Bas Westerbaan writes:
> X-Wing is a KEM - not a combiner.

Sure, but there's a combiner present inside it---and even advertised: see "X-Wing uses the combiner" etc. at the beginning of this thread.

If people are motivated by things like http://tinyurl.com/5cu2j5hf to use the same combiner with a different KEM, would they be deterred by a presentation purely as a unified package? Or by enough warnings? Maybe, but a little more hashing has negligible cost and will reduce the risk.

> Insisting that X-Wing use that generic combiner, is not dissimilar to
> insisting that every KEM that uses an FO transform, should use the
> same generic FO transform.

The title and introduction of https://cr.yp.to/papers.html#tightkem recommend unifying FO transforms. This would have avoided various subsequent breaks of NIST submissions.

To be clear, I think other concerns such as efficiency _can_ outweigh the advantages of unification, but this has to be quantified. When I see a complaint about "hashing the typically large PQ ciphertexts", I ask how this compares quantitatively to communicating the ciphertexts, and end up with a cost increment around 1%, which is negligible even in the extreme case that the KEM is the main thing the application is doing.

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
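
An added illustration of the reuse risk discussed in the message above (not part of the original message, and not X-Wing's or any project's code): a combiner that leaves the post-quantum ciphertext out of the hash is paired with a different KEM whose shared secret does not bind the ciphertext, and compared with a combiner that hashes every ciphertext. The toy KEM, the label, the function names and all byte values are constructed assumptions.

```python
import hashlib

LABEL = b"example-hybrid-v1"  # hypothetical domain-separation label


def toy_decaps(sk: bytes, ct: bytes) -> bytes:
    """Constructed toy decapsulation (not a real KEM): it ignores the last
    ciphertext byte, so distinct ciphertexts can map to one shared secret."""
    return hashlib.sha3_256(sk + ct[:-1]).digest()


def lp(field: bytes) -> bytes:
    """Length-prefix a field so variable-length inputs parse unambiguously."""
    return len(field).to_bytes(4, "big") + field


def combine_without_pq_ct(ss_pq, ss_x, ct_x, pk_x) -> bytes:
    """Combiner that skips the (large) post-quantum ciphertext."""
    return hashlib.sha3_256(LABEL + b"".join(map(lp, (ss_pq, ss_x, ct_x, pk_x)))).digest()


def combine_with_all_cts(ss_pq, ct_pq, ss_x, ct_x, pk_x) -> bytes:
    """Generic combiner that also hashes the post-quantum ciphertext."""
    fields = (ss_pq, ct_pq, ss_x, ct_x, pk_x)
    return hashlib.sha3_256(LABEL + b"".join(map(lp, fields))).digest()


def demo() -> dict:
    sk = bytes(range(32))                                       # constructed secret key
    ss_x, ct_x, pk_x = b"\x11" * 32, b"\x22" * 32, b"\x33" * 32  # constructed ECDH-side values
    ct_a = b"\xaa" * 1088 + b"\x00"                              # constructed PQ ciphertext
    ct_b = b"\xaa" * 1088 + b"\x01"                              # same ciphertext, last byte altered
    ss_a, ss_b = toy_decaps(sk, ct_a), toy_decaps(sk, ct_b)
    narrow_a = combine_without_pq_ct(ss_a, ss_x, ct_x, pk_x)
    narrow_b = combine_without_pq_ct(ss_b, ss_x, ct_x, pk_x)
    wide_a = combine_with_all_cts(ss_a, ct_a, ss_x, ct_x, pk_x)
    wide_b = combine_with_all_cts(ss_b, ct_b, ss_x, ct_x, pk_x)
    return {
        "same_inner_secret": ss_a == ss_b,       # the toy KEM does not bind the ciphertext
        "narrow_keys_equal": narrow_a == narrow_b,  # altered ciphertext, same session key
        "wide_keys_equal": wide_a == wide_b,        # hashing ct_pq separates the two
    }


if __name__ == "__main__":
    print(demo())
```

With the ciphertext-skipping combiner the altered ciphertext yields the same session key, so the hybrid inherits the inner KEM's lack of binding; hashing the ciphertext removes that dependence on the inner KEM's properties.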