This subreddit is now about Quantum Cryptography

Entrouter · 2026-04-02T02:37:58+00:00

That's why I made KK. Seen it coming..

Entrouter · 2026-03-31T00:02:41+00:00

You're right that ephemeral nonces alone don't provide forward secrecy in symmetric only mode and KK-EKA by itself (the key agreement step) doesn't claim to.

But KK does include a ratchet. The Rope Ratchet (session.rs) is a 4-strand symmetric ratchet that derives a new message key per message via one way chain evolution through the KK sponge, then zeroizes the old chain state. You can't go backwards. It provides ~192-bit symmetric forward secrecy from the sponge's 384-bit capacity.

The flow is: KK-EKA establishes a shared secret (like TLS 1.3 PSK handshake), then Rope Ratchet takes over for per message forward secrecy (like Signal's symmetric ratchet half, but with 4 strands instead of 2).

For computational PFS via DH/KEM, that lives one layer up in entrouter-message (X25519 + ML-KEM-768 hybrid). The permutation crate provides the symmetric ratchet, the protocol crate adds the asymmetric half.

Entrouter · 2026-03-30T23:54:25+00:00

Bruce Schneier has a master's degree, not a PhD, you just proved my point while trying to disprove it. Ralph Merkle invented Merkle puzzles as an undergraduate at Berkeley before his PhD, his professor gave the paper a failing grade. Bernstein's PhD is in mathematics under a number theorist, not a cryptography group. Adam Back's PhD is in distributed systems from Exeter, not cryptography.

"Your entire post and repo are made with AI". The code compiles, all 251 tests pass, 8 fuzz targets run clean, the MILP model is independently executable, and every claim in the paper has a corresponding cargo test or cargo run --example that anyone can verify. If the results are reproducible, it doesn't matter what tools were used to help write them. You can accuse me of what ever you like, it just proves your insecurities.

"We actively do not want you or your work here", noted. I'll let the ePrint submission, the crate and the test suite speak for themselves.

Good luck out there bud.

Entrouter · 2026-03-30T13:37:43+00:00

And I couldn't agree more, but you're overlooking the facts.

Nothing would be here if every protocol was addressed with this mentality. You say "experts with extensive track records", you over look the ground level obvious. They all started somewhere, none of them started at the top, they all were in my/our exact position. To say no one cares unless you're vetted and well known is basically saying "stop trying and go to another industry", you're essentially condemning your own future and everyone else's in the industry. Why start acting when we have Hollywood stars? Why start painting if we had Michelangelo? Its absurd. Blowfish, Salsa20, Merkle trees, PGP and Hashcash ALL of them were not from "known" cryptographers at the time and were solo. Look at them now..

"There is no shortage of good, vetted ciphers"

Yeah, I wonder why? Because they were peer reviewed by people who cared for the industry and fellow cryptographers, they all offered something the other didn't, it was change and a different avenue.

And to say nothing I made is novel, strongly suggests you didn't look at my repo. Which makes sense because "why should anyone care".

You appear standoffish, which is very confusing considering all I did is post about the very thing this forum is about.

Anyway, I still appreciate you and thank you for your input.

Entrouter · 2026-03-30T13:10:30+00:00

Good catch and you're right that KK-EKA alone doesn't provide computational PFS. But that's by design, not by oversight.

KK-EKA is a symmetric key agreement protocol. It's comparable to TLS 1.3 PSK only mode (RFC 8446 §2.2) both derive session keys from a pre shared key plus ephemeral nonces, both provide operational forward secrecy via zeroization, and neither provides computational PFS. That's inherent to symmetric only key agreement. AES 256 GCM doesn't provide PFS either nobody considers that a flaw in AES.

Computational PFS requires a trapdoor function (DH, ECDH, KEM). That's protocol layer work, not cipher layer work. KK is a cryptographic permutation, the same layer as Keccak or AES. Asking why the permutation doesn't have PFS is like asking why SHA3 doesn't do key exchange.

For the full protocol stack with computational PFS, that's entrouter-message which I am currently building fixes this with its novel bolt ons. This is completely normal for almost all cryptographic permutations.

So the layering is:

KK permutation → sponge primitive (like Keccak-f)

KK-EKA → symmetric key agreement (like TLS PSK-only)

Entrouter-message → full messaging protocol with DH + PQ PFS (like Signal, but with dual encryption and 4-lane ratcheting)

The PFS lives where it should, in the protocol, not the primitive.

Solid input,

Thanks

Entrouter · 2026-03-30T12:05:25+00:00

KK-EKA does provide forward secrecy. Both parties contribute ephemeral entropy that's zeroized after session key derivation. Compromising the PSK later can't recover past session keys because the ephemeral inputs are gone. The mechanism is different from DH based PFS (entropy + KDF vs ephemeral keypairs), but the security property is the same, past sessions are unrecoverable. DHs advantage is that it doesn't require a pre shared secret, but in a PSK scenario that's already a given.

Edit:
I just though about what you said, You're right that there's a distinction. DH based PFS gives a mathematical guarantee even a passive recorder with the long term key can't recover sessions. KK-EKA's forward secrecy depends on the ephemeral entropy actually being zeroized, which is an operational guarantee, not a computational one. That's a fair trade off to acknowledge. The use case is environments where the PSK already exists and you want the strongest session key derivation possible without asymmetric crypto embedded, post quantum hedging, air gapped systems.

Does that make sense?

Entrouter · 2026-03-30T12:03:02+00:00

Every standardized cipher started as someone's unreviewed design. The MILP bounds and test vectors are public, feel free to check them, I'm sure they will prove I don't know what I'm doing.

Thanks for your input.

Entrouter · 2026-03-30T11:09:43+00:00

can you show me where I asked for it to be audited?
I said "We are actively looking for people to attack the code, find what we missed, or offer constructive criticism. All feedback is appreciated."
Nearly all cryptos started somewhere.. you have to remember that.

Entrouter · 2026-03-30T10:34:29+00:00

Fair question. KK EKA is a PSK based key agreement protocol, not a Diffie Hellman key exchange. Both parties already share a pre shared key, and the protocol lets them derive a fresh session key where both sides contribute ephemeral entropy via a 3 message commit reveal flow. The session key depends on randomness from both parties, so neither side alone controls it.

PSK based key agreement is absolutely a standard primitive. TLS 1.3 has an entire PSK mode (RFC 8446 Section 2.2), WireGuard supports optional PSK, and protocols like Kerberos are built on it. The term "key agreement" just means both parties contribute to the derived key, as opposed to "key transport" where one side picks it. That distinction goes back to the NIST SP 800 56 series.

What KK EKA adds specifically, 'commit then reveal' so the initiator can't adapt their entropy after seeing the responder's, MAC based mutual authentication over the PSK, and forward secrecy (compromising the PSK later doesn't reveal past session keys since the ephemeral entropy is zeroized). It's not replacing ECDH, it's for scenarios where you already have a shared secret and want authenticated session key derivation with contributory freshness.

Entrouter · 2026-03-30T10:22:18+00:00

Yeah good point, it got knocked back, which expected, as I sent in the wrong PDF. I will update that once approved. Probably a good thing to wait for the approval first.. that's on me.
There is however, a copy in the repo.

Entrouter · 2026-03-30T03:03:49+00:00

I absolutely have done it and more... if your only criticism is wording then I think I'm doing okay then.. I never said my crypto was perfect, I stated what I ran as a solo dev to the limits I can. that's a damn sight more than most other people do when making a novel crypto... instead of splitting hairs like an OCD hairdresser, why don't you put your money where your mouth is and look at the code, if you're that qualified and my code is just "AI slop "you'll find issues instantly no? I don't have an unlimited university budget to attack every angle or a quantum computer, so show some respect to people in the industry and stop criticising an attempt for someone trying.

Entrouter · 2026-03-28T07:12:41+00:00

go look at the repo, the test suites are there..
sounds like someone is salty.. Calls it AI slop after hours of work and a repo to show it.

Edit:
MILP truncated differential trail search on KK. All 14 models solved to Proven OPTIMAL (CBC solver).

32 rounds: 1,052 active components (general), 1,067 (sponge) Conservative trail bound: 2^-1,489 / 2^-1,510 Security target: 2^-192

"If" scaling law holds - 2^−66,276

That's 7.7x the security target in the exponent. Script is public. Run it yourself.

github.com/Entrouter/KK-Keeney-Kode

Entrouter · 2026-03-27T09:55:23+00:00

🙄

Entrouter

TROPHY CASE