Questions tagged [kem]

For questions about Key Encapsulation Mechanisms (KEMs). KEMs are frequently used in cryptography to create public-key encryption schemes. They formalize a specific subset of hybrid encryption schemes in which a derivation of a message-space element is used as the key, rather than a key being used directly.

30 questions
6
votes
2 answers

Using XOR to derive a data key for ECIES

I have been thinking about a rather simple enhancement for (EC)IES / RSA-KEM. The scheme would allow you to encrypt data while the calculation of the session / data key can be performed afterwards or in parallel. It would also allow you to encrypt…
Maarten Bodewes
6
votes
2 answers

Key Exchange vs Key Encapsulation

From what I understand, the steps of a key exchange protocol are Alice and Bob each encrypt something using their public key and private key and send the result to each other Alice and Bob each do some mechanism with their private key and the…
6
votes
1 answer

Differences between NewHope-CPA-KEM and NewHope-CCA-KEM

According to the web page for NewHope, an R-LWE post-quantum key encapsulation mechanism (KEM) candidate for standardization, it comes in types that are IND-CPA or IND-CCA secure. I know what CPA and CCA security are, but I don't understand the…
5
votes
1 answer

What are the public key and output sizes for the four remaining PQC KEM candidates?

Currently there are only 4 direct candidates left that provide KEM. Generally performance seems to be "OK" for those candidates. However, the key and encapsulated key sizes (i.e. the output size of the algorithm) may require some interesting tweaks…
Maarten Bodewes
5
votes
1 answer

Use RSA keys to derive AES key

I have 2 end points where I would like to derive the same AES key. Every end point has its own RSA key pair and RSA public key from the other end point, and I would like to combine them somehow on both sides to derive the same symmetric key. How it…
user1563721
4
votes
1 answer

Openssl speed vs TLS speed with post-quantum KEM

I'm studying the performance of post-quantum KEM in TLS with the OQS (OQS is a project that integrates liboqs into openssl). I don't know why, but the KEM algorithms performance in TLS is 10 times slower than using the openssl speed command. For…
jmr
4
votes
3 answers

Why did post-quantum key exchanges go extinct?

On July 5, 2022, NIST chooses one KEM (Key Encapsulation Mechanism) as a PQC standard and 4 KEMs as four-round candidates. Why aren't there any key exchanges? Similarly, KEMs are usually studied in literature. The post-quantum key exchanges in…
user
3
votes
1 answer

Can a KEM shared secret be used directly as a symmetric key?

As an example, both Classic-McEliece and Kyber KEMs produce 32 byte shared secrets. How convenient since that's exactly the size I need for an AES-256 key! Is this safe to do? My question can be formalized into these (I believe) equivalent questions…
Mike Ounsworth
3
votes
1 answer

Key transport vs key encapsulation?

What exactly is the difference between key transport and key encapsulation? Either they seem to be used interchangeably or I'm mixing stuff up.
3
votes
2 answers

Doing RSA-KEM with RSA-OAEP

I am fiddling around with the JS Web Crypto API and creating a hybrid encryption system that uses a symmetric key to encrypt form data with AES256-CBC and a public/private key-pair to wrap/encapsulate the symmetric key using RSA-OAEP. Currently…
HenningCash
3
votes
1 answer

Authenticate encrypted seed for KEM + AEAD hybrid cryptosystem

Say I want to encrypt something using RSA / KEM and an authenticated cipher. I encrypt using the following scheme: generate random seed z using n - 1 bits - where n is the size of the modulus N interpret the seed z as unsigned number and encrypt…
Maarten Bodewes
3
votes
1 answer

CRYSTALS-KYBER versus FrodoKEM, what makes each of them different than the other?

NIST's main recommendation for encryption/decryption mechanism is CRYSTALS-KYBER. Whereas, the BSI (German equivalent) chooses FrodoKEM. As far as my knowledge goes both these mechanisms use LWE lattice problem for their cryptographic…
2
votes
1 answer

Grover algorithm for public key cryptography - FrodoKEM

I am wondering if one can apply Grover algorithm on a key encapsulation mechanism in order to crack the shared key. For example, FrodoKEM is a key generation protocol that, for some parameters, shares 128 key bits. Can we break it using Grover? i.e.…
C.S.
2
votes
1 answer

What is the extra defense that McEliece 6960119 and 6688128 have that 8192128 does not?

From https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/official-comments/Classic-McEliece-round3-official-comment.pdf The 8192128 parameter set is bigger, but the 6960119 and 6688128 parameter sets include an…
2
votes
2 answers

How does TLS with PQC use key encapsulation?

As there don't seem to be any PQC alternatives for Diffie-Hellman (DH / ECDH), DH must have been replaced by key encapsulation using an ephemeral key pair. However, since TLS 1.3 always performs ephemeral key agreement during the handshake I think…
Maarten Bodewes