On Mon, Sep 05, 2022 at 05:15:25AM +0900, AJITOMI Daisuke wrote:
> Let me point out one thing.
> 
> 
> > Even if HPKE does not explicitly say so, for each kem_id, there is one
> > kdf_id that should be used with it. Currently (kem -> kdf):
> >
> > 16 -> 1
> > 17 -> 2
> > 18 -> 3
> > 32 -> 1
> > 33 -> 3
> >
> 
> KEM, KDF and AEAD in HPKE are independent of each other and can be used in
> any combination.
> Even in the representative test vectors picked up in the RFC, there is a
> 16 -> 3 combination.
> https://www.rfc-editor.org/rfc/rfc9180.html#name-dhkemp-256-hkdf-sha256-hkdf-

Yes, the KEM and KDF can be in any combination. However, combinations
like 16 -> 3 lead to implementations needing both SHA-256 and SHA-512,
which is not exactly desirable for constrained implementations (and
the C in COSE ultimately expands to "constrained").

For unconstrained implementations, supporting all combinations of
algorithms is easy (though there is an edge case involving KDF and AEAD,
but nothing currently can trigger that).

And I hope that when defining a KEM based on Kyber, HPKE also defines
some KDF based on SHA-3, since Kyber uses SHA-3 internally, but HPKE
currently can only use SHA-2 functions for KDF.


-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
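
As an added illustration of the point in the message above (not code from the thread or from any HPKE implementation): this sketch follows the RFC 9180 LabeledExtract/LabeledExpand structure for the DHKEM and the base-mode key schedule and records which hash each step invokes. The `dh` and `kem_context` inputs are constructed placeholder bytes rather than a real Diffie-Hellman result, and `LabeledHkdf`, `hashes_used` and `single_hash_pairs` are names chosen here.

```python
import hashlib
import hmac

# RFC 9180 registries: KEM id -> hash inside the DHKEM, KDF id -> hash of the key schedule.
KEM_HASH = {0x0010: "sha256", 0x0011: "sha384", 0x0012: "sha512",
            0x0020: "sha256", 0x0021: "sha512"}
KDF_HASH = {0x0001: "sha256", 0x0002: "sha384", 0x0003: "sha512"}

def i2osp(n, length):
    return n.to_bytes(length, "big")

class LabeledHkdf:
    """LabeledExtract/LabeledExpand bound to one suite_id and one hash."""
    def __init__(self, hash_name, suite_id, used):
        self.h, self.suite_id, self.used = hash_name, suite_id, used

    def extract(self, salt, label, ikm):
        self.used.add(self.h)  # record that this hash had to be available
        salt = salt or bytes(hashlib.new(self.h).digest_size)
        return hmac.new(salt, b"HPKE-v1" + self.suite_id + label + ikm, self.h).digest()

    def expand(self, prk, label, info, length):
        self.used.add(self.h)
        info = i2osp(length, 2) + b"HPKE-v1" + self.suite_id + label + info
        okm, block, counter = b"", b"", 1
        while len(okm) < length:  # HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)
            block = hmac.new(prk, block + info + bytes([counter]), self.h).digest()
            okm += block
            counter += 1
        return okm[:length]

def hashes_used(kem_id, kdf_id, aead_id=0x0001, dh=b"\x01" * 32, kem_context=b"ctx"):
    """Run both derivations on constructed inputs; return (hashes touched, AEAD key)."""
    used = set()
    kem = LabeledHkdf(KEM_HASH[kem_id], b"KEM" + i2osp(kem_id, 2), used)
    n_secret = hashlib.new(KEM_HASH[kem_id]).digest_size
    eae_prk = kem.extract(b"", b"eae_prk", dh)
    shared = kem.expand(eae_prk, b"shared_secret", kem_context, n_secret)
    suite = b"HPKE" + i2osp(kem_id, 2) + i2osp(kdf_id, 2) + i2osp(aead_id, 2)
    ks = LabeledHkdf(KDF_HASH[kdf_id], suite, used)
    # Base mode (0x00) with empty psk_id, info and psk.
    ctx = b"\x00" + ks.extract(b"", b"psk_id_hash", b"") + ks.extract(b"", b"info_hash", b"")
    secret = ks.extract(shared, b"secret", b"")
    return used, ks.expand(secret, b"key", ctx, 16)  # Nk = 16 for AES-128-GCM

def single_hash_pairs():
    """KEM -> KDF pairs for which one hash function serves both derivations."""
    return {k: d for k in KEM_HASH for d in KDF_HASH if len(hashes_used(k, d)[0]) == 1}
```

`single_hash_pairs()` reproduces the kem -> kdf table quoted in the message, while `hashes_used(16, 3)` reports both SHA-256 and SHA-512.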