You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The current spec cherry-picks a KEM from HPKE, which may lead to domain separation problems. Also the key derivation may be simplified by using hash_to_curve like for BL.
Some other standards apply HPKE by applying Context.Export directly after SetupBase, accepting the overhead of hashing an extra time.
NIST has just published SP800-227: Recommendations for Key-Encapsulation Mechanisms.
Possibly we need to reconsider and/or add a rationale to the spec.
The text was updated successfully, but these errors were encountered:
The current spec cherry-picks a KEM from HPKE, which may lead to domain separation problems. Also the key derivation may be simplified by using hash_to_curve like for BL.
Some other standards apply HPKE by applying Context.Export directly after SetupBase, accepting the overhead of hashing an extra time.
NIST has just published SP800-227: Recommendations for Key-Encapsulation Mechanisms.
Possibly we need to reconsider and/or add a rationale to the spec.
The text was updated successfully, but these errors were encountered: