On Tue, Jan 16, 2024 at 8:24 AM D. J. Bernstein <d...@cr.yp.to> wrote:
> Bas Westerbaan writes:
> > X-Wing is a KEM - not a combiner.
>
> Sure, but there's a combiner present inside it---and even advertised:
> see "X-Wing uses the combiner" etc. at the beginning of this thread.
>
> If people are motivated by things like http://tinyurl.com/5cu2j5hf to
> use the same combiner with a different KEM, would they be deterred by a
> presentation purely as a unified package? Or by enough warnings? Maybe,
> but a little more hashing has negligible cost and will reduce the risk.
>
> > Insisting that X-Wing use that generic combiner, is not dissimilar to
> > insisting that every KEM that uses an FO transform, should use the
> > same generic FO transform.
>
> The title and introduction of https://cr.yp.to/papers.html#tightkem
> recommend unifying FO transforms. This would have avoided various
> subsequent breaks of NIST submissions.
>
> To be clear, I think other concerns such as efficiency _can_ outweigh
> the advantages of unification, but this has to be quantified. When I see
> a complaint about "hashing the typically large PQ ciphertexts", I ask
> how this compares quantitatively to communicating the ciphertexts, and
> end up with a cost increment around 1%, which is negligible even in the
> extreme case that the KEM is the main thing the application is doing.

Responding to Dan but really this is a question to the draft authors. Do you agree with Dan on the approximate overhead here?

-Ekr