Hi all,

Posting as an individual, with chair hat off.

Firstly, thank you Filip and Brian for doing this work and I agree with this as a path forward following the previous discussions.

I did have a question on the algorithm combination choices. At the moment, the security levels between KEM, KDF and AEAD are not consistent in some of the algorithms. In draft-ietf-jose-hpke-encrypt we match P-256/x25519 with AES-128-GCM as they provide the desired security level, but that's not the case here at the moment.

I understand the choice of ML-KEM-768 over ML-KEM-512 as per discussions around draft-ietf-hpke-pq and this is documented well in the security considerations. However, could you outline the reasoning for the choice of AES-256-GCM over AES-128-GCM? For example, in algorithm HPKE-8, we use P256 in our KEM to give 128 bits of traditional security for those who want to use a hybrid approach, and so AES-256-GCM provides no additional security over AES-128-GCM in this algorithm. If it's motivated by discussions of Grover's algorithm, then there has been separate analysis from both ETSI and the University of Waterloo to show that the security impact of quantum computing on symmetric algorithms is in fact limited.

Similarly, it is worth discussing the motivation for the choice of SHAKE256 throughout.

Thanks again for your work on this,

Michael
