On Tue, Nov 07, 2023 at 08:00:57AM +0100, Thom Wiggers wrote:
> Hi Peter,
>
> The KEM used for authentication indeed needs to be IND-CCA secure,
> but so does the KEM for ephemeral key exchange (IND-1CCA, at least).
> The TLS key schedule should ensure that this all goes correctly, if
> I recall the discussion on the concatenation of the secrets and
> is-HKDF-a-dual-PRF discussion.

I thought key exchange only needs the absolute minimum to avoid trivial breakage (one-wayness)? Authentication indeed needs IND-CCA.

> But AuthKEM currently tries to build on HPKE, and I think the HPKE
> draft intends to give IND-CCA security.

From reading the HPKE RFC, it seems weird. I thought that HPKE intends to guarantee IND-CCA2; however, I cannot find a requirement for the KEM part to be IND-CCA2 secure (all the other parts, yes). And if the KEM is not IND-CCA2, the whole HPKE will not be either. And there is some text that seems to say that there is no proof that IND-CCA2 security of the KEM implies IND-CCA2 security of HPKE (but one would expect that to hold)? But this might be just me reading the thing wrong.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls