Peter Schwabe writes:
> we would like to have an answer to the question "What KEM should
> I use" that is as simple as
>   "Use X-Wing."

Having an easy-to-use, prepackaged answer is great! What I'm saying is
that the easy-to-use, prepackaged answer should _internally_ use a
combiner that includes the full ciphertext and public key in the hash:

   H = SHA3-256,
   hybridpk = (receiverpkECDH,receiverpkKEM),
   hybridct = (senderpkECDH,senderctKEM),
   hybridss = H(ssECDH,ssKEM,H(hybridct),H(hybridpk),context)

This reduces load on security reviewers: everyone can see that the full
ct is included in the hash, without having to worry about KEM details.
It also reduces risks for people who rip out the KEM (for example,
because of patent concerns) and swap in another KEM.

  [ regarding TLS ]
> I would trust that careful
> evaluations of the pros and cons lead to the decision to *not* use a
> generic combiner to build a hybrid KEM from Kyber768 and X25519.

When and where would this comparison of combiners have happened?
Citation needed, especially if the previous evaluation is supposed to
serve as a substitute for current evaluation.

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
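The combiner sketched in the message above, as an added Python example (not code from the thread or from X-Wing) with constructed stand-in values for the shared secrets, keys and ciphertexts; the length-prefixed field encoding is an assumption, since the message does not specify one:

```python
import hashlib


def H(data: bytes) -> bytes:
    """SHA3-256, the hash named in the message."""
    return hashlib.sha3_256(data).digest()


def _enc(*parts: bytes) -> bytes:
    # Assumption: length-prefix each field so the concatenation is
    # unambiguous regardless of the KEM's key/ciphertext sizes.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def hybrid_combine(ss_ecdh: bytes, ss_kem: bytes,
                   sender_pk_ecdh: bytes, sender_ct_kem: bytes,
                   receiver_pk_ecdh: bytes, receiver_pk_kem: bytes,
                   context: bytes) -> bytes:
    """hybridss = H(ssECDH, ssKEM, H(hybridct), H(hybridpk), context)."""
    hybridct = _enc(sender_pk_ecdh, sender_ct_kem)
    hybridpk = _enc(receiver_pk_ecdh, receiver_pk_kem)
    return H(_enc(ss_ecdh, ss_kem, H(hybridct), H(hybridpk), context))


# Constructed placeholder values (not real X25519/Kyber material).
SS_ECDH = bytes(range(32))
SS_KEM = bytes(range(32, 64))
SENDER_PK_ECDH = b"\x11" * 32
SENDER_CT_KEM = b"\x22" * 1088
RECEIVER_PK_ECDH = b"\x33" * 32
RECEIVER_PK_KEM = b"\x44" * 1184
CONTEXT = b"example-hybrid-kem-v0"


def demo() -> dict:
    """Show that the output binds the full ciphertext and public key:
    flipping one byte of ct or pk changes hybridss even when both
    shared secrets are unchanged."""
    base = hybrid_combine(SS_ECDH, SS_KEM, SENDER_PK_ECDH, SENDER_CT_KEM,
                          RECEIVER_PK_ECDH, RECEIVER_PK_KEM, CONTEXT)
    ct_flipped = SENDER_CT_KEM[:-1] + bytes([SENDER_CT_KEM[-1] ^ 1])
    pk_flipped = bytes([RECEIVER_PK_KEM[0] ^ 1]) + RECEIVER_PK_KEM[1:]
    return {
        "base": base,
        "ct_flipped": hybrid_combine(SS_ECDH, SS_KEM, SENDER_PK_ECDH, ct_flipped,
                                     RECEIVER_PK_ECDH, RECEIVER_PK_KEM, CONTEXT),
        "pk_flipped": hybrid_combine(SS_ECDH, SS_KEM, SENDER_PK_ECDH, SENDER_CT_KEM,
                                     RECEIVER_PK_ECDH, pk_flipped, CONTEXT),
    }
```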