Add files via upload
auriee authored Jan 25, 2024
1 parent e41442a commit 33269bb
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion draft-ietf-pquip-pqc-engineers.md
@@ -619,7 +619,7 @@ Post-quantum algorithms selected for standardization are relatively new and they

## Caution: Ciphertext commitment in KEM vs DH

The ciphertext generated by a KEM is not necessarily inherently linked to the shared secret it produces. In contrast, in some other cryptographic schemes like Diffie-Hellman, a change in the public key results in a change in the derived shared secret. Earlier protocols that were designed around earlier drafts of Kyber commit to the ciphertext, vs ML-KEM, which does not. The reader is expected not to assume any properties of cryptographic primitives that they are not targeting, if you are trying to hybridize KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit to ciphertexts (and probably public keys too) as part of your protocol, as KEMs inherently will not do this for you.
The ciphertext generated by a KEM is not necessarily inherently linked to the shared secret it produces. In contrast, in some other cryptographic schemes like Diffie-Hellman, a change in the public key results in a change in the derived shared secret. The reader is expected not to assume any properties of cryptographic primitives that they are not targeting, if you are trying to hybridize KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit to ciphertexts (and probably public keys too) as part of your protocol, as KEMs inherently will not do this for you.

# Further Reading & Resources

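Review bot: the hunk drops the only concrete illustration in this section (the sentence contrasting protocols built around earlier Kyber drafts, which commit to the ciphertext, with ML-KEM, which does not), but neither the diff nor the commit message ("Add files via upload") records why. If the sentence was removed because the version-specific claim is contested or out of scope, say so in the commit message; if it was removed by accident during a bulk upload, it should come back, since it is what motivates the advice to commit explicitly to ciphertexts. Separately, the surviving paragraph still carries a comma splice: "The reader is expected not to assume any properties of cryptographic primitives that they are not targeting, if you are trying to hybridize KEMs with DH, ..." reads better split at the comma, e.g. "... that they are not targeting. If you are trying to hybridize KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit ...", which also removes the mid-sentence switch from "the reader" to "you".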
