Documentation
Overview
Package hybrid defines several hybrid classical/quantum KEMs.
KEMs are combined by simple concatenation of shared secrets, ciphertexts, public keys, etc.; see
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
Note that this is only fine if the shared secret is used in its entirety in a next step, such as being hashed or used as a key.
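The concatenation described above, as an added example that is not code from this package: both components are ECDH-based stand-ins built on the standard library's crypto/ecdh, with P-256 in place of the Kyber half. The names `sizes`, `keygen` and `secret` are hypothetical.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var sizes = []int{32, 65} // encoded public key sizes: X25519, then P-256

// keygen: one key per component, public keys concatenated; P-256 stands in for Kyber.
func keygen() (sks []*ecdh.PrivateKey, pub []byte) {
	for _, c := range []ecdh.Curve{ecdh.X25519(), ecdh.P256()} {
		sk, err := c.GenerateKey(rand.Reader)
		if err != nil {
			panic(err) // no usable randomness
		}
		sks, pub = append(sks, sk), append(pub, sk.PublicKey().Bytes()...)
	}
	return sks, pub
}

// secret splits peer at fixed offsets and concatenates the component secrets.
func secret(sks []*ecdh.PrivateKey, peer []byte) (ss []byte, err error) {
	if len(peer) != sizes[0]+sizes[1] {
		return nil, fmt.Errorf("hybrid: got %d bytes", len(peer))
	}
	for i, sk := range sks {
		pk, err := sk.Curve().NewPublicKey(peer[:sizes[i]])
		if err != nil {
			return nil, err
		}
		s, err := sk.ECDH(pk)
		if err != nil {
			return nil, err
		}
		ss, peer = append(ss, s...), peer[sizes[i]:]
	}
	return ss, nil
}

func main() {
	rsk, rpk := keygen() // recipient: rpk is the concatenated hybrid public key
	esk, ct := keygen()  // sender ephemerals; their public half is the ciphertext
	a, errA := secret(esk, rpk)
	b, errB := secret(rsk, ct)
	ka, kb := sha256.Sum256(a), sha256.Sum256(b) // hash the whole secret, never a slice
	fmt.Println(len(ct), ka == kb, errA, errB)
}
```

A consumer that kept only the first 32 bytes of the 64-byte secret would depend on the X25519 component alone, which is why the whole concatenation goes into the hash.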
For deriving a KEM keypair deterministically and encapsulating deterministically, we expand a single seed to both using SHAKE256, so that a non-uniform seed (such as a shared secret generated by a hybrid KEM where one of the KEMs is weak) doesn't impact just one of the KEMs.
Of our XOF (SHAKE256), we desire two security properties:
1. The internal state of the XOF should be big enough so that we do not lose entropy.
2. From one of the new seeds, we shouldn't be able to derive the other or the original seed.
SHAKE256, and all siblings in the SHA3 family, have a 200B internal state, so (1) is fine if our seeds are less than 200B. If SHAKE256 is computationally indistinguishable from a random sponge, then it affords us 256b security against (2) by the flat sponge claim [https://keccak.team/files/SpongeFunctions.pdf]. None of the implemented schemes claim more than 256b security and so SHAKE256 will do fine.
Constants
This section is empty.
Variables
var ErrUninitialized = errors.New("public or private key not initialized")
Functions
func Kyber1024X448
Returns the hybrid KEM of Kyber1024Draft00 and X448.
func Kyber512X25519
Returns the hybrid KEM of Kyber512Draft00 and X25519.
func Kyber768X25519 (added in v1.3.0)
Returns the hybrid KEM of Kyber768Draft00 and X25519.
func Kyber768X448
Returns the hybrid KEM of Kyber768Draft00 and X448.
func P256Kyber768Draft00 (added in v1.3.3)
Returns the hybrid KEM of Kyber768Draft00 and P-256.
Types
This section is empty.