docs/adr/ADR-108-kyber-post-quantum-key-exchange.md
Status: Proposed · Date: 2026-05-22 · Author: SOTA research loop tick-28 · Supersedes: none · Extends: ADR-107 (cross-installation federation)
ADR-107 specifies cross-installation federation using secure aggregation (Bonawitz et al. 2016) with a Diffie-Hellman key exchange for pairwise mask generation. The current implementation would use classical DH (X25519 or P-256), whose security rests on the discrete-logarithm problem; Shor's algorithm solves that problem in polynomial time on a sufficiently large fault-tolerant quantum computer, so every pairwise mask could be recovered from recorded traffic.
ADR-107 noted this as out-of-scope:
> Current DH key exchange becomes vulnerable to quantum computers. Recommended substitution: Kyber KEM (NIST PQC selected). Mechanical replacement of DH primitives; no protocol change. Future ADR-108 (or amendment to ADR-107).
This ADR is that future work.
Adopt Kyber-768 (the ML-KEM-768 parameter set of FIPS 203) as the post-quantum key encapsulation mechanism (KEM) replacing Diffie-Hellman in ADR-107's Layer 4 secure aggregation, with an explicit migration timeline aligned to the NSA CNSA 2.0 transition dates and an interim hybrid mode (Kyber-768 + X25519) so that a cryptanalytic break or implementation flaw in either primitive during the migration window does not expose the pairwise masks.
NIST standardised the three Kyber parameter sets in FIPS 203 (August 2024) under the name ML-KEM. This ADR keeps the Kyber name; the implementation target is the FIPS 203 version, because round-3 Kyber and ML-KEM derive different shared secrets and do not interoperate on the wire.
| Variant (FIPS 203 name) | NIST level | Public key | Ciphertext | Shared secret | Classical equivalent |
|---|---|---|---|---|---|
| Kyber-512 (ML-KEM-512) | Level 1 | 800 B | 768 B | 32 B | ~AES-128 |
| Kyber-768 (ML-KEM-768) | Level 3 | 1184 B | 1088 B | 32 B | ~AES-192 |
| Kyber-1024 (ML-KEM-1024) | Level 5 | 1568 B | 1568 B | 32 B | ~AES-256 |
Kyber-768 sits at Level 3 (AES-192 equivalent) and is the parameter set inside the X25519MLKEM768 hybrid that Cloudflare, Google Chrome and AWS deployed in TLS during their 2024-2026 PQC rollouts; it is the de facto general-purpose default. Note that CNSA 2.0 itself specifies ML-KEM-1024 for National Security Systems, so the choice of 768 here is a bandwidth decision for RuView's constrained nodes, not a CNSA 2.0 mandate; moving to 1024 later would be a parameter change, not a protocol change.
Kyber-512 (Level 1) is sufficient against classical attackers and near-term quantum computers but has the thinnest security margin against improving lattice cost estimates and is not listed in CNSA 2.0. Kyber-1024 adds roughly a third to key and ciphertext size (1568 B against 1184 B / 1088 B) for Level 5 security that our threat model does not require.
During the migration (2026-2030 estimated), every key exchange runs both Kyber-768 and X25519 and derives the session secret by hashing the concatenation of the two shared secrets together with the handshake transcript (concatenate-then-hash as in the IETF hybrid KEM designs, not an XOR of the two secrets):

`shared_secret = SHA-256(kyber_ss || x25519_ss || transcript)`

Both KEM outputs are fixed 32-byte values, so the concatenation is unambiguous; the transcript must contain the offered and chosen suites so that the downgrade row of the threat table below holds.

This belt-and-braces approach protects against:

- a cryptanalytic break of Kyber, classical or quantum: X25519 still provides classical security;
- an implementation bug in the Kyber library: X25519 is the backup;
- an implementation bug in the X25519 library: Kyber is the backup.

Cost: two key exchanges per pairing instead of one. The public key grows from 32 B to 1216 B (1184 + 32) and the response from 32 B to 1120 B (1088 + 32); for RuView's per-round overhead this adds roughly 2-3 kB per peer per round, which is negligible.

After the CNSA 2.0 transition dates (exclusive use of quantum-resistant algorithms between 2030 and 2033 depending on equipment class), the hybrid layer is removed and pure Kyber-768 is used.
| Phase | Timeline | What ships |
|---|---|---|
| Phase 0 (NOW) | 2026 | ADR-107 ships with classical X25519 |
| Phase 1 | 2026-Q4 → 2027 | Library upgrade adds Kyber-768; opt-in via --enable-pqc flag |
| Phase 2 | 2027-Q2 → 2028 | Hybrid mode (X25519 + Kyber-768) becomes default |
| Phase 3 | 2030+ | Pure Kyber-768 (classical removed) |
Phase 1 is the first feature ship. The opt-in flag exists so that real-installation PQC handshakes can be exercised for a full release cycle before hybrid becomes the default. Classical attacks stay in scope throughout the migration, which is why hybrid rather than pure Kyber is the Phase 2 default; only after the Phase 3 cutover is the post-quantum threat model the one that drives the design.
| Component | LOC | Notes |
|---|---|---|
| Kyber-768 KEM wrapper (over pqcrypto-kyber crate) | 80 | Safe-Rust API; internally an FFI binding to PQClean's C implementation, so not pure Rust. Target the FIPS 203 build (pqcrypto-mlkem) rather than round-3 Kyber |
| Hybrid mode (concatenate + SHA-256 KDF) | 50 | Composes existing primitives |
| Protocol version negotiation | 60 | Backward compat with Phase 0 nodes |
| Public-key cache extension (size grows from 32 B to 1184 B per peer) | 30 | AgentDB schema update |
| Migration documentation | — | This ADR |
| End-to-end test (multi-node PQC handshake) | — | Real-installation test |
Total ~220 LOC additional. Combined federation budget across ADR-105+106+107+108: ~1,550 LOC.
Alternative: pure Kyber-768 from Phase 1 (no hybrid). Status: rejected for Phase 1-2. Hybrid provides defence-in-depth at minimal cost; pure Kyber is acceptable in Phase 3 once Kyber has had more deployment and cryptanalytic scrutiny.
Alternative: NTRU Prime. Status: rejected. Kyber has the clearer standardisation status (FIPS 203). NTRU Prime is fine cryptographically but is not listed in CNSA 2.0.
Alternative: FrodoKEM. Status: rejected. Frodo has much larger public keys (~10 kB at Level 1) and slower operations; the extra conservatism of its unstructured-lattice design does not justify the cost for our threat model.
Alternative: Classic McEliece. Status: rejected. Public keys are ~261 kB at the smallest parameter set, unworkable for embedded ESP32-S3 nodes.
Alternative: stay on classical X25519 (do nothing). Status: rejected. Adversaries can record now and decrypt later: federated model updates exchanged today could be decrypted in 5-10 years on some estimates of when cryptographically relevant quantum computers arrive, and ADR-107's privacy guarantees would silently expire without a proactive migration.
| Threat | Layer that mitigates |
|---|---|
| Shor's algorithm breaks classical DH | Kyber-768 KEM |
| Cryptanalytic break of Kyber, classical or quantum (unlikely) | Hybrid mode: X25519 still provides classical security |
| Implementation bug in Kyber library | Hybrid mode — X25519 backup |
| Implementation bug in X25519 library | Hybrid mode — Kyber backup |
| Record-now-decrypt-later (adversary stores ciphertexts) | Kyber-768 is the actual mitigation: a future quantum adversary cannot recover the masks from recorded traffic. Fresh per-round ephemeral keys additionally confine any single-key compromise to one round; forward secrecy on its own does not help against a later break of the primitive |
| Downgrade attack (force classical-only handshake) | Protocol version negotiation: classical-only offers are rejected outright from Phase 2 on. In Phase 1, where X25519 must still be accepted for Phase 0 peers, the offered and chosen suites are bound into the KDF transcript, so a stripped offer yields mismatched keys instead of a silent downgrade |
| Side-channel attack on Kyber implementation | pqcrypto-kyber wraps PQClean code written to be constant-time; that property has to be re-checked on the ESP32-S3 toolchain before Phase 1, since compilers can undo it. Further hardening in future |
| Public-key spoofing (Sybil) | Pre-shared trust anchors via cognitum-v0 PKI (ADR-107) |
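Version negotiation and the downgrade row, as an added example that is not RuView's code; the `Suite` codes, the phase policy function and the `ADR-108/v1` transcript label are assumptions made for this example. It encodes the phase table above, rejects a classical-only offer from Phase 2 on, and shows why Phase 1, which must still accept X25519 for Phase 0 peers, needs the transcript binding from the hybrid KDF: a stripped offer produces different transcript bytes on the two ends, so the derived keys disagree and the handshake fails instead of silently downgrading.

```rust
// Added example for ADR-108 suite negotiation (not RuView code). Suite codes, phase
// policy and the transcript label are assumptions made for this example.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[repr(u8)]
pub enum Suite {
    X25519 = 1,         // Phase 0 classical
    X25519Kyber768 = 2, // Phase 1-2 hybrid
    Kyber768 = 3,       // Phase 3 pure post-quantum
}

#[derive(Debug, PartialEq, Eq)]
pub enum NegotiationError {
    /// Peer offered only X25519 and our phase no longer permits classical-only.
    ClassicalOnlyRejected,
    NoCommonSuite,
}

/// Suites a node in `phase` will accept, most preferred first (mirrors the phase table).
pub fn acceptable_suites(phase: u8, enable_pqc: bool) -> Vec<Suite> {
    match phase {
        0 => vec![Suite::X25519],
        1 if enable_pqc => vec![Suite::X25519Kyber768, Suite::X25519],
        1 => vec![Suite::X25519],
        2 => vec![Suite::X25519Kyber768],
        _ => vec![Suite::Kyber768],
    }
}

/// Responder side: first locally preferred suite that the peer also offered.
/// A classical-only offer is reported as such so the caller can log it as a
/// suspected downgrade rather than a generic mismatch.
pub fn negotiate(local: &[Suite], peer_offered: &[Suite]) -> Result<Suite, NegotiationError> {
    if let Some(s) = local.iter().copied().find(|s| peer_offered.contains(s)) {
        return Ok(s);
    }
    let classical_only =
        !peer_offered.is_empty() && peer_offered.iter().all(|&s| s == Suite::X25519);
    if classical_only && !local.contains(&Suite::X25519) {
        Err(NegotiationError::ClassicalOnlyRejected)
    } else {
        Err(NegotiationError::NoCommonSuite)
    }
}

/// Transcript bytes fed to the hybrid KDF: domain label, length-prefixed offered list,
/// chosen suite. Each side serialises the offer as it saw it, so tampering in flight
/// shows up as a key mismatch.
pub fn transcript(offered: &[Suite], chosen: Suite) -> Vec<u8> {
    let mut t = Vec::new();
    t.extend_from_slice(b"ADR-108/v1");
    t.push(offered.len() as u8);
    t.extend(offered.iter().map(|&s| s as u8));
    t.push(chosen as u8);
    t
}

/// Downgrade scenario in Phase 1: the initiator offers [hybrid, X25519] and an on-path
/// attacker strips the hybrid entry. Negotiation alone accepts X25519 here; the
/// transcripts the two ends hash do not match, so the derived keys differ.
pub fn phase1_stripped_offer_detected() -> bool {
    let sent = [Suite::X25519Kyber768, Suite::X25519];
    let received = [Suite::X25519];
    let chosen = negotiate(&acceptable_suites(1, true), &received)
        .expect("phase 1 still accepts X25519");
    // Initiator derives with what it sent; responder with what it received.
    transcript(&sent, chosen) != transcript(&received, chosen)
}

fn main() {
    for phase in 0..=3u8 {
        let local = acceptable_suites(phase, true);
        println!("phase {}: classical-only offer -> {:?}", phase, negotiate(&local, &[Suite::X25519]));
    }
    println!("phase 1 stripped offer caught by transcript: {}", phase1_stripped_offer_detected());
}
```

The two mechanisms cover different windows: the explicit reject in `negotiate` only works once a node's own policy excludes X25519 (Phase 2 onward), while the transcript binding protects the Phase 1 window in which classical must still be accepted for interoperability.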
- pqcrypto-kyber Rust crate's existing claims.
- `ruview_fed_pqc_status` surfaces hybrid-vs-pure mode and migration phase.
- pqcrypto-kyber crate stability and adoption maturity. Plausible alternatives include liboqs C bindings or boring-pq (Cloudflare's pre-standardisation work, now superseded).

This is the last ADR in the privacy + federation chain the research loop has produced:
The chain has formal guarantees at every layer and quantum resistance built in by 2028 (hybrid default from Phase 2). No remaining unspecified privacy gap within the threat model of ADR-105 through ADR-108.
| Phase | What ships | LOC |
|---|---|---|
| Phase 1 (2026-Q4) | Kyber-768 wrapper + --enable-pqc opt-in | ~140 |
| Phase 2 (2027-Q2) | Hybrid mode default | ~80 |
| Phase 3 (2030+) | Pure Kyber-768 (remove classical) | -50 (removal) |
Phase 1 is the first ship.
- cog-store distribution (sign-and-verify chain).
- pqcrypto-kyber Rust crate stability and ESP32-S3 benchmarking before Phase 1.
- pqcrypto-kyber crate maturity; alternatives exist if it stagnates.