From 41b1c39c2e13826117c26dca825f5e9901ff0526 Mon Sep 17 00:00:00 2001 From: Aritra Banerjee Date: Thu, 25 Jan 2024 11:16:07 +0100 Subject: [PATCH] Add files via upload --- draft-ietf-pquip-pqc-engineers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-pquip-pqc-engineers.md b/draft-ietf-pquip-pqc-engineers.md index ca63d90..21d675e 100644 --- a/draft-ietf-pquip-pqc-engineers.md +++ b/draft-ietf-pquip-pqc-engineers.md @@ -619,7 +619,7 @@ Post-quantum algorithms selected for standardization are relatively new and they ## Caution: Ciphertext commitment in KEM vs DH -The ciphertext generated by a KEM is not necessarily inherently linked to the shared secret it produces. In contrast, in some other cryptographic schemes like Diffie-Hellman, a change in the public key results in a change in the derived shared secret. The reader is expected not to assume any properties of cryptographic primitives that they are not targeting, if you are trying to hybridize KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit to ciphertexts (and probably public keys too) as part of your protocol, as KEMs inherently will not do this for you. +The ciphertext generated by a KEM is not necessarily inherently linked to the shared secret it produces. In contrast, in some other cryptographic schemes like Diffie-Hellman, a change in the public key results in a change in the derived shared secret. The reader is expected not to assume any properties of cryptographic primitives that they are not targeting, if you are trying to hybridize KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit to ciphertexts (and probably public keys too) as part of the protocol, as KEMs inherently will not do this. # Further Reading & Resources
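
Review bot: The rewritten last sentence of "Caution: Ciphertext commitment in KEM vs DH" still mixes third and second person. The edit changes "your protocol" to "the protocol" and drops "for you", but "if you are trying to hybridize KEMs with DH" remains, and the comma splice after "that they are not targeting" is untouched. Suggest ending the sentence there and finishing the change of voice in the next one, for example: "When hybridizing KEMs with DH, or migrating directly to KEMs from DH, be sure to explicitly commit to ciphertexts (and probably public keys too) as part of the protocol, as KEMs inherently will not do this." The paragraph also never says what committing means in practice; one clause naming a mechanism, such as feeding the ciphertext and public keys into the key derivation alongside the shared secret, would make the caution actionable. Separately, the subject line "Add files via upload" does not describe a one-line wording change in draft-ietf-pquip-pqc-engineers.md; a subject that names the section being reworded would keep the history searchable.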