On Mon, Jan 15, 2024 at 11:21 PM D. J. Bernstein <d...@cr.yp.to> wrote:
> If the goal is maximum streamlining for IND-CCA2 then > one shouldn't include the _recipient's_ X25519 public key in the hash, > so why exactly does X-Wing include it? > As the paper states at the top of page 4, X-Wing includes the recipient's X25519 public key "as a measure of security against multi-target attacks, similarly to what is done in the ML-KEM design". Cheers, Jack
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls