commit f9a40457abd8d29dc7cf55149c3ce046455e599c
parent afdb4e94f857633ff12ec503ef2c1ab4da955c94
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Fri, 19 Jul 2024 17:12:07 +0200

update

Diffstat:
M draft-schanzen-hpke-elligator-kem.xml | 12 ++++++++++++
1 file changed, 12 insertions(+), 0 deletions(-)
diff --git a/draft-schanzen-hpke-elligator-kem.xml b/draft-schanzen-hpke-elligator-kem.xml @@ -297,6 +297,18 @@ both bits. These bits will be ignored by the target peer after reception. </t> </section> + <section anchor="security_aead" numbered="true" toc="default"> + <name>Combination with AEAD Encryption</name> + <t> + When using the Elligator KEM in combination with AEAD encryption schemes care must be taken that the + ciphertext produced by the AEAD cipher is also indistinguishable from random. + The AEAD schemes listed in <xref target="RFC9180"/> use GCM and Poly1305 authentication tags which + both should result in ciphertexts indistinguishable from random. + However, future AEAD schemes and in particular their authenticators may not exhibit the same + cryptographic properties. + This should be considered when assembling HPKE suites with the Elligator KEM. + </t> + </section> </section> <!-- gana --> <section>
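Review bot: the claim in the new security_aead section that GCM and Poly1305 authentication tags "both should result in ciphertexts indistinguishable from random" is asserted without a reference or the assumptions it depends on; state the conditions (uniformly random key, non-repeating nonces) under which the AEAD output of the RFC 9180 suites is indistinguishable from random, or cite the analysis the statement relies on, and note that the Export-only AEAD in RFC 9180 produces no ciphertext so the concern does not apply to it. Also, "care must be taken that the ciphertext ... is also indistinguishable from random" and "This should be considered" read as requirements on suite designers; if they are, use RFC 2119 keywords consistently rather than lowercase "should", and add the missing comma after "AEAD encryption schemes".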