Ultra-Secure File Embedding with Kyber1024 + AES-256-GCM
This guide explains how to embed, protect, and extract hidden encrypted payloads using PQEmbeddFileInto, a tool that blends post-quantum cryptography with steganography.
It sets out exactly what the sender and the receiver each need to do, and the workflow between them.
🚀 1. Overview
PQEmbeddFileInto securely hides an encrypted file inside an image or document (PNG, BMP, TIFF, PDF).
Security stack:
- Kyber1024 KEM → key encapsulation / shared secret
- AES-256-GCM → payload encryption
- CRC32-validated PNG chunks OR append-mode metadata stego
No passwords. No human error. Everything cryptographically enforced.
🔐 2. Key Files
The system uses a public/private keypair:
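- Public Key (pubkey) → can be shared
- Private Key (privkey) → keep secret, used only for extraction
The sender encapsulates against the public key and the recipient decapsulates with the private key; both sides arrive at the same Kyber shared secret, from which the 256-bit symmetric AES key is derived.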
🧩 3. Command Summary
📨 4. Sender Workflow (Embedding)
The sender hides an encrypted file inside an image/document.
Step 1 — Generate a Keypair (Only Once)
What this does:
- Creates a Kyber1024 public/private keypair
- server.pub → share with receiver
- server.prv → KEEP SECRET (recipient only)
Step 2 — Choose What to Hide
Example: secret.pdf, contract.zip, wallet.json, keys.txt, etc.
This file will be encrypted AND embedded.
Step 3 — Choose the Carrier File
Supported carriers:
- PNG (with custom pqKy chunk)
- BMP
- TIFF / TIF
- PDF
(others may work via append-mode if binary-safe)
Example carrier: photo.png, report.pdf, scan.tiff
Step 4 — Embed (Encrypt + Stego)
🧠 Internally, this performs:
- Kyber1024 encapsulation → a shared secret
- SHA-256 → AES-256 key derivation
- AES-256-GCM encryption
- For PNG → payload inserted as a custom chunk (pqKy)
- For other formats → payload appended with a trailer marker (PQEMBEDv1)
If successful:
→ stego.png contains the invisible encrypted payload.
Send this file normally — email, messenger, cloud, whatever.
📥 5. Recipient Workflow (Extraction)
The recipient must have the private key corresponding to the public key used by the sender.
Step 1 — Receive the Stego File
Example: stego.png
This file contains the hidden encrypted payload.
Step 2 — Extract and Decrypt
Under the hood:
- Locate the stego trailer or PNG custom chunk
- Parse envelope
- Kyber1024 decapsulation → derive AES-256-GCM key
- Decrypt and validate GCM tag
- Write decrypted file
When finished:
→ recovered.pdf is the original file.
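The first extraction step above (locating the PNG custom chunk or the trailer marker), sketched in Python as an added example; it is not PQEmbeddFileInto's own code. The envelope layout is not given in this guide, so the function only reports where the container sits; the function names and sample bytes are constructed for illustration, and searching the whole file for the marker is an assumption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHUNK_TYPE = b"pqKy"    # chunk name from this guide (lowercase 1st letter = ancillary)
TRAILER = b"PQEMBEDv1"  # append-mode marker from this guide


def make_chunk(ctype, payload):
    """Build one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_chunks(data):
    """Yield (offset, type, payload, crc_ok) per chunk; stop at IEND or damage."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            return  # truncated chunk: stop instead of reading past the buffer
        payload = data[pos + 8:end]
        (stored,) = struct.unpack(">I", data[end:end + 4])
        yield pos, ctype, payload, zlib.crc32(ctype + payload) == stored
        if ctype == b"IEND":
            return
        pos = end + 4


def locate_payload(data):
    """Return a dict describing where the container sits, or None."""
    if data.startswith(PNG_SIG):
        for offset, ctype, payload, crc_ok in png_chunks(data):
            if ctype == CHUNK_TYPE:
                if not crc_ok:
                    raise ValueError("pqKy chunk fails its CRC32 check")
                return {"method": "png-chunk", "offset": offset, "size": len(payload)}
    idx = data.rfind(TRAILER)  # assumption: marker may be searched for anywhere
    if idx != -1:
        return {"method": "append", "marker_offset": idx}
    return None


# Constructed samples: a skeleton PNG (no image data) and a fake BMP-like blob.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
SAMPLE_PNG = PNG_SIG + IHDR + make_chunk(CHUNK_TYPE, b"\x00" * 32) + make_chunk(b"IEND", b"")
SAMPLE_BMP = b"BM" + b"\x00" * 52 + b"<opaque envelope>" + TRAILER
```

The same check lets a mail or upload gateway flag carriers that hold such a container.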
🛡️ 6. Security Properties
✔ Post-quantum security (Kyber1024)
The Kyber1024 key encapsulation is designed to resist attack by quantum computers.
✔ AEAD Authentication (AES-256-GCM)
Protects confidentiality + verifies integrity.
✔ Zero configuration
No passwords, no key derivation errors.
✔ Steganographic cover
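The payload does not show when the carrier is opened or rendered, and it survives most binary-safe transfers. The pqKy chunk name and the PQEMBEDv1 marker are fixed strings, so a tool that inspects file structure can still find the container.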
🧭 7. Best Practices for Clients
🔐 Recipient must protect the private key:
- Store it offline if possible
- Do not send by email
- Do not place in public cloud folders
🔑 Sender must always use the recipient’s public key.
Private key is NEVER needed for embedding.
♻ Rotate keys if required by policy.
📁 Keep carrier files realistic
Use natural-looking, non-repetitive images/documents to avoid suspicion.
📝 8. Quick Example Summary
Sender
Send:
- stego.png
Recipient
🎯 9. Final Notes for Customers
- The embedded payload is encrypted before being hidden.
- Even if extracted by an attacker, it cannot be decrypted without the private key.
- The stego output preserves full carrier integrity and visual fidelity.
- The tool does not modify EXIF or metadata beyond the minimal required change.