X-Wing is a hybrid key encapsulation mechanism (KEM) designed to resist cryptanalysis by future, powerful quantum computers while remaining secure against classical (i.e., non-quantum) attacks should the underlying, relatively new, post-quantum algorithm turn out to be weak. It combines the classical X25519 ECDH key exchange with ML-KEM-768 as the post-quantum algorithm. It is used to establish a shared secret between two communicating parties that an (IND-CCA2) attacker on the transmission channel cannot recover.[1]

Hybrid key exchange


X-Wing implements a hybrid key exchange, meaning that it combines multiple key exchange algorithms to produce one shared secret. This is motivated by the transition to post-quantum cryptography,[2] whose algorithms have undergone less cryptanalysis than the classical ones. To ensure that the key exchange is not weakened by these post-quantum algorithms, the two key exchanges are combined in such a way that if one is completely broken, the system retains the security properties of the unbroken algorithm.

Key derivation


While ML-KEM-768 is IND-CCA2 secure, X25519 is not.[1] X-Wing therefore relies on the IND-CCA2 property of ML-KEM-768 while including the X25519 public key and ciphertext in the final key derivation. This final key derivation uses SHA3-256 to combine the (already IND-CCA2-secure) ML-KEM-768 shared secret with the X25519 shared secret, public key and ciphertext.

Any modification by an attacker to the public key or ciphertext results in a different derived key, so any subsequent key confirmation will fail.
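The combiner described above, as an added educational example in Python (not the X-Wing reference implementation): a compact RFC 7748 X25519 and a SHA3-256 combiner over the ML-KEM-768 shared secret, the X25519 shared secret, ciphertext and public key, followed by a check that a tampered X25519 ciphertext yields a different key. The ML-KEM-768 shared secret is a constructed random stand-in, and the input ordering and the omission of a domain-separation label are assumptions of this example; the X-Wing specification fixes both.

```python
import hashlib
import os

P = 2**255 - 19                     # Curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, little-endian

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (educational; not constant-time)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64            # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                      # Montgomery ladder
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def xwing_combine(ss_m: bytes, ss_x: bytes, ct_x: bytes, pk_x: bytes) -> bytes:
    """SHA3-256 over the four inputs the article names. The input order and the
    omission of a domain-separation label are assumptions of this example; the
    X-Wing specification fixes the exact encoding."""
    return hashlib.sha3_256(ss_m + ss_x + ct_x + pk_x).digest()

def demo() -> dict:
    sk_x, esk = os.urandom(32), os.urandom(32)   # receiver key, encapsulator ephemeral
    pk_x, ct_x = x25519(sk_x, BASEPOINT), x25519(esk, BASEPOINT)
    ss_m = os.urandom(32)     # constructed stand-in for the ML-KEM-768 shared secret
    k_enc = xwing_combine(ss_m, x25519(esk, pk_x), ct_x, pk_x)   # encapsulator's key
    k_dec = xwing_combine(ss_m, x25519(sk_x, ct_x), ct_x, pk_x)  # receiver's key
    # An attacker flipping one bit of the X25519 ciphertext in transit changes both the
    # hashed ciphertext and the X25519 shared secret, so the receiver derives a different key.
    bad_ct = bytes([ct_x[0] ^ 1]) + ct_x[1:]
    k_tampered = xwing_combine(ss_m, x25519(sk_x, bad_ct), bad_ct, pk_x)
    return {"agree": k_enc == k_dec, "tamper_detected": k_tampered != k_enc}
```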

Limitations


X-Wing, and KEMs in general, provide no authentication of the key exchange. A separate authentication scheme is needed to verify that the key exchange was carried out with a trusted party,[3] and this is not part of the X-Wing mechanism.

In general, a hybrid KEM incurs a small performance penalty compared to a post-quantum-only algorithm.[4]

References

  1. Barbosa, Manuel; Connolly, Deirdre; Duarte, João Diogo; Kaiser, Aaron; Schwabe, Peter; Varner, Karolin; Westerbaan, Bas (2024-04-09). "X-Wing". IACR Communications in Cryptology. 1 (1). doi:10.62056/a3qj89n4e. ISSN 3006-5496.
  2. Stebila, Douglas; Fluhrer, Scott; Gueron, Shay (2024-04-05). Hybrid key exchange in TLS 1.3 (Report). Internet Engineering Task Force.
  3. Boyd, Colin; de Kock, Bor; Millerjord, Lise (2023-07-05). "Modular Design of KEM-Based Authenticated Key Exchange". Lecture Notes in Computer Science. Berlin, Heidelberg: Springer-Verlag. pp. 553–579. doi:10.1007/978-3-031-35486-1_24. ISBN 978-3-031-35485-4.
  4. Giron, Alexandre Augusto; Nascimento, João Pedro Adami do; Custódio, Ricardo; Perin, Lucas Pandolfo (2022). Post-Quantum Hybrid KEMTLS Performance in Simulated and Real Network Environments. Retrieved 2024-09-17.