Blog

Categories:
18. 3. 2025
Security Cryptography
Quantum Computers Resistant Cryptography - Key Exchange

Quantum Computer-Resistant Cryptography - Key Exchange

Key encapsulation and digital signature algorithms were published as part of the NIST competition. In my opinion, it is appropriate to describe the behavior of these algorithms in a popularization form, i.e. without the use of mathematics. The idea of how these algorithms work can be important to someone. Each of these algorithms has its own specific properties, which may bring certain limitations, these are suitable to understand. A rash implementation of these algorithms or a misunderstanding of their principles can have significant impacts on overall data protection. The first article will deal with the KEM algorithms CRYSTALS-Kyber, HQC and CSIDH. The abbreviation KEM stands for Key Encapsulation Mechanism. The second upcoming article will then deal with the DSA algorithms Falcon, Sphincs++ and the algorithms using Merkle trees. The name DSA stands for Digital Signature Algorithm. This is a family of algorithms and must not be confused with the obsolete standard for the digital DSA signature. Which were built over the Schnorr signature (or, as some sources say, the El-Gamal algorithm,).

Key Encapsulation Mechanism ML-KEM

ML-KEM is the FIPS-203 standard. The principle of key negotiation is quite simple. By using asymmetrical cryptography one party uses the public key of the opposing party to encrypt sensitive data and then sends it to the opposing party. The opposing party can perform the reverse decryption operation because only the opposing party has a private key. As a result, both parties have sensitive data that can be used directly as encryption keys or inserted into the key derivation function (KDF, Key Derivation Funcion). The key can be provided for both parties in the same way. In this case, both sending and receiving communications uses the same key for symmetric ciphers. Another option is to provide two separate keys, one for sending, the other for receiving data. While a symmetric algorithm will still be used, each of the data streams will be encrypted with a different key material. The key exchange process is somewhat reminiscent of the RSA algorithm's functionality.

Functional principle of the ML-KEM aka CRYSTALS-Kyber algorithm (only for the curious)

The algorithm uses a mathematical structure known as grids. This structure is created by repeatedly adding the same vectors. For an example of a grid, you can use tiles. Imagine that you are in a huge tiled room. Each tile has the same size, i.e. length and width (the result is a rectangle). Repeating these tiles produces a regular network pattern on the floor or even on the wall. This pattern is generated by a private key, i.e. the length and width of the tile. If you want to create a public key, you need to use a new one based on the basic grid pattern. It does not have to be rectangular, the vectors can be at any angle. It is important that they do not meet the intersections of the private key network (the underlying grid). For a public key, you will use for example, transparent rhomboid tiles. The values of the length of the rhomboid sides will be the individual parts of the public key. Their derivation is possible just from the mentioned secret key, to which we add uncertainty (error).
In encryption, we take advantage of the complexity of two problems. The first is LWE (Learning with Error), the second is SVP (Shortest Vector Problem). These problems are necessary to know for understanding the whole structure of encryption, but the explanation of each problem must be separated from the other.
LWE is based on the difficulty of finding multiples and the corresponding error for the equation N=v*w+e. In this case, two numbers are multiplied and the error is added. In a similar way, it is possible to multiply the vectors, in the case of encryption on grids it is not in only two dimensions, but the dimensions can be tens or hundreds. A new value of random error is added to each result, which creates noise and makes the attack more difficult. In our example, however, we will still use only two dimensions. It is LWE that is behind the secrecy of private keys, which due to the error value e become murky. The error is different for each edge of the tile (for example, the values -1;0;1). So we don't really know their exact dimensions, transparent tiles in this case won't be that transparent. To make matters worse, transparent tiles (public keys) are derived from private keys, but the private key is kept. At this point, we lose confidence and have to rely only on the pattern we see.
SVP is based on the difficulty of finding out what the shortest path is between two grid points. Specifically, between the point specified by public keys and between the point specified by private keys. If you need to find the shortest vector (shortest distance) from a particular grid point formed by a public key to any point of the grid formed by a private key, through transparent tiles you could find them. But what if we only see a rhomboid image? To make matters worse, what if the tiles aren't two-dimensional, but have a hundred or a thousand dimensions? Suddenly, a quite simple problem becomes a nightmare.
In the case of encryption, the actual encrypted record is broken into small pieces, which are added as an error to each individual transparent tile. The result is irregularities that could be challenged. But mathematics here allows you to create a procedure that translates these irregularities into a shape that is extremely difficult to interpret. So there will be a creation encrypted text. It does not make sense for the attacker and it is not possible to decrypt it just using a public key. But the owner the private key is in a different situation, it can subtract both its errors and the size of the "tiles" that these pieces were used for stuck. The result will be small pieces of encrypted text that only need to be folded into the corresponding shape. This will give the original text before encryption and both sides share the same secret.


Key Size Table for ML-KEM

Private keyPublic keyCiphertext size for 32B plaintext
ML-KEM-5126400b13056b6144b
ML-KEM-7689472b19200b8704b
ML-KEM-102412544b25344b12544b

HQC key encapsulation mechanism, standard in preparation

Recently, in the fourth round of NIST's selection of quantum-resistant algorithms, the HQC algorithm was accepted as the next winner. This algorithm was approved in March 2025, with an estimated release date of the standard sometime next year, i.e. 2026. Again, the key exchange algorithm, i.e. one side generates the key and sends it to the other side. To some extent functionality Reminds the key exchange options using the RSA algorithm.

Functional principle of the HQC algorithm (only for the curious)

The algorithm uses the so-called general linear code decoding problem for data protection. Explanation again required a certain idea and a little trip to history. The first question is what are linear codes. This is a data encoding in ways that can correct errors when transmitting, this mean prevet noise which can intercepts communication. One of the amazing uses is the code for communication with the Voyager spacecraft (Golay [24,12,8] and Reed Solomon). The listed codes provide protection against connection errors while allowing data to be properly decoded. This would not be possible without the self-correcting code provided.
How does this happen? Imagine someone sending out the phrase "Quis custodiet ipsos custodes" in the Morse alphabet? A series of dots and the commas will look like this:
--.- ..- .. ... / -.-. ..- ... - --- -.. .. . - / .. .--. ... --- ... / -.-. ..- ... - --- -.. . ... ..--..
But what to do when radio transmissions are jammed? What if we get a text that looks like this, when will the interference be marked with an X? Will we be able to read the message?
--.XX..X ..XX..XXX-.X.X..- ... XX--- -.X .. . X / .XX.-X. ... XXXX... XX-.-XX..- X.. X ---XX.. XX... ..XX..
Deciphering such a message is challenging and impossible under certain conditions. The sender and receiver generate their private and public keys, where the private key is composed of two vectors. Most bits of each vector are zero and only a few places have ones (sparse structure). The public key is generated on the basis of these private keys it is a control matrix multiplied by the second of the vectors, to which the first vector and a random error value are added.
There are several steps in the encryption of the message. The first, the message is converted into one of the loop codes with self-correcting capability (Reed-Muller or Reed-Solomon) and two working vectors are generated (in the same way as the parts of the private key). The first vector is multiplied with the control matrix and the result is used as the first part of the encrypted data. The second part is formed as a multiple of the public key with the first vector to which the content of the message and the error values are added. The two vectors are sent to the receiver. The receiver can easily remove the noise based on the private key and the received vectors. It multiplies the first part of its private key by the first vector and the second part of its key with the second vector, adds the values and has a message with the self-correcting code. After, there are need to correct noise issues. For some people this is o mathematical spells, but the result is difficult to challenge.


Key Size Table for HQC

Private KeyPublic KeyCiphertext size fo 64B plaintext
HQC-128448b19272b35976b
HQC-192512b36808b72336b
HQC-256576b57960b115880b

CSIDH key agreement algorithm

One of my favorite algorithms, which unfortunately was not selected, is built over a certain class of elliptic curves. Although for most people in the industry, elliptical curves are automatically vulnerable to quantum computers, this is not the case here. Depends on what kind problem provides data protection. On the other hand, the weaker brother of this algorithm (SIDH) was broken within a few hours on a common computer, so it is still necessary to verify its security for some time. But it has a huge advantage. Unlike the previous two algorithms, there is no one-party determination of the secret and subsequent transfer, there is a so-called key agreement. Both parties make a series of calculations and the result is a value equal on both sides. The key is not transferred anywhere, so we lack such algorithm. As will be mentioned below, it has certain security advantages. This sounds a bit like Diffie Helman over elliptic curves, but it is a very simplistic comparison.

Functional principle of the CSIDH algorithm (for the curious only)

As already mentioned here, this is an algorithm over elliptic curves. It sounds complicated, but in the case of cryptography on elliptic curves, modular arithmetic is used. This can be thought of as cropping the graph at a certain distance up and to the right, once this distance is crossed, it starts on the opposite side. In other words, it's as if I rolled the paper into a roll and turned the roll into a tire. Of course, the paper would have to be very flexible. This idea solves contemporary cryptography, but the one that is resistant to quantum computers is even more complicated.
In mathematics, there are so-called invariants. These denote a property that doesn't change. One example is elliptic curves, where their properties can be mutually invariant under certain conditions, so they have something constant and in common. In the case of SIDH/CSIDH, this is a so-called j-invariant (class of isomorphisms). So if we choose several curves that have the same invariant, and at the same time these curves have similar parameters, they can have the same number of points on the curve. In this case, it is possible to form relationships between these points, a kind of map of transitions. The whole principle is how we go through the curves. If we go from one to the other, we can get to the next point on the graph of the curve (on a given line around the circumference of that particular tire). We go to the next curve and we can find the next point again, or we can continue directly by changing the curve. Thanks to our passing key (I stand still, the transition between the curves, the change of a point on the curve), we make a specific map of the path. The paths listed can be complicated, but in the case of calculation, three points are important. The first, where we start. The second, which we change with the counterparty. And finally the third, on which we agree with the counterparty.
In the case of agreement on the keys, the initial curve and a specific point are determined. Each of the parties goes their own way until it gets after a predefined number of repetitions to the place where the key describing the passage through the curves ends. At this point, the two parties exchange their points with the counterparty. They then begin to insert their path map again, this time from the exchanged points. After the end, they must agree on the same result, because in fact, the passage map for the first and second sides has been composed. This algorithm still has a lot of open questions. These may or may not lead to its breaking. But we lack a mechanism capable of ensuring agreement on the keys without having to send the key material from one side to the other.


Key Size Table for CSIDH

Private KeyPublic Key
CSIDH (128)512b512b
CSIDH (192)1024b1024b
CSIDH (256)1792b1792b

Present and overall safety assessment

At the moment the accepted algorithms ML-KEM and HQC are safe, at least on the basis of current knowledge. The first problem is the connection based on current knowledge. As well as showing a possible threat to current algorithms in quantum computers, we may find other threats in the future. We can find other ways of attacking algorithms, or not. That's why why developments in cryptography need to be closely monitored.
Other threats are brought by surprisingly current technologies. The first is an operational threat, which lies in the structure of SSL/TLS. Each of the Record protocol must be smaller than 16384B, with additional values at the TLS level it is possible to extend another 2048B. (TLS Record protocol)+2048B(TLS Overhead)=18432B. If the record is larger, the connection is unlikely to be and will result in an error. This is because of the way the connection is established. In the TLS Handshake, the certificate is transmitted at the same time. And algorithms resistant to quantum computers simply have too large keys and signatures. If the message containing the certificate overflows over the specified value, the connection may not occur. This problem is partly solved by the fragmentation of the certificate (multiple records), but not every implementation supports it. The recommendation is to stick to a maximum of three records, sometimes it is possible to hit several hundred KB. Here, as a rule, TLS libraries supporting fragmentation also crash.
The second problem is the threat in the field of SSL inspection. As in the case of current algorithms, even in the case of quantum-resistant algorithms, SSL inspection protection depends on a suitable configuration. On the inspection system, the decoding of communication occurs thanks to the ability to falsify SSL certificates in an official way. In fact, there is a concatenated connection, where one encrypted communication is between the client and the inspection gate, the other between the inspection gate and the target system. The only reliable protection is the use of mTLS (mutual TLS). This allows to verify both the client and server certificate and at the same time to check the relationship between the client certificate and the user name. Quantum-resistant algorithms do not protect against this threat and it is not their goal. Thus, even in the case of their use it is possible to obtain decrypted data thanks to SSL inspection. Despite all the errors, the inspection has its justification in a large number of cases. Network protection, communication control to exfiltrate data and other purposes are understandable. But it is like any tool, even SSL inspection can be misused.
Thus, overall system security depends not only on the supported algorithms and methods of protection of the transferred data. Current algorithms are safe according to the available data. From an operational point of view, it is extremely important that we have a second algorithm available for key exchange resistant to quantum computers. Better when more are available, ideally with support for key agreement. But these matters must not be rushed and the background mathematics must ripen. Only then will it be possible to deploy other upcoming ones.
From a preventive point of view, it is advisable to consider even one obsolete option. What to do in the event of a technological breakthrough. In such a case, it is advisable to use alternative methods of key distribution at least temporarily. And as a fallback solution can still be served by … couriers. It is perhaps a crazy idea. This is a worst-case scenario, which I do not think will happen. But who is forewarned is also forewarned (Praemonitus, praemunitus.).

Conclusion

From a safety point of view, it is desirable to have several proven alternatives for switching to hybrid or pure post-quantum cryptography. It is excellent that we have different methods of protection at our disposal, but there is still a long way to go to be able to ensure the confidentiality of information in an appropriate manner. That is, including backup alternatives. All mechanisms it is necessary to examine and ensure not only their mathematical but also their implementation safety. It's just a matter of natural development. And it cannot be rushed. In the next part, I will deal with digital signature algorithms and differences, that occur in quantum-proof cryptography.

Reference:

  1. NIST FIPS-203
    Source: https://www.nist.gov/
  2. CRYSTALS Cryptographic Suite for Algebraic Lattices
    Source: https://pq-crystals.org/
  3. HQC (Hamming Quasi-Cyclic)
    Source: https://pqc-hqc.org/
  4. Trade-offs in Post-Quantum Cryptography: A Comparative Assesment of BIKE, HQC and Classic McEliece
    Source: https://ceur-ws.org/
  5. CSIDH: An efficient post-quantum commutative group action
    Source: https://csidh.isogeny.org/
  6. CSIDH: An efficient post-quantum commutative group action presentation
    Source: https://csidh.isogeny.org/

Autor článku:

Jan Dušátko
Jan Dušátko

Jan Dušátko has been working with computers and computer security for almost a quarter of a century. In the field of cryptography, he has cooperated with leading experts such as Vlastimil Klíma or Tomáš Rosa. Currently he works as a security consultant, his main focus is on topics related to cryptography, security, e-mail communication and Linux systems.

Podobné články

Sharing files with SMB protocol and cryptography
16. 9. 2024
Sharing files with SMB protocol and cryptography
Sharing files with NFS protocol and cryptography
17. 9. 2024
Sharing files with NFS protocol and cryptography
Quantum computer resistant algorithms
27. 9. 2024
Quantum computer resistant algorithms
Storing password with Crypt interface
8. 10. 2024
Storing password with Crypt interface
logo

Your learning platform for cryptography
and security.

Jan Dušátko
info@cryptosession.cz
+420 602 427 840

Pod Harfou 938/58
190 00, Praha 9

IČ: 43479766
DIČ: CZ 7208253041

Bank no.:
78-7768770207/0100

© 2025 Cryptosession.cz Design: Lukáš Kejha, Development: Karel Tropp

1. Introductory Provisions

1.1. These General Terms and Conditions are, unless otherwise agreed in writing in the contract, an integral part of all contracts relating to training organised or provided by the trainer, Jan Dušátko, IČ 434 797 66, DIČ 7208253041, with location Pod Harfou 938/58, Praha 9 (next as a „lector“).
1.2. The contracting parties in the general terms and conditions are meant to be the trainer and the ordering party, where the ordering party may also be the mediator of the contractual relationship.
1.3. Issues that are not regulated by these terms and conditions are dealt with according to the Czech Civil Code, i.e. Act No.89/2012 Coll.
1.4. All potential disputes will be resolved according to the law of the Czech Republic.

2. Creation of a contract by signing up for a course

2.1. Application means unilateral action of the client addressed to the trainer through a data box with identification euxesuf, e-mailu with address register@cryptosession.cz or register@cryptosession.info, internet pages cryptosession.cz, cryptosession.info or contact phone +420 602 427 840.
2.2. By submitting the application, the Client agrees with these General Terms and Conditions and declares that he has become acquainted with them.
2.3. The application is deemed to have been received at the time of confirmation (within 2 working days by default) by the trainer or intermediary. This confirmation is sent to the data box or to the contact e-mail.
2.4. The standard time for registration is no later than 14 working days before the educational event, unless otherwise stated. In the case of a natural non-business person, the order must be at least 28 working days before the educational event.
2.5. More than one participant can be registered for one application.
2.6. If there are more than 10 participants from one Client, it is possible to arrange for training at the place of residence of the intermediary or the Client.
2.7. Applications are received and processed in the order in which they have been received by the Provider. The Provider immediately informs the Client of all facts. These are the filling of capacity, too low number of participants, or any other serious reason, such as a lecturer's illness or force majeure. In this case, the Client will be offered a new term or participation in another educational event. In the event that the ordering party does not agree to move or participate in another educational event offered, the provider will refund the participation fee. The lack of participants is notified to the ordering party at least 14 days before the start of the planned term.
2.8. The contract between the provider and the ordering party arises by sending a confirmation from the provider to the ordering party.
2.9. The contract may be changed or cancelled only if the legal prerequisites are met and only in writing.

3. Termination of the contract by cancellation of the application

3.1. The application may be cancelled by the ordering party via e-mail or via a data mailbox.
3.2. The customer has the right to cancel his or her application for the course 14 days before the course takes place without any fees. If the period is shorter, the subsequent change takes place. In the interval of 7-13 days, an administrative fee of 10% is charged, cancellation of participation in a shorter interval than 7 days then a fee of 25%. In case of cancellation of the application or order by the customer, the possibility of the customer's participation in an alternative period without any additional fee is offered. The right to cancel the application expires with the implementation of the ordered training.
3.3. In case of cancellation of the application by the trainer, the ordering party is entitled to a full refund for the unrealized action.
3.4. The ordering party has the right to request an alternative date or an alternative training. In such case, the ordering party will be informed about all open courses. The alternative date cannot be enforced or enforced, it depends on the current availability of the course. If the alternative training is for a lower price, the ordering party will pay the difference. If the alternative training is for a lower price, the trainer will return the difference in the training prices to the ordering party.

4. Price and payment terms

4.1. By sending the application, the ordering party accepts the contract price (hereinafter referred to as the participation fee) indicated for the course.
4.2. In case of multiple participants registered with one application, a discount is possible.
4.3. The participation fee must be paid into the bank account of the company held with the company Komerční banka č. 78-7768770207/0100, IBAN:CZ5301000000787768770207, BIC:KOMBCZPPXXX. When making the payment, a variable symbol must be provided, which is indicated on the invoice sent to the client by the trainer.
4.4. The participation fee includes the provider's costs, including the training materials. The provider is a VAT payer.
4.5. The client is obliged to pay the participation fee within 14 working days of receipt of the invoice, unless otherwise stated by a separate contract.
4.6. If the person enrolled does not attend the training and no other agreement has been made, his or her absence is considered a cancellation application at an interval of less than 7 days, i.e. the trainer is entitled to a reward of 25% of the course price. The overpayment is returned within 14 days to the sender's payment account from which the funds were sent. Payment to another account number is not possible.
4.7. An invoice will be issued by the trainer no later than 5 working days from the beginning of the training, which will be sent by e-mail or data box as agreed.

5. Training conditions

5.1. The trainer is obliged to inform the client 14 days in advance of the location and time of the training, including the start and end dates of the daily programme.
5.2. If the client is not a student of the course, he is obliged to ensure the distribution of this information to the end participants. The trainer is not responsible for failure to comply with these terms and conditions.
5.2. By default, the training takes place from 9 a.m. to 5 p.m. at a predetermined location.
5.3. The trainer can be available from 8 a.m. to 9 a.m. and then from 17 a.m. to 6 p.m. for questions from the participants, according to the current terms and conditions.
5.4. At the end of the training, the certificate of absorption is handed over to the end users.
5.5. At the end of the training, the end users evaluate the trainer's approach and are asked to comment on the evaluation of his presentation, the manner of presentation and the significance of the information provided.

6. Complaints

6.1. If the participant is grossly dissatisfied with the course, the trainer is informed of this information.
6.2. The reasons for dissatisfaction are recorded in the minutes in two copies on the same day. One is handed over to the client and one is held by the trainer.
6.3. A statement on the complaint will be submitted by e-mail within two weeks. A solution will then be agreed within one week.
6.4. The customer's dissatisfaction may be a reason for discontinuing further cooperation, or financial compensation up to the price of the training, after deduction of costs.

7. Copyright of the provided materials

7.1. The training materials provided by the trainer in the course of the training meet the characteristics of a copyrighted work in accordance with Czech Act No 121/2000 Coll.
7.2. None of the training materials or any part thereof may be further processed, reproduced, distributed or used for further presentations or training in any way without the prior written consent of the trainer.

8. Liability

8.1. The trainer does not assume responsibility for any shortcomings in the services of any third party that he uses in the training.
8.2. The trainer does not assume responsibility for injuries, damages and losses incurred by the participants in the training events or caused by the participants. Such costs, caused by the above circumstances, shall be borne exclusively by the participant in the training event.

9. Validity of the Terms

9.1 These General Terms and Conditions shall be valid and effective from 1 October 2024.

Consent to the collection and processing of personal data

According to Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "the Regulation"), the processor xxx (hereinafter referred to as "the Controller") processes personal data. Individual personal data that are part of the processing during specific activities at this web presentation and in the course of trade are also broken down.
Although the collection of data is ubiquitous, the operation of this website is based on the right to privacy of each user. For this reason, the collection of information about users takes place to the extent absolutely necessary and only if the user decides to contact the operator. We consider any further collection and processing of data unethical.

Information about the records of access to the web presentation

This website does not collect any cookies. The site does not use any analytical scripts of third parties (social networks, cloud providers). For these reasons, an option is also offered for displaying the map in the form of a link, where the primary source is OpenStreet and alternatives then the frequently used Maps of Seznam, a.s., or Google Maps of Google LLC Inc. The use of any of these sources is entirely at the discretion of the users of this site. The administrator is not responsible for the collection of data carried out by these companies, does not provide them with data about users and does not cooperate on the collection of data.
Logging of access takes place only at the system level, the reason being the identification of any technical or security problems. Other reasons are overview access statistics. No specific data is collected or monitored in this area and all access records are deleted after three months.

Information about contacting the operator of the site

The form for contacting the operator of the site (administrator) contains the following personal data: name, surname, e-mail. These data are intended only for this communication, corresponding to the address of the user and are kept for the time necessary to fulfil the purpose, up to a maximum of one year, unless the user determines otherwise.

Information about the order form

In case of an interest in the order form, the form contains more data, i.e. name, surname, e-mail and contact details for the organisation. These data are intended only for this communication, corresponding to the address of the user and are kept for one year, unless the user determines otherwise. In the event that a business relationship is concluded on the basis of this order, only the information required by Czech law on the basis of business relations (company name and address, bank account number, type of course and its price) will continue to be kept by the administrator.

Information about the course completion document

Within the course, a course completion document is issued by the processor. This document contains the following data: student's name and surname, the name and date of the course completion and the employer's name. The information is subsequently used for the creation of a linear hash tree (non-modifiable record). This database contains only information about the provided names and company names, which may or may not correspond to reality and is maintained by the processor for possible re-issuance or verification of the document's issuance.

Rights of the personal data subject

The customer or visitor of this website has the possibility to request information about the processing of personal data, the right to request access to personal data, or the right to request the correction or deletion of any data held about him. In the case of deletion, this requirement cannot be fulfilled only if it is not data strictly necessary in the course of business. The customer or visitor of this website also has the right to obtain explanations regarding the processing of his personal data if he finds out or believes that the processing is carried out in violation of the protection of his private and personal life or in violation of applicable legislation, and the right to request removal of the resulting situation and to ensure the correction.
Furthermore, the customer/visitor of this website may request restriction of processing or object to the processing of personal data and has the right to withdraw his/her consent to the processing of personal data at any time in writing, without prejudice to the lawfulness of their processing prior to such withdrawal. For this purpose, the contact e-mail address support@cryptosession.cz is used.
The customer/visitor has the right to file a complaint against the processing of personal data with the supervisory authority, which is the Office for Personal Data Protection.