM shared secret be used directly as a symmetric key?

As an example, both Classic-McEliece and Kyber KEMs produce 32 byte shared secrets. How convenient since that's exactly the size I need for an AES-256 key! Is this safe to do? My question can be formalized into these (I believe) equivalent questions…
Mike Ounsworth
  • 3,717
  • 1
  • 20
  • 29
3
votes
2 answers

How does TLS with PQC use key encapsulation?

As there don't seem to be any PQC alternatives for Diffie-Hellman (DH / ECDH), DH must have been replaced by key encapsulation using an ephemeral key pair. However, since TLS 1.3 always performs ephmemeral key agreement during the handshake I think…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
3
votes
1 answer

Key transport vs key encapsulation?

What exactly is the difference between key transport and key encapsulation? Either they seem to be used interchangeably or I'm mixing stuff up.
Daniel B
  • 357
  • 2
  • 11
3
votes
2 answers

Doing RSA-KEM with RSA-OAEP

I am fiddling around with the JS Web Crypto API and creating a hybrid encryption system that uses a symmetric key to encrypt form data with AES256-CBC and and a public/private key-pair to wrap/encapsulate the symmetric key using RSA-OAEP. Currently…
HenningCash
  • 133
  • 5
3
votes
1 answer

Authenticate encrypted seed for KEM + AEAD hybrid cryptosystem

Say I want to encrypt something using RSA / KEM and an authenticated cipher. I encrypt using the following scheme: generate random seed z using n - 1 bits - where n is the size of the modulus N interpret the seed z as unsigned number and encrypt…
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
1
2 3 4 5