
I am designing a Hybrid Key exchange library using x25519 and Kyber, and the scheme I have in mind is as follows:

Alice sending a file/message to Bob:

Bob's Kyber public key + Random Data -> KEM => ciphertext, Kyber shared secret
Bob's Ed25519 public key + Alice's Ed25519 Secret Key + Kyber ciphertext -> X25519 => x25519 shared secret
Kyber shared secret + X25519 shared secret -> KDF => encryption key

Alice encrypts the file/message using the encryption key and sends it to Bob with the Kyber ciphertext.

Bob receiving a file/message from Alice:

Kyber ciphertext + Bob's secret key -> KEM => Kyber Shared Secret
Bob's Ed25519 secret key + Alice's Ed25519 public key -> X25519 => X25519 Shared Secret
Kyber shared secret + X25519 shared secret -> KDF => decryption key

Bob decrypts the message using the decryption key.

To simplify the restoration of these keys, I wanted to use the Ed25519 secret key (which is 64 bytes) to derive the Kyber key (specified in draft-schwabe-cfrg-kyber). However, if the Ed25519 key is found by a quantum computer, it can be used to derive the Kyber key as well.

Can using a method like BIP32, which uses CKD to derive multiple elliptic curves from a seed, prevent that from happening?

1 Answer


You can usually compress the key generation of a few primitives to the generation of a suitably long secret random seed. Then use a PRG to derive as many seeds as needed. Each resulting seed then feeds the key generation routine of each primitive.

A concrete example would use HKDF to derive two seeds: Generate a random 256-bit seed $s$. Then, produce $$k_1, k_2 = \text{HKDF}(s, \text{"unique-info-string"}, 2).$$

$k_1, k_2$ can be used as Ed25519 secret key and the key generation seed for Kyber. You could use another round of HKDF to generate the two seeds used in the key generation of Kyber, as described in the draft you've linked.

Note that, in this case, you don't need the full power of HKDF. HKDF-Expand is sufficient.

Marc Ilunga
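A worked version of the answer's two-round derivation, added here as an example; it is not code from the answer, the question, or any library. HKDF-Expand is implemented from RFC 5869 with HMAC-SHA256 using only the standard library; the info strings, the 32-byte master seed, and the split of the Kyber seed into two 32-byte values d and z are assumptions.

```python
import hmac
import hashlib
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), i = 1..N."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output is limited to 255 * HashLen bytes")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_hybrid_seeds(master_seed: bytes) -> dict:
    """Expand one 32-byte random seed s into independent per-primitive seeds.

    Round 1 (the answer's k_1, k_2): one call yields the Ed25519 seed and a
    Kyber seed. Round 2: the Kyber seed is expanded again into the two
    32-byte key-generation inputs (assumed here to be the draft's d and z).
    The info strings are domain separators chosen for this example.
    """
    if len(master_seed) != 32:
        raise ValueError("master seed must be 32 bytes (256 bits)")
    okm = hkdf_expand(master_seed, b"hybrid-x25519-kyber-seeds-v1", 2 * 32)
    ed25519_seed, kyber_seed = okm[:32], okm[32:]
    # The 32-byte Ed25519 seed is the RFC 8032 private key; the 64-byte
    # libsodium-style secret key is (seed || public key) derived from it.
    kyber_okm = hkdf_expand(kyber_seed, b"kyber-keygen-seeds-v1", 2 * 32)
    return {
        "ed25519_seed": ed25519_seed,
        "kyber_d": kyber_okm[:32],
        "kyber_z": kyber_okm[32:],
    }


def new_master_seed() -> bytes:
    """The only value that needs to be stored or backed up."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    seeds = derive_hybrid_seeds(new_master_seed())
    for name, value in seeds.items():
        print(name, value.hex())
```

Restoring the key pair only requires the master seed; re-running derive_hybrid_seeds on it reproduces every per-primitive seed deterministically.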