Post-Quantum Hybrid Encryption with Ballerina
- Udara Pathum
- Senior Software Engineer - WSO2
As highlighted in the Quantum-Safeness of WSO2 Products blog, there is an urgent need for alternative asymmetric encryption methods. Post-quantum algorithms (Q) are gradually gaining prominence but require time to establish trust within the industry. Therefore, combining classical (C) and post-quantum (Q) Key Encapsulation Mechanisms (KEMs) ensures resilience against classical and quantum attacks.
The Ballerina Swan Lake Update 9 release adds support for post-quantum secure end-to-end encryption. This update also introduces new APIs for the C + Q hybrid encryption algorithm: RSA-KEM-ML-KEM-768-HPKE.
RSA-KEM-ML-KEM-768-HPKE is a hybrid public key encryption (HPKE) algorithm that combines the conventional RSA-KEM with the post-quantum ML-KEM-768. It serves as a robust alternative to traditional public key encryption methods, promising protection against both traditional and post-quantum threats.
C+Q Hybrid Public Key Encryption (HPKE)
Two key pairs are used for this hybrid encryption scheme: the RSA key pair and the ML-KEM-768 key pair. An RSA key pair consists of an RSA private key and an RSA public key as defined in Section 3 of RFC 8017: PKCS #1. An ML-KEM-768 key pair consists of an ML-KEM-768 private key and an ML-KEM-768 public key as defined in Section 5.1 of FIPS 203: ML-KEM Standard.
Figure 1: Hybrid Public Key Encryption with RSA and (ML-KEM) Kyber
Let’s assume a scenario where the sender (S) wants to send encrypted data to the receiver (R) using C+Q Hybrid Public Key Encryption.
- R initiates by generating two distinct key pairs: one using RSA and the other with ML-KEM-768.
- R then forwards both public keys to S, ensuring S’s access to the necessary encryption keys.
- S, upon receipt of the public keys, generates two keys using two Key Encapsulation Mechanisms (KEMs): RSA-KEM and ML-KEM-768. These keys are concatenated to form the shared secret for symmetric encryption.
- Using the shared secret, S encrypts the data and transmits the encrypted data to R together with the shared secret in its encapsulated form, which only the holder of both private keys can open.
Upon receiving the encrypted data and the encapsulated shared secret from the sender (S), the receiver (R) undertakes the following steps to decrypt the information:
- R recovers the shared secret (SS) from the received data by decrypting the concatenated keys with its RSA private key and its ML-KEM-768 private key.
- With the shared secret (SS) now obtained, R decrypts the encrypted data utilizing symmetric encryption, effectively revealing the original message.
- The decrypted data is now accessible to R, completing the secure exchange initiated by S.
Post-Quantum HPKE with Ballerina
Implementing the described encryption and decryption process in Ballerina can be done via a series of steps.
Key Pair Generation
Both RSA and ML-KEM-768 key pairs need to be generated separately by the receiver.
RSA: Tools such as OpenSSL or Keytool can be used to create a PKCS12 keystore containing an RSA key pair. Here’s a general outline of the process:
ML-KEM-768: Use the Java tool provided in Kyber Keystore Generator to generate an ML-KEM-768 key pair.
Encryption
In this setup, a Ballerina client serves as the Sender. It uses two public certificates to encrypt a payload. Subsequently, the encrypted payload (ciphertext), along with the encapsulated shared secret (`encapsulatedSecret`), is dispatched to the receiver.
Decryption
On the other end, a Ballerina server plays the role of the Receiver. Upon receiving the encrypted payload from the Sender, it uses its private keys to decrypt the payload.
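The Encryption and Decryption steps above can be exercised as a single round trip with the `ballerina/crypto` module. This is an added example, not code from the original post; the keystore paths, alias, passwords and the `sealPayload`/`openPayload` helper names are placeholders chosen for illustration.

```ballerina
import ballerina/crypto;
import ballerina/io;

// Placeholder keystore locations and credentials (assumptions, not from the post).
// Keep real passwords out of source code.
final crypto:KeyStore rsaStore = {path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword"};
final crypto:KeyStore mlkemStore = {path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword"};
const KEY_ALIAS = "keyAlias";

// Sender (S): needs only the receiver's two public keys.
function sealPayload(byte[] payload) returns crypto:HybridEncryptionResult|error {
    crypto:PublicKey rsaPub = check crypto:decodeRsaPublicKeyFromTrustStore(rsaStore, KEY_ALIAS);
    crypto:PublicKey mlkemPub = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemStore, KEY_ALIAS);
    // The result carries cipherText and encapsulatedSecret; both are sent to R.
    return crypto:encryptRsaKemMlKem768Hpke(payload, rsaPub, mlkemPub);
}

// Receiver (R): needs both private keys plus the two values S transmitted.
function openPayload(byte[] cipherText, byte[] encapsulatedSecret) returns byte[]|error {
    crypto:PrivateKey rsaPriv =
        check crypto:decodeRsaPrivateKeyFromKeyStore(rsaStore, KEY_ALIAS, "keyStorePassword");
    crypto:PrivateKey mlkemPriv =
        check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemStore, KEY_ALIAS, "keyStorePassword");
    return crypto:decryptRsaKemMlKem768Hpke(cipherText, encapsulatedSecret, rsaPriv, mlkemPriv);
}

public function main() returns error? {
    byte[] payload = "constructed sample payload".toBytes();

    // Encrypt the same payload twice: each call performs a fresh encapsulation.
    crypto:HybridEncryptionResult first = check sealPayload(payload);
    crypto:HybridEncryptionResult second = check sealPayload(payload);

    byte[] recovered = check openPayload(first.cipherText, first.encapsulatedSecret);
    io:println("round trip ok: ", recovered == payload);
    io:println("fresh encapsulation per message: ",
            first.encapsulatedSecret != second.encapsulatedSecret);
}
```

In a real deployment the two functions run on different hosts, and the sender's trust store holds only the receiver's public certificates.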
By supporting post-quantum algorithms, Ballerina allows developers to protect data against post-quantum threats. The integration of hybrid encryption schemes enables robust security by combining classical and post-quantum algorithms, offering resilience against both classical and post-quantum attacks. This balanced approach allows organizations to transition towards quantum-resistant cryptography gradually, ensuring their data security strategy is future-proof as post-quantum standards continue to evolve.