On Monday, 19 June 2023, 15:56:57 CEST, Scott Fluhrer (sfluhrer) wrote:

Hi Scott,

> I do not believe that Müller is correct - we do not intend to use the Kyber CPA
> public key encryption interface, but instead the Kyber CCA KEM interface.
> And, with that interface, the server does contribute to the shared secret:
>
> The shared secret that Kyber KEM (round 3) generates on success is:
>
> KDF( G( m || H(pk)) || H(c) )
>
> where:
> - m is the hash of a value that the server selects
> - pk is the public key selected by the client
> - c is the server's keyshare
> - H is SHA3-256, G is SHA3-512, KDF - SHAKE-256
>
> Note that this formula includes a value (pk) that is selected solely by the
> client; hence we cannot say that this value contains only values selected
> by the server. (reference: algorithms 8, 9 of the round 3 Kyber submission)

My concern is that the security strength cannot depend on the pk, because the PK is sent in clear over the wire. Thus it cannot contain entropy.

Thus, entropy only comes from the message m in your listing, which is a random number that is generated by the server. Further, c depends on m and thus does not add any entropy either.

Ciao
Stephan

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
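As an added illustration, not part of the thread and not Kyber code, the composition Scott quotes is written out below with Python's hashlib so that the two points in this exchange can be separated: whether the derived value depends on pk (it does, which is what a bit-flip sensitivity check shows) is a different question from which inputs are secret (pk and c both travel in clear). The inputs m, pk and c are constructed stand-in byte strings; real Kyber produces c by encrypting m under pk with randomness r, and the round-3 KEM (Algorithm 8) splits the 64-byte output of G into K̄ || r and feeds only K̄ into the KDF, which the quoted formula abbreviates.

```python
import hashlib

# Constructed illustration of the derivation quoted in the thread:
#   KDF( G( m || H(pk) ) || H(c) )  with H = SHA3-256, G = SHA3-512,
#   KDF = SHAKE-256.
# m, pk and c are stand-in byte strings, not Kyber objects. The real
# round-3 KEM splits G's output into K-bar || r and passes only K-bar to
# the KDF; this follows the abbreviated formula from the message instead.


def H(data: bytes) -> bytes:
    """H = SHA3-256, as given in the quoted message."""
    return hashlib.sha3_256(data).digest()


def G(data: bytes) -> bytes:
    """G = SHA3-512, as given in the quoted message."""
    return hashlib.sha3_512(data).digest()


def KDF(data: bytes, out_len: int = 32) -> bytes:
    """KDF = SHAKE-256, producing a 32-byte shared secret by default."""
    return hashlib.shake_256(data).digest(out_len)


def shared_secret(m: bytes, pk: bytes, c: bytes, out_len: int = 32) -> bytes:
    """KDF( G( m || H(pk) ) || H(c) ) exactly as written in the message."""
    return KDF(G(m + H(pk)) + H(c), out_len)


def _flip_first_bit(b: bytes) -> bytes:
    """Flip one bit of the first byte (hypothetical helper for the check)."""
    if not b:
        return b"\x01"
    return bytes([b[0] ^ 0x01]) + b[1:]


def sensitivity(m: bytes, pk: bytes, c: bytes) -> dict:
    """Report which inputs the derived value depends on.

    Each input is perturbed by one bit in turn; True means the shared secret
    changed. This shows binding (the value is a function of pk and c), which
    is separate from entropy: pk and c are both visible on the wire, so a
    True here does not mean that input is secret.
    """
    base = shared_secret(m, pk, c)
    return {
        "m": shared_secret(_flip_first_bit(m), pk, c) != base,
        "pk": shared_secret(m, _flip_first_bit(pk), c) != base,
        "c": shared_secret(m, pk, _flip_first_bit(c)) != base,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not a real Kyber key, message or ciphertext.
    m_sample = bytes(range(32))
    pk_sample = b"\x01" * 64
    c_sample = b"\x02" * 64
    print(shared_secret(m_sample, pk_sample, c_sample).hex())
    print(sensitivity(m_sample, pk_sample, c_sample))
```

The sensitivity check is the mechanical version of Scott's remark: a value derived from pk changes when pk changes. Stephan's objection is about a different property, the unpredictability of the output to someone who sees pk and c, and that is not something a bit-flip test can measure.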