{"id":1121,"date":"2023-12-04T14:43:25","date_gmt":"2023-12-04T13:43:25","guid":{"rendered":"http:\/\/10.0.1.197\/?p=1121"},"modified":"2024-04-22T18:37:37","modified_gmt":"2024-04-22T16:37:37","slug":"a-fips-140-3-compliant-hybrid-kem-algorithm","status":"publish","type":"post","link":"http:\/\/192.168.0.78\/a-fips-140-3-compliant-hybrid-kem-algorithm\/","title":{"rendered":"A FIPS 140-3 compliant hybrid KEM algorithm"},"content":{"rendered":"\n
Hybrid KEM – Kyber & X25519<\/strong><\/p>\n\n\n\n In addition to the sole use of Kyber KEM, a hybrid mechanism using X25519 can be devised that acts as a drop-in replacement for Kyber KEM. In this case, a PQC algorithm is merged with a classic key establishment algorithm. The basis is the enhancement of the Kyber KEM encapsulation and decapsulation algorithms as follows.<\/p>\n\n\n\n When using the hybrid KEX algorithm<\/a>, instead of the sole KEM encapsulation and decapsulation operations, the hybrid variants that are outlined in the subsequent subsections are used. In addition, the Kyber KEX data along with the X25519 data is exchanged in the same manner as outlined for the standalone Kyber KEX. Thus, the KEX operation is not re-iterated here.<\/p>\n\n\n\n The presented algorithm ensures that even if one algorithm is compromised, the resulting shared secret is still cryptographically strong and compliant with the strength of the uncompromised algorithm. However, it is to be noted that Kyber may have a cryptographic strength of up to 256 bits when using Kyber 1024. On the other hand, the cryptographic strength of X25519 is significantly lower – between 80 and 128 bits – depending on the analysis approach.<\/p>\n\n\n\n Hybrid KEM Key Generation<\/strong> Both public keys and both secret keys are maintained together so that every time the hybrid KEM requires a public key, the Kyber and X25519 public keys are provided. The same applies to the secret keys. Both, pk_hybrid and sk_hybrid are the output of the hybrid KEM key generation operation.<\/p>\n\n\n\n Hybrid KEM Encapsulation<\/strong> The data ct_hybrid is to be shared with the peer that performs the decapsulation operation. Hybrid KEM Decapsulation<\/strong> The operation returns the following data:<\/p>\n\n\n\n The data of ss_hybrid is the raw shared secret obtained as part of the encapsulation operation and must remain secret – it is the same data as calculated during the encapsulation step. It is processed with a KDF as outlined in the section Hybrid KEM Shared Secret Derivation<\/em> below.<\/p>\n\n\n\n Hybrid KEM Shared Secret Derivation<\/strong> Considering that Kyber uses SHAKE \/ SHA-3 in its internal processing, the selected KDF is KMAC256 as defined in SP800-108 rev 1. KMAC is invoked as follows: Hybrid KEX Algorithm<\/strong> This implies that the hybrid KEM as well as the hybrid KEX algorithms are usable as a direct drop-in replacement for the standalone Kyber algorithm use case. The only difference is that the resulting data is larger as it contains the X25519 data as well.<\/p>\n\n\n\n You can download a PDF version of the process here.<\/a>An implementation of both hybrid KEM and hybrid KEX is provided here.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" n addition to the sole use of Kyber KEM, a hybrid mechanism using X25519 can be devised that acts as a drop-in replacement for Kyber KEM. <\/p>\n","protected":false},"author":2,"featured_media":1134,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8],"tags":[],"_links":{"self":[{"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/posts\/1121"}],"collection":[{"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/comments?post=1121"}],"version-history":[{"count":3,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/posts\/1121\/revisions"}],"predecessor-version":[{"id":1131,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/posts\/1121\/revisions\/1131"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/media\/1134"}],"wp:attachment":[{"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/media?parent=1121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/categories?post=1121"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/192.168.0.78\/wp-json\/wp\/v2\/tags?post=1121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
As part of the hybrid KEM key generation, the following steps are performed:<\/p>\n\n\n\n\n
Thus the following holds:<\/p>\n\n\n\n\n
The hybrid KEM encapsulation applies the following steps using the input of the hybrid KEM public key pk_hybrid:<\/p>\n\n\n\n\n
The operation returns the following data:\n\n
On the other hand ss_hybrid is the raw shared secret obtained as part of the encapsulation operation and must remain secret. It is processed with a KDF as outlined in section Hybrid KEM Shared Secret Derivation<\/em>below.<\/p>\n\n\n\n
The hybrid KEM decapsulation applies the following steps using the input of the hybrid KEM secret key sk_hybrid and the public data resulting from the hybrid KEM encapsulation operation ct_hybrid.<\/p>\n\n\n\n\n
\n
To obtain a shared secret of arbitrary length that can be used as key material, a key derivation function is used as allowed by SP800-56C rev 2 section 2:<\/p>\n\n\n\n\n
KMAC256(K = ss_hybrid,
X = ct_hybrid,
L = requested SS length,
S = “Kyber X25519 KEM SS”)
When considering the structure of ss_hybrid and ct_hybrid, the KDF operates on the following specific data:
KMAC256(K = ss_kyber || ss_x25519,
X = ct_kyber || pk_x25519_e,
L = requested SS length,
S = “Kyber X25519 KEM SS”)
The KMAC customization string S is selected arbitrarily and can contain any string including the NULL string.
The result of the KDF is intended to be usable as key material for other cryptographic operations. That derived key material now contains the individual security strengths of both Kyber and X25519. Both algorithms are used such that any security break of either algorithm will not impact the strength of the resulting shared secret of the respective other. By concatenating the individual shared secret values as input into the KDF, the result of the KDF will have the security strength of one algorithm even if the respective other algorithm is broken.<\/p>\n\n\n\n
Using the hybrid KEM algorithm outlined in the preceding subsections, the hybrid KEX algorithm as specified in the documentation of the secure connection approach can be obtained by the following considerations: use of the Kyber KEX approach outlined at the beginning, but apply the following changes:<\/p>\n\n\n\n\n