{"id":1121,"date":"2023-12-04T14:43:25","date_gmt":"2023-12-04T13:43:25","guid":{"rendered":"https:\/\/webdev.atsec.us\/?p=1121"},"modified":"2024-04-22T18:37:37","modified_gmt":"2024-04-22T16:37:37","slug":"a-fips-140-3-compliant-hybrid-kem-algorithm","status":"publish","type":"post","link":"https:\/\/webdev.atsec.us\/a-fips-140-3-compliant-hybrid-kem-algorithm\/","title":{"rendered":"A FIPS 140-3 compliant hybrid KEM algorithm"},"content":{"rendered":"\n<p><strong>Hybrid KEM &#8211; Kyber &amp; X25519<\/strong><\/p>\n\n\n\n<p>In addition to the sole use of Kyber KEM, a hybrid mechanism using X25519 can be devised that acts as a drop-in replacement for Kyber KEM. In this case, a PQC algorithm is merged with a classic key establishment algorithm. The basis is the enhancement of the Kyber KEM encapsulation and decapsulation algorithms as follows.<\/p>\n\n\n\n<p>When using the&nbsp;<a href=\"https:\/\/www.chronox.de\/papers\/KyberKEX_2way_handshake_specification.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">hybrid KEX algorithm<\/a>, instead of the sole KEM encapsulation and decapsulation operations, the hybrid variants that are outlined in the subsequent subsections are used. In addition, the Kyber KEX data along with the X25519 data is exchanged in the same manner as outlined for the standalone Kyber KEX. Thus, the KEX operation is not re-iterated here.<\/p>\n\n\n\n<p>The presented algorithm ensures that even if one algorithm is compromised, the resulting shared secret is still cryptographically strong and compliant with the strength of the uncompromised algorithm. However, it is to be noted that Kyber may have a cryptographic strength of up to 256 bits when using Kyber 1024. On the other hand, the cryptographic strength of X25519 is significantly lower &#8211; between 80 and 128 bits &#8211; depending on the analysis approach.<\/p>\n\n\n\n<p><strong>Hybrid KEM Key Generation<\/strong><br><br>As part of the hybrid KEM key generation, the following steps are performed:<\/p>\n\n\n\n<ol>\n<li>Generation of the Kyber key pair yielding the Kyber&nbsp;pk_kyber&nbsp;and&nbsp;sk_kyber.<\/li>\n\n\n\n<li>Generation of the X25519 key pair yielding the X25519&nbsp;pk_x25519&nbsp;and&nbsp;sk_x25519.<\/li>\n<\/ol>\n\n\n\n<p>Both public keys and both secret keys are maintained together so that every time the hybrid KEM requires a public key, the Kyber and X25519 public keys are provided. The same applies to the secret keys.<br><br>Thus the following holds:<\/p>\n\n\n\n<ul>\n<li>pk_hybrid&nbsp;=&nbsp;pk_kyber&nbsp;||&nbsp;pk_x25519<\/li>\n\n\n\n<li>sk_hybrid&nbsp;=&nbsp;sk_kyber&nbsp;||&nbsp;sk_x25519<\/li>\n<\/ul>\n\n\n\n<p>Both,&nbsp;pk_hybrid&nbsp;and&nbsp;sk_hybrid&nbsp;are the output of the hybrid KEM key generation operation.<\/p>\n\n\n\n<p><strong>Hybrid KEM Encapsulation<\/strong><br><br>The hybrid KEM encapsulation applies the following steps using the input of the hybrid KEM public key&nbsp;pk_hybrid:<\/p>\n\n\n\n<ol>\n<li>Invocation of the Kyber encapsulation operation to generate the Kyber shared secret&nbsp;ss_kyber&nbsp;and the Kyber ciphertext&nbsp;ct_kyber&nbsp;using the&nbsp;pk_kyber&nbsp;public key presented with&nbsp;pk_hybrid.<\/li>\n\n\n\n<li>Generation of an ephemeral X25519 key pair&nbsp;pk_x25519_e&nbsp;and&nbsp;sk_x25519_e.<\/li>\n\n\n\n<li>Invocation of the X25519 Diffie-Hellman operation with the X25519 public key&nbsp;pk_x25519&nbsp;provided via&nbsp;pk_hybrid&nbsp;and the ephemeral secret key&nbsp;sk_x25519_e. This generates the shared secret&nbsp;ss_x25519.<\/li>\n\n\n\n<li>Secure deletion of the\u00a0sk_x25519_e\u00a0ephemeral secret key.<br>The operation returns the following data:\n<ul>\n<li>Public data:&nbsp;ct_hybrid&nbsp;=&nbsp;ct_kyber&nbsp;||&nbsp;pk_x25519_e<\/li>\n\n\n\n<li>Secret data:&nbsp;ss_hybrid&nbsp;=&nbsp;ss_kyber&nbsp;||&nbsp;ss_x25519<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>The data&nbsp;ct_hybrid&nbsp;is to be shared with the peer that performs the decapsulation operation.<br><br>On the other hand&nbsp;ss_hybrid&nbsp;is the raw shared secret obtained as part of the encapsulation operation and must remain secret. It is processed with a KDF as outlined in section&nbsp;<em>Hybrid KEM Shared Secret Derivation<\/em>below.<\/p>\n\n\n\n<p><strong>Hybrid KEM Decapsulation<\/strong><br><br>The hybrid KEM decapsulation applies the following steps using the input of the hybrid KEM secret key&nbsp;sk_hybrid&nbsp;and the public data resulting from the hybrid KEM encapsulation operation&nbsp;ct_hybrid.<\/p>\n\n\n\n<ol>\n<li>Invocation of the Kyber decapsulation operation to generate the Kyber shared secret&nbsp;ss_kyber&nbsp;by using&nbsp;ct_kyber&nbsp;present in&nbsp;ct_hybrid&nbsp;and the Kyber secret key&nbsp;sk_kyber&nbsp;found in&nbsp;sk_hybrid.<\/li>\n\n\n\n<li>Invocation of the X25519 Diffie-Hellman operation with the X25519 secret key&nbsp;sk_x25519&nbsp;provided via&nbsp;sk_hybrid&nbsp;and the ephemeral public key&nbsp;pk_x25519_e&nbsp;provided via&nbsp;ct_hybrid&nbsp;which returns the shared secret&nbsp;ss_x25519.<\/li>\n<\/ol>\n\n\n\n<p>The operation returns the following data:<\/p>\n\n\n\n<ul>\n<li>Secret data:&nbsp;ss_hybrid&nbsp;=&nbsp;ss_kyber&nbsp;||&nbsp;ss_x25519<\/li>\n<\/ul>\n\n\n\n<p>The data of&nbsp;ss_hybrid&nbsp;is the raw shared secret obtained as part of the encapsulation operation and must remain secret &#8211; it is the same data as calculated during the encapsulation step. It is processed with a KDF as outlined in the section&nbsp;<em>Hybrid KEM Shared Secret Derivation<\/em>&nbsp;below.<\/p>\n\n\n\n<p><strong>Hybrid KEM Shared Secret Derivation<\/strong><br><br>To obtain a shared secret of arbitrary length that can be used as key material, a key derivation function is used as allowed by SP800-56C rev 2 section 2:<\/p>\n\n\n\n<ul>\n<li>The chosen and KDF is based on SP800-108 rev 1.<\/li>\n\n\n\n<li>In addition, the input to the KDF is formatted such that the entire hybrid KEM construction is compliant with SP800-56C rev 2 assuming that Kyber KEM is the approved algorithm and X25519 provides an auxiliary key agreement mechanism. Thus, section 2 of SP800-56C rev 2 with its requirement&nbsp;Z&#8217; = Z || T&nbsp;is fulfilled by defining the &#8220;standard&#8221; shared secret&nbsp;Z&nbsp;is provided by Kyber and that the auxiliary shared secret&nbsp;T&nbsp;is provided by X25519.<\/li>\n<\/ul>\n\n\n\n<p>Considering that Kyber uses SHAKE \/ SHA-3 in its internal processing, the selected KDF is KMAC256 as defined in SP800-108 rev 1. KMAC is invoked as follows:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; KMAC256(K = ss_hybrid,<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; X = ct_hybrid,<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; L = requested SS length,<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; S = &#8220;Kyber X25519 KEM SS&#8221;)<br><br>When considering the structure of&nbsp;ss_hybrid&nbsp;and&nbsp;ct_hybrid, the KDF operates on the following specific data:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; KMAC256(K = ss_kyber || ss_x25519,<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; X = ct_kyber || pk_x25519_e,<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; L = requested SS length,<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; S = &#8220;Kyber X25519 KEM SS&#8221;)<br><br>The KMAC customization string&nbsp;S&nbsp;is selected arbitrarily and can contain any string including the&nbsp;NULL&nbsp;string.<br><br>The result of the KDF is intended to be usable as key material for other cryptographic operations. That derived key material now contains the individual security strengths of both Kyber and X25519. Both algorithms are used such that any security break of either algorithm will not impact the strength of the resulting shared secret of the respective other. By concatenating the individual shared secret values as input into the KDF, the result of the KDF will have the security strength of one algorithm even if the respective other algorithm is broken.<\/p>\n\n\n\n<p><strong>Hybrid KEX Algorithm<\/strong><br><br>Using the hybrid KEM algorithm outlined in the preceding subsections, the hybrid KEX algorithm as specified in the documentation of the secure connection approach can be obtained by the following considerations: use of the Kyber KEX approach outlined at the beginning, but apply the following changes:<\/p>\n\n\n\n<ol>\n<li>Replace all occurrences of&nbsp;pk&nbsp;with&nbsp;pk_hybrid.<\/li>\n\n\n\n<li>Replace all occurrences of&nbsp;sk&nbsp;with&nbsp;sk_hybrid.<\/li>\n\n\n\n<li>Replace all occurrences of&nbsp;ss&nbsp;with&nbsp;ss_hybrid.&nbsp;<\/li>\n\n\n\n<li>Replace all occurrences of&nbsp;ct&nbsp;with&nbsp;ct_hybrid.<\/li>\n\n\n\n<li>Replace all invocations of the Kyber standalone functions (key generation, encapsulation, decapsulation) with their respective hybrid variants outlined above.<\/li>\n<\/ol>\n\n\n\n<p>This implies that the hybrid KEM as well as the hybrid KEX algorithms are usable as a direct drop-in replacement for the standalone Kyber algorithm use case. The only difference is that the resulting data is larger as it contains the X25519 data as well.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.chronox.de\/papers\/Hybrid_KEM_algorithm.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">You can download a PDF version of the process here.<\/a><a href=\"https:\/\/github.com\/smuellerDD\/leancrypto\" target=\"_blank\" rel=\"noreferrer noopener\">An implementation of both hybrid KEM and hybrid KEX is provided here.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>n addition to the sole use of Kyber KEM, a hybrid mechanism using X25519 can be devised that acts as a drop-in replacement for Kyber KEM. <\/p>\n","protected":false},"author":2,"featured_media":1134,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/posts\/1121"}],"collection":[{"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/comments?post=1121"}],"version-history":[{"count":3,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/posts\/1121\/revisions"}],"predecessor-version":[{"id":1131,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/posts\/1121\/revisions\/1131"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/media\/1134"}],"wp:attachment":[{"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/media?parent=1121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/categories?post=1121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webdev.atsec.us\/wp-json\/wp\/v2\/tags?post=1121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}