
Comments (5)

bwesterb avatar bwesterb commented on September 27, 2024

These hybrids were added for use in TLS 1.3, where simple concatenation is sufficient for IND-CCA2 robustness of the combined protocol (because the transcript hash mixes in the ciphertexts.)

Outside of TLS 1.3, such as with HPKE, the situation still isn't clear cut: it depends on which KEMs are combined. Both the current version of Kyber and DHKEM hash in the ciphertext, so the simple concatenation in hpke/hybridkem is still IND-CCA2 robust. (This is not the case for those in kem/hybrid when used on their own.)

Kyber will probably stop hashing in the ciphertext in the final version.

We should properly document this in the code.

What do you need for your application?

from circl.

david415 avatar david415 commented on September 27, 2024

The Katzenpost mix network project thus far has two uses for KEMs:

  1. PQNoise https://github.com/katzenpost/katzenpost/blob/main/core/wire/session.go
  2. KEM Sphinx https://github.com/katzenpost/katzenpost/blob/main/core/sphinx/kemsphinx.go

I'd guess that the Noise hash object might get us IND-CCA2 security like you mentioned with TLS. However, for the Sphinx nested encrypted packet, it would require the KEM to be IND-CCA2.

Also... I recently wrote a NIKE to KEM adapter:

https://github.com/katzenpost/katzenpost/blob/use_new_ctidh_types/core/crypto/kem/adapter/kem.go

it could probably use some code review, if you like:

katzenpost/katzenpost#253


david415 avatar david415 commented on September 27, 2024

And here's how I add the split PRF KEM combiner:
katzenpost/katzenpost@9088d6b

...which has not been code reviewed... but the unit tests pass ;-)

I guess I could make a pull request for circl to have this code if other developers were interested in using hybrid KEMs that are IND-CCA2 secure... which probably means that they would use these KEMs for a use case that does not include TLS or Noise.


bwesterb avatar bwesterb commented on September 27, 2024

...which has not been code reviewed

I don't think that's implemented correctly: it doesn't mix in the ciphertexts at all. Also, AES is not a PRF — it's a PRP.

I would simply go for H(ss1 || ss2 || ct1 || ct2), given all of them are fixed length, which is IND-CCA2 robust in QROM.

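As an added example (not code from circl or from Katzenpost), the following Go program puts the three technical points of this thread side by side: a DHKEM-style NIKE-to-KEM adapter over X25519 that hashes its own ciphertext into the shared secret (the property bwesterb attributes to DHKEM and the current Kyber), and the H(ss1 || ss2 || ct1 || ct2) combiner suggested in the previous comment, written generically over any pair of encapsulation and decapsulation functions. SHA-256 with short labels stands in for whatever hash the real schemes use; the labels, function names and the use of two X25519 instances in `main` as the two components are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kdf returns SHA-256(label || parts...). The labels used below are assumed
// domain separators; every part has a fixed length, so plain concatenation
// is unambiguous (no length prefixes needed).
func kdf(label string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// Hypothetical NIKE-to-KEM adapter over X25519 in the DHKEM style: the
// ciphertext is an ephemeral public key and the shared secret is
// H(dh || ct || pk), so this component binds its own ciphertext.

func X25519Keygen() ([]byte, []byte, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv.PublicKey().Bytes(), priv.Bytes(), nil
}

// x25519 runs the DH; crypto/ecdh rejects low-order peers (all-zero output).
func x25519(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

func X25519Encap(pk []byte) ([]byte, []byte, error) {
	esk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	z, err := x25519(esk, pk)
	if err != nil {
		return nil, nil, err
	}
	ct := esk.PublicKey().Bytes()
	return ct, kdf("x25519kem", z, ct, pk), nil
}

func X25519Decap(sk, ct []byte) ([]byte, error) {
	priv, err := ecdh.X25519().NewPrivateKey(sk)
	if err != nil {
		return nil, err
	}
	z, err := x25519(priv, ct)
	if err != nil {
		return nil, err
	}
	return kdf("x25519kem", z, ct, priv.PublicKey().Bytes()), nil
}

// Generic combiner over any two KEMs: ss = H(ss1 || ss2 || ct1 || ct2).
// Both ciphertexts go into the hash, so the result does not depend on
// whether each component KEM hashes its own ciphertext.

type Encap func(pk []byte) (ct, ss []byte, err error)
type Decap func(sk, ct []byte) (ss []byte, err error)

func Combine(ss1, ss2, ct1, ct2 []byte) []byte {
	return kdf("hybridkem", ss1, ss2, ct1, ct2)
}

func HybridEncap(encA, encB Encap, pkA, pkB []byte) ([]byte, []byte, []byte, error) {
	ctA, ssA, err := encA(pkA)
	if err != nil {
		return nil, nil, nil, err
	}
	ctB, ssB, err := encB(pkB)
	if err != nil {
		return nil, nil, nil, err
	}
	return ctA, ctB, Combine(ssA, ssB, ctA, ctB), nil
}

func HybridDecap(decA, decB Decap, skA, skB, ctA, ctB []byte) ([]byte, error) {
	ssA, err := decA(skA, ctA)
	if err != nil {
		return nil, err
	}
	ssB, err := decB(skB, ctB)
	if err != nil {
		return nil, err
	}
	return Combine(ssA, ssB, ctA, ctB), nil
}

func main() {
	// Two X25519 instances stand in for a classical + post-quantum pair.
	pkA, skA, _ := X25519Keygen()
	pkB, skB, _ := X25519Keygen()
	ctA, ctB, ss, _ := HybridEncap(X25519Encap, X25519Encap, pkA, pkB)
	got, _ := HybridDecap(X25519Decap, X25519Decap, skA, skB, ctA, ctB)
	fmt.Printf("keys agree: %v\nss = %x\n", bytes.Equal(ss, got), ss)
}
```

`Combine` is where the thread's point lives: because every input has a fixed length, concatenation inside the hash needs no length prefixes, and because both ciphertexts are hashed, a modified ciphertext for either component yields a different derived key whether or not that component binds its own ciphertext. The X25519 adapter is only one component; in a real hybrid the second `Encap`/`Decap` pair would be the post-quantum KEM.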

david415 avatar david415 commented on September 27, 2024

Thanks for the correction!

