Hi Dan,

Thanks for your detailed comments.

Bas Westerbaan writes:
> > SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 )
>
> 1. I'd include the post-quantum ciphertext (or a hash of it). Rationale:
> This makes the construction more generic,


This construction is not meant to be generic, and we have a security proof of
the IND-CCA robustness. I would be in favor of having Mike's draft
alongside X-Wing, so that people who are not satisfied with X-Wing have a
safe recipe to create their own.


> 2. I think it's good that both of the X25519 public keys are included
> where some hybrid constructions would include just one (labeled as
> ciphertext). Rationale: less chance of confusion regarding which key to
> include; better fit with some existing uses of X25519; might marginally
> simplify security review; even smaller performance cost than including
> the post-quantum ciphertext.
>

And it is required for the IND-CCA robustness: without it, it's not.


> 3. There are papers that recommend also including at least a 32-byte
> prefix of the post-quantum pk:


ML-KEM already includes the public key in the derivation of the shared
secret (line 6 of Algorithm 17), so we see no need to include it a second
time. Again, we do not aim to be a generic construction with X-Wing.


> I think the hybrid construction is a good place to put this hash. If
> there are many different hybrid constructions then factoring out another
> layer might be useful for reviewers, but I'd rather settle on a minimal
> number of hybrid constructions.
>

At the moment the choice of hybrid is left to the application/protocol.
This has led to many different proposals for hybrids, which wastes a lot of
engineering, standardisation and security review time. I think it's better
if hybridisation is done at the level of cryptographic primitive.


> 4. I'd put ss_X25519 before the post-quantum session key. This has a
> two-part rationale.
>

All inputs fit within one SHA3-256 block. Because of that, if I understand
correctly, the order is inconsequential.

Best,

 Bas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
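The combiner discussed in this message, written out as an added example (this is not code from the X-Wing draft or from any of the thread participants). It concatenates the fields in the order quoted above, hashes them with SHA3-256, and checks the single-block claim made near the end of the message: SHA3-256 absorbs 136 bytes per permutation call, and four 32-byte fields plus a short label leave room for the padding byte. The label value is a constructed placeholder assumed to be 6 bytes long, since the draft's actual label is not reproduced on this page; all sample inputs are constructed, not real ML-KEM or X25519 values.

```python
import hashlib

# SHA3-256 absorbs 1088 bits = 136 bytes per Keccak-f call (its "rate").
SHA3_256_RATE_BYTES = hashlib.sha3_256().block_size  # 136

# Constructed stand-in for the draft's domain-separation label.  The real
# label is defined in the X-Wing draft; here it is only assumed to be 6 bytes.
XWING_LABEL_PLACEHOLDER = b"XWING!"

FIELD_LEN = 32  # ss_ML-KEM, ss_X25519, ct_X25519 and pk_X25519 are all 32 bytes


def _check_len(name: str, value: bytes, expected: int) -> None:
    """A combiner must never silently accept a truncated or padded field,
    otherwise two different field layouts could hash to the same input."""
    if len(value) != expected:
        raise ValueError(f"{name} must be {expected} bytes, got {len(value)}")


def combiner_input(ss_mlkem: bytes, ss_x25519: bytes, ct_x25519: bytes,
                   pk_x25519: bytes, label: bytes = XWING_LABEL_PLACEHOLDER) -> bytes:
    """Concatenate the fields in the order quoted in the thread:
    label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519."""
    _check_len("ss_ML-KEM", ss_mlkem, FIELD_LEN)
    _check_len("ss_X25519", ss_x25519, FIELD_LEN)
    _check_len("ct_X25519", ct_x25519, FIELD_LEN)
    _check_len("pk_X25519", pk_x25519, FIELD_LEN)
    return label + ss_mlkem + ss_x25519 + ct_x25519 + pk_x25519


def xwing_shared_secret(ss_mlkem: bytes, ss_x25519: bytes, ct_x25519: bytes,
                        pk_x25519: bytes, label: bytes = XWING_LABEL_PLACEHOLDER) -> bytes:
    """The hybrid shared secret: SHA3-256 over the concatenated fields."""
    return hashlib.sha3_256(
        combiner_input(ss_mlkem, ss_x25519, ct_x25519, pk_x25519, label)
    ).digest()


def fits_in_one_block(label: bytes = XWING_LABEL_PLACEHOLDER) -> bool:
    """True when label + 4 * 32 bytes is absorbed by a single permutation call.

    SHA3 padding (pad10*1 with the 0x06 domain byte) needs at least one byte of
    room in the last block, so the message must be strictly shorter than the
    rate.  With a 6-byte label the input is 134 bytes, which fits; a message of
    exactly 136 bytes would spill the padding into a second block."""
    return len(label) + 4 * FIELD_LEN < SHA3_256_RATE_BYTES


def ciphertext_binds_key(ss_mlkem: bytes, ss_x25519: bytes, ct_x25519: bytes,
                         pk_x25519: bytes) -> bool:
    """Illustrates why ct_X25519 is hashed in: flipping one ciphertext byte,
    with the raw DH output unchanged, must yield a different session key."""
    tampered_ct = bytes([ct_x25519[0] ^ 0x01]) + ct_x25519[1:]
    return (xwing_shared_secret(ss_mlkem, ss_x25519, ct_x25519, pk_x25519)
            != xwing_shared_secret(ss_mlkem, ss_x25519, tampered_ct, pk_x25519))


if __name__ == "__main__":
    # Constructed sample inputs, not outputs of real ML-KEM or X25519.
    ss_mlkem = bytes(range(0x00, 0x20))
    ss_x25519 = bytes(range(0x20, 0x40))
    ct_x25519 = bytes(range(0x40, 0x60))
    pk_x25519 = bytes(range(0x60, 0x80))

    data = combiner_input(ss_mlkem, ss_x25519, ct_x25519, pk_x25519)
    print(f"combiner input: {len(data)} bytes, rate {SHA3_256_RATE_BYTES} bytes, "
          f"single block: {fits_in_one_block()}")
    print("shared secret:", xwing_shared_secret(ss_mlkem, ss_x25519,
                                                ct_x25519, pk_x25519).hex())
    print("ct_X25519 bound into key:",
          ciphertext_binds_key(ss_mlkem, ss_x25519, ct_x25519, pk_x25519))
```

Note that `fits_in_one_block` only confirms the absorb-once property that the message relies on; it says nothing about whether field order matters for security, which is the argument the message makes from that property, not something this code can test.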