"D. J. Bernstein" <d...@cr.yp.to> wrote:
> Peter Schwabe writes:

Dear Dan, dear all,

> > we would like to have an answer to the question "What KEM should
> > I use" that is as simple as
> >   "Use X-Wing."
> 
> Having an easy-to-use, prepackaged answer is great! 

Glad to hear that we agree!

> What I'm saying is that the easy-to-use, prepackaged answer should
> _internally_ use a combiner that includes the full ciphertext and
> public key in the hash:
> 
>    H = SHA3-256,
>    hybridpk = (receiverpkECDH,receiverpkKEM),
>    hybridct = (senderpkECDH,senderctKEM),
>    hybridss = H(ssECDH,ssKEM,H(hybridct),H(hybridpk),context)
> 
> This reduces load on security reviewers: everyone can see that the full
> ct is included in the hash, without having to worry about KEM details.

Here I disagree: the security analysis needs to be done *once* (and has
been done, but of course still needs review; ideally also
computer-verification). Once this review has been done, the savings in
cycle counts come for free.

The idea that hashes come for free is simply no longer true in a PQ
world and if we manage to eliminate a significant (albeit not huge)
amount of cycles through a careful security analysis that needs to be
done once, I expect this to be helpful for adoption.

> It also reduces risks for people who rip out the KEM (for example,
> because of patent concerns) and swap in another KEM.

This is why it's very important to standardize (and communicate) X-Wing
as a KEM, not as a combiner. This is also why I wouldn't want QSF or the
very specific combiner to be added to any other standard as a standalone
"combiner primitive".

>   [ regarding TLS ]
> > I would trust that careful
> > evaluations of the pros and cons lead to the decision to *not* use a
> > generic combiner to build a hybrid KEM from Kyber768 and X25519.
> 
> When and where would this comparison of combiners have happened?
> Citation needed, especially if the previous evaluation is supposed to
> serve as a substitute for current evaluation.

I was not involved in the decision-making process of the current TLS
deployment, so I will have to let people answer who did make those
design decisions.

All the best,

Peter

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
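As an added illustration of the trade-off argued above (not code from either poster or from the X-Wing draft): the quoted full-transcript combiner implemented literally with SHA3-256, next to an assumed cheaper shape that hashes only the ECDH ciphertext and public key, with a byte count of what each hashes for Kyber768 + X25519 sizes and a check of which one still binds the shared secret to the KEM ciphertext when the KEM's own shared secret does not. The cheaper combiner's field order and label, the context string, and all key and ciphertext bytes are constructed assumptions.

```python
import hashlib

# Component sizes for the pair named in the thread (Kyber768/ML-KEM-768 + X25519).
KEM_PK_LEN, KEM_CT_LEN, KEM_SS_LEN = 1184, 1088, 32
ECDH_PK_LEN, ECDH_SS_LEN = 32, 32

def H(*parts: bytes) -> bytes:
    """H = SHA3-256 over the concatenation of fixed-length fields."""
    return hashlib.sha3_256(b"".join(parts)).digest()

def full_transcript_combiner(ss_ecdh, ss_kem, sender_pk_ecdh, sender_ct_kem,
                             receiver_pk_ecdh, receiver_pk_kem, context):
    """hybridss = H(ssECDH, ssKEM, H(hybridct), H(hybridpk), context), as quoted."""
    hybrid_ct = sender_pk_ecdh + sender_ct_kem      # (senderpkECDH, senderctKEM)
    hybrid_pk = receiver_pk_ecdh + receiver_pk_kem  # (receiverpkECDH, receiverpkKEM)
    return H(ss_ecdh, ss_kem, H(hybrid_ct), H(hybrid_pk), context)

def ecdh_only_combiner(ss_ecdh, ss_kem, sender_pk_ecdh, receiver_pk_ecdh, label):
    """Assumed cheaper shape: only the ECDH ct/pk enter the hash, the KEM ct/pk do not;
    its safety rests on a one-time analysis of the KEM rather than on the hash alone."""
    return H(label, ss_kem, ss_ecdh, sender_pk_ecdh, receiver_pk_ecdh)

def bytes_hashed_full(context_len: int) -> int:
    """Input bytes over the three SHA3-256 calls of the full-transcript combiner."""
    inner = (ECDH_PK_LEN + KEM_CT_LEN) + (ECDH_PK_LEN + KEM_PK_LEN)
    outer = ECDH_SS_LEN + KEM_SS_LEN + 32 + 32 + context_len  # two inner digests
    return inner + outer

def bytes_hashed_ecdh_only(label_len: int) -> int:
    """Input bytes of the single SHA3-256 call of the cheaper combiner."""
    return label_len + KEM_SS_LEN + ECDH_SS_LEN + 2 * ECDH_PK_LEN

def constructed(n: int, seed: int) -> bytes:
    """Constructed placeholder bytes standing in for real keys and ciphertexts."""
    return bytes((seed + i) & 0xFF for i in range(n))

def ct_binding_check():
    """Flip one KEM-ciphertext byte with both shared secrets held fixed (a KEM whose ct
    is not bound by its ss); return (full_combiner_changes, cheap_combiner_changes)."""
    ss_e, ss_k = constructed(ECDH_SS_LEN, 1), constructed(KEM_SS_LEN, 2)
    spk, sct = constructed(ECDH_PK_LEN, 3), constructed(KEM_CT_LEN, 4)
    rpk_e, rpk_k = constructed(ECDH_PK_LEN, 5), constructed(KEM_PK_LEN, 6)
    sct2 = bytes([sct[0] ^ 1]) + sct[1:]
    full_a = full_transcript_combiner(ss_e, ss_k, spk, sct, rpk_e, rpk_k, b"ctx")
    full_b = full_transcript_combiner(ss_e, ss_k, spk, sct2, rpk_e, rpk_k, b"ctx")
    cheap_a = ecdh_only_combiner(ss_e, ss_k, spk, rpk_e, b"label")
    cheap_b = ecdh_only_combiner(ss_e, ss_k, spk, rpk_e, b"label")  # sct is not an input
    return full_a != full_b, cheap_a != cheap_b
```

With an empty context the full-transcript combiner hashes 2464 bytes across three SHA3-256 calls against 134 bytes in one call for the cheaper shape, which is the cycle cost the reply weighs against reviewer-visible ciphertext binding.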