Ultra-Secure File Embedding with Kyber1024 + AES-256-GCM

This guide explains how to embed, protect, and extract hidden encrypted payloads using PQEmbeddFileInto, a tool that blends post-quantum cryptography with steganography.
The client will understand exactly what to do — sender, receiver, and workflow.

🚀 1. Overview

PQEmbeddFileInto securely hides an encrypted file inside an image or document (PNG, BMP, TIFF, PDF).
Security stack:

• Kyber1024 KEM → key encapsulation / shared secret

• AES-256-GCM → payload encryption

• CRC32-validated PNG chunks OR append-mode metadata stego

No passwords. No human error. Everything cryptographically enforced.

🔐 2. Key Files

The system uses a public/private keypair:

• Public Key (pubkey) → can be shared

• Private Key (privkey) → keep secret, used only for extraction

The keys are used to derive a 256-bit symmetric AES key via Kyber decapsulation.

🧩 3. Command Summary

📨 4. Sender Workflow (Embedding)

The sender hides an encrypted file inside an image/document.

Step 1 — Generate a Keypair (Only Once)

What this does:

• Creates a Kyber1024 public/private keypair

• server.pub → share with receiver

• server.prv → KEEP SECRET (recipient only)

Step 2 — Choose What to Hide

Example:
secret.pdf, contract.zip, wallet.json, keys.txt, etc.

This file will be encrypted AND embedded.

Step 3 — Choose the Carrier File

Supported carriers:

• PNG (with custom pqKy chunk)

• BMP

• TIFF / TIF

• PDF
  (others may work via append-mode if binary-safe)

Example carrier:
photo.png, report.pdf, scan.tiff

Step 4 — Embed (Encrypt + Stego)

🧠 Internally, this performs:

1. Kyber1024 encapsulation → a shared secret

2. SHA-256 → AES-256 key derivation

3. AES-256-GCM encryption

4. For PNG → payload inserted as a custom chunk (pqKy)

5. For other formats → payload appended with a trailer marker (PQEMBEDv1)

If successful:
→ stego.png contains invisible encrypted payload.

Send this file normally — email, messenger, cloud, whatever.

📥 5. Recipient Workflow (Extraction)

The recipient must have the private key corresponding to the public key used by the sender.

Step 1 — Receive the Stego File

Example:
stego.png

This file contains the hidden encrypted payload.

Step 2 — Extract and Decrypt

Under the hood:

1. Locate the stego trailer or PNG custom chunk

2. Parse envelope

3. Kyber1024 decapsulation → derive AES-256-GCM key

4. Decrypt and validate GCM tag

5. Write decrypted file

When finished:
→ recovered.pdf is the original file.

🛡️ 6. Security Properties

✔ Post-quantum security (Kyber1024)

Resistant to quantum computers.

✔ AEAD Authentication (AES-256-GCM)

Protects confidentiality + verifies integrity.

✔ Zero configuration

No passwords, no key derivation errors.

✔ Steganographic cover

Payload is invisible and survives most binary-safe transfers.

🧭 7. Best Practices for Clients

🔐 Recipient must protect the private key:

• Store it offline if possible

• Do not send by email

• Do not place in public cloud folders

🔑 Sender must always use the recipient’s public key.

Private key is NEVER needed for embedding.

♻ Rotate keys if required by policy.

📁 Keep carrier files realistic

Use natural-looking, non-repetitive images/documents to avoid suspicion.

📝 8. Quick Example Summary

Sender

Send:

• stego.png

Recipient

🎯 9. Final Notes for Customers

• The embedded payload is encrypted before being hidden.

• Even if extracted by an attacker, it cannot be decrypted without the private key.

• The stego output preserves full carrier integrity and visual fidelity.

• The tool does not modify EXIF or metadata beyond the minimal required change.