This is an issue of Cryptography Dispatches, my lightly edited newsletter on cryptography engineering.

They're here! NIST selected a first batch of post-quantum cryptographic key exchange and signature algorithms. The report is a nice read that explains a lot of the goals, candidates, selections, and rationales. I recommend Sections 2, 3.3, and 4.1.

For key exchange, NIST selected only CRYSTALS-Kyber, a KEM with IND-CCA2 security based on structured lattices, a successor of NewHope, with 800-byte keys and ciphertexts (although the authors recommend using the category 3 parameters, with 1184-byte public keys and 1088-byte ciphertexts). Four other KEMs based on codes and isogenies are continuing to a fourth round that will select a key exchange fallback in case lattices turn out to be a bad idea.

What's a KEM and what does it mean for it to have IND-CCA2 security? A Key Encapsulation Method is an implementation of the following API.

```
KeyGen() -> public key, secret key
Encapsulate(public key) -> ciphertext, shared key
Decapsulate(secret key, ciphertext) -> shared key
```

One way to implement a KEM that you might already be familiar with is with Elliptic Curve Diffie-Hellman. In ECDH, the ciphertext is more commonly called the peer or ephemeral share.
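The KEM API above, implemented with ECDH as the text describes; this is an added example, not code from the newsletter or from NIST. It assumes X25519 from Go's standard `crypto/ecdh`, returns the key pair as a single private key object, and the helper name `exchange` and the SHA-256 step over the ECDH output, ciphertext and public key are choices of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyGen() -> secret key; the public key is sk.PublicKey().Bytes().
func KeyGen() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// exchange is used by both sides: X25519 against the peer's share, then a hash.
func exchange(sk *ecdh.PrivateKey, peer, ct, pk []byte) ([]byte, error) {
	p, err := ecdh.X25519().NewPublicKey(peer) // rejects wrong-length shares
	if err != nil {
		return nil, err
	}
	dh, err := sk.ECDH(p) // rejects low-order shares (all-zero output)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{dh, ct, pk}, nil)) // assumed KDF
	return key[:], nil
}

// Encapsulate(public key) -> ciphertext, shared key
func Encapsulate(pk []byte) (ct, key []byte, err error) {
	esk, err := KeyGen() // fresh ephemeral key pair for every encapsulation
	if err == nil {
		ct = esk.PublicKey().Bytes() // the "ciphertext" is the ephemeral share
		key, err = exchange(esk, pk, ct, pk)
	}
	return ct, key, err
}

// Decapsulate(secret key, ciphertext) -> shared key
func Decapsulate(sk *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	return exchange(sk, ct, ct, sk.PublicKey().Bytes())
}

func main() {
	sk, _ := KeyGen()
	ct, k1, _ := Encapsulate(sk.PublicKey().Bytes())
	k2, err := Decapsulate(sk, ct)
	fmt.Println(len(ct), bytes.Equal(k1, k2), err)
}
```

The ciphertext here is just the 32-byte ephemeral public key, which is why ECDH protocols call it a share rather than a ciphertext.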