Hi Quynh, > The Decaps key holder can write another program to output c' and check if c = > c' or not to know if Decryption failure happens when c is a ciphertext > generated correctly by Encap. (*)
Just for the record: Doing so could be dangerous for the same reason that constant time implementations of the FO transform hide whether c != c'. It can potentially leak exactly the information the implicit rejection is designed to hide (and security arguments of many schemes rely on this). -- TBB _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
