
Post-Quantum Cryptography Practice In KMS
Last updated: 2025-03-03 15:41:23

Overview

With the rapid development of quantum computers, traditional public key cryptography faces a severe challenge: the schemes in use today, based on integer factorization (RSA), the discrete logarithm problem (DH), and elliptic curves (ECC), can all be broken by a sufficiently large quantum computer running Shor's algorithm. Post-quantum cryptography (PQC) is designed to resist such attacks, and Key Management Service (KMS) supports the following two PQC algorithms:
A Kyber-based PQC encryption and decryption algorithm to protect data confidentiality.
A Dilithium-based PQC signature and verification algorithm to ensure data integrity.

Data Encryption Algorithm

The Kyber algorithm is based on the Module Learning With Errors (MLWE) problem and provides a basic IND-CPA secure public key encryption scheme (PKE). An IND-CCA2 secure key encapsulation mechanism (KEM) is obtained from it through the Fujisaki-Okamoto (FO) transform. KMS combines Kyber-KEM with AES-256 as the data encapsulation mechanism (KEM-DEM), giving users an efficient encryption scheme that is IND-CCA2 secure as a whole.
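As an added illustration of the KEM-DEM composition described above (example code, not Tencent Cloud's or KMS's own), the following Go program pairs the standardized form of Kyber, ML-KEM-768 from Go 1.24's crypto/mlkem package, with AES-256-GCM. The HMAC-based key derivation, the label string and the envelope layout are assumptions of this example, not the KMS wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ KEMCt, Nonce, Ct []byte } // KEM ciphertext, GCM nonce, AES-GCM output

// demFor: AES-256-GCM DEM keyed by HMAC(shared secret, label || KEM ciphertext) (assumed KDF).
func demFor(shared, kemCt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("demo-kem-dem/aes-256-gcm"))
	mac.Write(kemCt)
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte HMAC output is a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)           // cannot fail for an AES block cipher
	return gcm
}

// Encrypt: KEM step (Encapsulate), then DEM step with the KEM ciphertext bound in as GCM AAD.
func Encrypt(ek *mlkem.EncapsulationKey768, plaintext []byte) (*Envelope, error) {
	shared, kemCt := ek.Encapsulate()
	gcm := demFor(shared, kemCt)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{kemCt, nonce, gcm.Seal(nil, nonce, plaintext, kemCt)}, nil
}

// Decrypt: a tampered KEM ciphertext decapsulates to an unrelated secret (IND-CCA2), so GCM rejects.
func Decrypt(dk *mlkem.DecapsulationKey768, e *Envelope) ([]byte, error) {
	shared, err := dk.Decapsulate(e.KEMCt)
	if err != nil {
		return nil, err
	}
	return demFor(shared, e.KEMCt).Open(nil, e.Nonce, e.Ct, e.KEMCt)
}

func main() {
	dk, _ := mlkem.GenerateKey768()
	env, _ := Encrypt(dk.EncapsulationKey(), []byte("constructed sample payload"))
	fmt.Println(Decrypt(dk, env))
}
```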

Operation Steps

1. Log in to the KMS (Compliance Edition) console.
2. Following the document Creating a Key, select asymmetric encryption/decryption as the key purpose and Kyber_AES as the encryption algorithm.
3. Following the documents Post-Quantum Cryptography Encryption and Post-Quantum Cryptography Decryption, call the relevant APIs through the Tencent Cloud SDK to encrypt and decrypt data.

Data Signature Algorithm

The security of the Dilithium algorithm rests on the hardness of finding the shortest vector in a lattice, an NP-hard problem. The design keeps the public key and signature compact, and the NIST Level 3 parameter set provides high security strength. Dilithium supports both deterministic (DET) and randomized signing, so it fits a range of usage scenarios. Signing and signature verification are invoked through the KMS SDK.

Operation Steps

1. Log in to the KMS (Compliance Edition) console.
2. Following the document Creating a Key, select asymmetric signature verification as the key purpose and Dilithium as the algorithm.
3. Following the documents Post-Quantum Cryptography Signature and Post-Quantum Cryptography Signature Verification, call the relevant APIs through the Tencent Cloud SDK to sign data and verify signatures.