You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We aim for IND-CCA2 robustness: that means that if either constituent KEM is not IND-CCA2 secure, but the other is, the combined hybrid remains IND-CCA2 secure.In general [GHP18] [COMBINERS] this requires a combiner that mixes in the cipher texts, such as, assuming fixed-length cipher texts and shared secrets:
HKDF(concat(ss1, ss2, enc1, enc2)).
In the present case, DHKEM(X25519, -) and Kyber768Draft00 already mix in the respective cipher texts into their shared secrets. Thus we can forgo mixing in the cipher texts a second time.Furthermore, in HPKE, the shared secret is never used directly, but passed through HKDF (via KeySchedule), and thus we can forgo the call to HKDF as well.
The text was updated successfully, but these errors were encountered:
https://datatracker.ietf.org/doc/html/draft-westerbaan-cfrg-hpke-xyber768d00-02 has this very similar security consideration.
Does the same apply here?
The text was updated successfully, but these errors were encountered: