Score:1

ED25519, RSA, Post Quantum Encryption confirmation


I am working on a chat feature to use both post quantum cryptography along with RSA, and want to confirm my thoughts.

As these algorithms haven't been fully battle-tested, I have decided to use a combination of both PQE and usual public, secret key cryptography.

I decided upon the best algorithms to use for security.

  • Signing: ED25519
  • PQE KEM: McEliece
  • NON-PQE KEM: RSA 4096

We are currently using McEliece's uniformly distributed entropy as a shared secret, but generating an AES-GCM key for use with RSA 4096 public-secret cryptography. I have decided upon ED25519, as no candidates have been chosen for Round 4 signing as of 05/2023.

My current thinking is the following:

Alice:

  • Generate KEM keys
  • Generate RSA keys
  • Generate ED25519 keys
  • Share public portions

Bob:

  • Generate KEM keys
  • Generate RSA keys
  • Generate ED25519 keys
  • Share public portions

KEM

  • Run encapsulation using Alice's KEM public key -> cipher text #1, shared secret #1 (256-bit uniform)

RSA

  • Generate 256-bit AES-GCM key #2 (shared secret)
  • Encrypt ss #2 AES-GCM key using Alice's RSA 4096 n,e public key -> cipher text #2

Message

  • Message: "Hello world!"
  • Encrypt message using shared secret #1 (256-bit uniform / aes key)
  • Encrypt message using shared secret #2 (256-bit AES-GCM key)
  • Sign double encrypted message using Bob's secret ED25519 signing key -> signature

Send

  • Double encrypted message
  • Double encrypted message signature
  • KEM cipher text #1
  • RSA cipher text #2

Alice:

  • Verify double encrypted message signature against Bob's public ED25519 Key
  • Decapsulate KEM cipher text using Alice's secret KEM key -> shared secret #1
  • Decapsulate RSA cipher text using Alice's secret RSA key -> shared secret #2
  • Decrypt message using shared secret #2
  • Decrypt message using shared secret #1
  • "Hello world!"

My questions:

  • Does the above look correct, or are there any changes you think would make sense?
  • Is there an advantage to using RSA's encapsulate rather than encrypt?
  • Should the message be encrypted twice as I assume, or does it make sense to encapsulate the cipher text output from one public-secret key cryptography algorithm?
Eugene Styer:
Why not just generate the two AES keys and exclusive-or them together for the session key?
honzaik:
Just a side note. You say "no candidates have been chosen for Round 4 signing as of 05/2023." NIST has already selected 3 signature algorithms (Dilithium, Falcon, SPHINCS+) that are going to be standardized, and 1 KEM (Kyber) is also standardized. The 4th round is just to select an extra KEM based on a different hard problem than Kyber's. NIST also has a parallel competition for digital signatures that was announced recently (and no submissions are public yet). Also, you seem to generate KEM/RSA keys twice and use only one pair.
honzaik:
Look into https://www.ietf.org/archive/id/draft-ounsworth-cfrg-kem-combiners-03.html, you want to do a hybrid KEM -> derive one secret from the 2 shared secrets and then use it for AES encryption etc. (or to derive more keys)
Jake Nelson:
@honzaik https://csrc.nist.gov/projects/pqc-dig-sig "there are no remaining digital signature candidates under consideration". Sorry for the confusion. Until new PQC signature algorithms are available, we will stick to non-PQC.
Jake Nelson:
Does it make sense to XOR the two keys? Would this reduce the space complexity?
honzaik:
XORing is not CCA-secure. See https://eprint.iacr.org/2018/024.pdf page 7. What do you mean by saving space complexity? The IETF draft is incomplete but afaik the proposal is basically to hash the shared secrets + ciphertexts therefore the output size is small (depends on the hash).
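As an added example, not code from the question or from the IETF draft: a stdlib-only Python sketch of the hash-based combiner honzaik describes (hash the shared secrets together with the ciphertexts), placed next to the plain XOR combiner Eugene suggested so the difference is visible. The sample secrets, ciphertexts, label and byte layout are constructed assumptions; real code would feed in the actual McEliece and RSA outputs.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()            # extract step
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):                # expand step
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def _lp(data: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be re-split ambiguously."""
    return len(data).to_bytes(4, "big") + data

def combine_kem_secrets(secrets_and_cts, label: bytes, length: int = 32) -> bytes:
    """Hash-based KEM combiner: K = HKDF(ss_1 || ss_2 || ..., info = ct_1 || ct_2 || ... || label).
    Every shared secret AND every ciphertext is bound into the output, so a change to
    either component yields an unrelated key. The exact layout (length prefixes, zero
    salt, label) is this example's own assumption, not the draft's wire format."""
    ikm = b"".join(_lp(ss) for ss, _ in secrets_and_cts)
    info = b"".join(_lp(ct) for _, ct in secrets_and_cts) + _lp(label)
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=info, length=length)

def xor_combine(ss1: bytes, ss2: bytes) -> bytes:
    """The naive combiner from the thread: the ciphertexts play no role at all."""
    return bytes(a ^ b for a, b in zip(ss1, ss2))

# Constructed stand-ins for the McEliece and RSA outputs (not real KEM output).
SS_PQ  = bytes.fromhex("11" * 32)          # shared secret #1 (McEliece decapsulation)
CT_PQ  = b"constructed McEliece ciphertext"
SS_RSA = bytes.fromhex("22" * 32)          # shared secret #2 (RSA-wrapped AES key)
CT_RSA = b"constructed RSA-4096 ciphertext"
LABEL  = b"example-chat hybrid-kem v1 aes-256-gcm"   # assumed domain-separation label

def session_key(ct_pq=CT_PQ, ct_rsa=CT_RSA, label=LABEL) -> bytes:
    """Derive the single AES-256-GCM session key from both KEM results."""
    return combine_kem_secrets([(SS_PQ, ct_pq), (SS_RSA, ct_rsa)], label)

if __name__ == "__main__":
    print("hybrid key  :", session_key().hex())
    print("ct tampered :", session_key(ct_rsa=CT_RSA + b"!").hex())  # unrelated key
    print("xor key     :", xor_combine(SS_PQ, SS_RSA).hex())         # blind to any ct
```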