PQCypher in action, share files over internet safe against quantum computers (and current ones)

1. Roles: who does what?

Kyber / ML-KEM-1024 → key encapsulation mechanism (KEM)
Used to establish a shared symmetric key between sender and receiver over an insecure channel. Its security is based on the Module Learning With Errors (MLWE) lattice problem and is believed secure even against quantum computers.
Dilithium / ML-DSA → digital signature scheme
Used to sign metadata and/or ciphertext, giving authentication + integrity + non-repudiation. Its security is based on MLWE and Module-SIS (short-integer-solution) problems in lattices.
PQCypher then uses the Kyber-derived shared key with a symmetric cipher (typically AES-GCM-256) to actually encrypt the data.

So, roughly:

Kyber = “we agree on a secret key safely”
Dilithium = “I prove this ciphertext really came from me and was not modified”
AES-GCM = “we lock the bytes with that key”

2. Inside Kyber / ML-KEM-1024 (how the key is shared)

Goal: sender and receiver end up with the same 256-bit secret key, even if an attacker is eavesdropping and has a quantum computer.

Key generation (done once per identity)

Receiver (say Bob) samples small random lattice vectors and noise and builds a public matrix A over a ring modulo $q$ .
He computes
$\cdot s + e \pmod q$
where $s$ and $e$ are small secret vectors.
Public key: $(A, t)$ .
Secret key: $s$ plus some extra hashes and seeds (per the ML-KEM spec).

The hardness of going from $(A, t)$ back to $s$ is exactly the Module-LWE problem, for which no efficient classical or quantum attacks are known.

Encapsulation in PQCypher (sender side)

When PQCypher (on Alice’s machine) wants to send something to Bob:

It takes Bob’s Kyber public key.
It samples a random 32-byte value $m$ , hashes it, and uses it to create:
- a ciphertext $c$ (a structured lattice vector pair), and
- a shared secret $K$ (typically 32 bytes), via a KDF over $m$ , the public key hash and $c$ .
PQCypher then derives from $K$ a symmetric key $KencK_{\text{enc}}$ (and optionally $KmacK_{\text{mac}}$ ) to feed AES-GCM-256.

Alice sends to Bob:

the KEM ciphertext $c$
the encrypted data (AES-GCM ciphertext + tag)
and later we’ll add the Dilithium signature.

Decapsulation in PQCypher (receiver side)

When Bob receives the bundle:

PQCypher uses Bob’s Kyber secret key $s$ and the ciphertext $c$ to recover $m'$ and recompute $K'$ .
If the ciphertext is malformed or tampered, the Fujisaki–Okamoto transform and “implicit rejection” inside ML-KEM make decapsulation output a random key, which means AES-GCM decryption will fail.
If AES-GCM tag verifies, Bob knows:
- he got the same $K$ as Alice, and
- the ciphertext was not modified in transit.

Security level:
ML-KEM-1024 is NIST’s highest Kyber level and targets ~AES-256-equivalent security, even against quantum adversaries.

3. Inside Dilithium / ML-DSA (how the message is authenticated)

Goal: prove who created the ciphertext and that it wasn’t altered, in a way that’s quantum-resistant.

Key generation

The signer (say, Alice) samples secret short vectors $s_1, s_2$ and builds a public matrix $A$ .
She computes:
$\cdot s_1 + s_2$
Public key: a compressed version of $t$ (and params).
Secret key: $s_1, s_2$ plus some hashes.

Security reduces to finding short vectors in certain lattices (Module-SIS / MLWE), which is believed hard for quantum computers as well.

Signing in PQCypher

When PQCypher signs:

It hashes the message to be bound – typically:
- hash of the plaintext or
- hash of (KEM ciphertext $c$ || AES-GCM ciphertext || metadata).
Using the Dilithium secret key, it runs a Fiat–Shamir with aborts protocol:
- samples a random vector $y$
- computes a commitment $\cdot y$
- gets a challenge from a hash of $w$ and the message
- builds a response vector $z$ and a hint $h$ that prove consistency while keeping secrets short.
Signature = $(z, h)$ plus the challenge hash.

Verification in PQCypher

Bob (or anyone) who has Alice’s Dilithium public key:

Recomputes the commitment from $z$ and $h$ .
Hashes it together with the received message hash.
Checks if the result matches the challenge in the signature and that norms are within bounds.

If it verifies, he knows:

the signature was produced with Alice’s secret key,
the signed data (including the KEM ciphertext and AES-GCM ciphertext) wasn’t altered.

Dilithium/ML-DSA is designed to be EUF-CMA secure (existentially unforgeable under chosen-message attack) in the classical and quantum random-oracle models.

4. Putting it together: PQCypher secure-exchange flow

A typical PQCypher + Kyber-1024 + Dilithium flow looks like this:

Setup
- Each party generates:
  - a Kyber-1024 keypair (for key exchange)
  - a Dilithium keypair (for signatures)
- Public keys are exchanged out-of-band or via a trust anchor (can even have the Kyber public key signed with Dilithium to bind them).
Sending encrypted data
- Sender uses receiver’s Kyber public key to encapsulate → shared secret $K$ .
- PQCypher derives AES-GCM-256 key(s) from $K$ .
- Plaintext file/data is compressed (LZMA etc., if you enabled that) and encrypted with AES-GCM.
- PQCypher then signs a hash of:
  - KEM ciphertext $c$ ,
  - AES-GCM ciphertext,
  - optional metadata (filenames, versions, etc.)
    using the sender’s Dilithium secret key.
- Output package ≈ [header + Kyber c + AES-GCM ciphertext + GCM tag + Dilithium signature].
Receiving
- Receiver uses Kyber secret key to decapsulate $c$ and recover $K$ .
- Derives the same AES-GCM key and decrypts; if GCM tag fails → reject.
- Verifies the Dilithium signature with the sender’s public key; if invalid → reject.
- Only if both checks pass, PQCypher delivers the plaintext.

5. Security properties you actually get

Post-quantum confidentiality:
Breaking the session key means solving MLWE at Kyber-1024 parameters (~AES-256 equivalent) + defeating AES-256, which is infeasible even with large quantum computers (Grover only gives a square-root speed-up, so you still face ~2¹²⁸ work).
Authentication & integrity:
Dilithium/ML-DSA ensures that only someone holding the Dilithium secret key can produce a valid signature, even under massive chosen-message attacks and with a quantum adversary.
Resistance to active attacks (IND-CCA2):
Kyber/ML-KEM’s FO transform and implicit rejection prevent an attacker from learning anything useful by sending malformed ciphertexts and observing decapsulation behavior.
Record-now-decrypt-later protection:
An adversary recording PQCypher traffic today cannot decrypt it later, even if they build a large-scale quantum computer, because both the key exchange and signatures are post-quantum.