Closed martinthomson closed 3 years ago
I am not sure what you mean by "Senders ensure that the shared secret is unique for each context by choosing a unique value for input keying material"? Is this about the randomness used for each individual invocation of `(Auth)Encap()`?
Concerning `ikm`, I suggest we replace your suggestion with something more general:
A value `ikm` MUST NOT be used more than once with `DeriveKeyPair()` and MUST NOT be reused elsewhere,
in particular not for other invocations of `DeriveKeyPair()`, be it for the same or a different KEM.
Would this cover your concerns?
(I wonder if we should add text about using keypairs for different modes (Base, PSK, Auth, AuthPSK). It could be good to either be sure that this kind of reuse is cryptographically ok, or prohibit it in the RFC.)
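Worked example, added here for illustration and not code from the draft, the RFC, or any participant in this thread: why the proposed rule matters. `DeriveKeyPair()` is fully deterministic in `ikm`, so feeding the same `ikm` to it twice yields the identical key pair, and "ikm reuse" is simply key reuse under another name. The block assumes the final RFC 9180 construction for DHKEM(X25519, HKDF-SHA256) (`LabeledExtract("", "dkp_prk", ikm)` followed by `LabeledExpand(dkp_prk, "sk", "", Nsk)`), which may differ in labeling details from the draft version being discussed; X25519 is implemented in pure Python per RFC 7748 so that nothing beyond the standard library is needed. The `IkmGuard` class is a hypothetical helper, not an API of any HPKE library, that enforces the "MUST NOT be used more than once" rule at the call site; the `ikmE`, `skEm` and `pkEm` values are the RFC 9180 Appendix A.1.1 test vector.

```python
"""Added example: deterministic DeriveKeyPair() for DHKEM(X25519, HKDF-SHA256)
as in RFC 9180 (assumed; the draft under discussion may differ), plus a
hypothetical guard that refuses to consume the same ikm twice."""
import hashlib
import hmac

# --- HKDF-SHA256 primitives with HPKE labeling (RFC 9180 Section 4) ---
KEM_ID_X25519 = 0x0020
SUITE_ID = b"KEM" + KEM_ID_X25519.to_bytes(2, "big")   # suite_id used inside the KEM
NSK = 32                                                # Nsk for X25519

def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    labeled_ikm = b"HPKE-v1" + SUITE_ID + label + ikm
    return hmac.new(salt, labeled_ikm, hashlib.sha256).digest()   # HKDF-Extract

def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    out, block, counter = b"", b"", 1
    while len(out) < length:                                     # HKDF-Expand
        block = hmac.new(prk, block + labeled_info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

# --- X25519 (RFC 7748 Section 5) in pure Python, Montgomery ladder ---
_P = 2**255 - 19
_A24 = 121665

def x25519(k: bytes, u: bytes) -> bytes:
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64          # clamp the scalar
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

X25519_BASEPOINT = (9).to_bytes(32, "little")

def derive_key_pair(ikm: bytes) -> tuple:
    """RFC 9180 DeriveKeyPair for DHKEM(X25519): no randomness, only ikm."""
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm)
    sk = labeled_expand(dkp_prk, b"sk", b"", NSK)
    return sk, x25519(sk, X25519_BASEPOINT)

class IkmGuard:
    """Hypothetical helper enforcing "ikm MUST NOT be used more than once with
    DeriveKeyPair()": remembers a keyed fingerprint of each ikm, not the ikm."""
    def __init__(self):
        self._seen = set()

    def derive(self, ikm: bytes) -> tuple:
        tag = hmac.new(b"ikm-seen", ikm, hashlib.sha256).digest()
        if tag in self._seen:
            raise ValueError("ikm reuse: already consumed by DeriveKeyPair()")
        self._seen.add(tag)
        return derive_key_pair(ikm)

# RFC 9180 Appendix A.1.1 (Base mode) test vector, assumed from the RFC.
RFC9180_A1_IKME = "7268600d403fce431561aef583ee1613527cff655c1343f29812e66706df3234"
RFC9180_A1_SKEM = "52c4a758a802cd8b936eceea314432798d5baf2d7e9235dc084ab1b9cfa2f736"
RFC9180_A1_PKEM = "37fda3567bdbd628e88668c3c8d7e97d1d1253b6d4ea6d44c150f741f1bf4431"

def reuse_demo() -> dict:
    """Derive twice from one ikm: identical keys both times; the guard stops it."""
    ikm = bytes.fromhex(RFC9180_A1_IKME)
    sk1, pk1 = derive_key_pair(ikm)
    sk2, pk2 = derive_key_pair(ikm)            # same ikm -> same sk and pk
    guard = IkmGuard()
    guard.derive(ikm)
    try:
        guard.derive(ikm)
        rejected = False
    except ValueError:
        rejected = True
    return {"deterministic": (sk1, pk1) == (sk2, pk2),
            "rejected_reuse": rejected, "sk": sk1.hex(), "pk": pk1.hex()}

if __name__ == "__main__":
    print(reuse_demo())
```

Because `suite_id` is mixed into the labels, the same `ikm` handed to a different KEM's `DeriveKeyPair()` produces an unrelated key, so the cross-KEM clause of the proposed text is a hygiene rule rather than a collision fix; the same-KEM clause is the one that prevents silently generating the same private key twice.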
@martinthomson I made a proposal in a separate PR, #215.
I considered adding this to Section 8.2 instead, but this seems most appropriate.
Closes #202.