Section 5:
"we include two authenticated variants .": We would also suggest mentioning that these variants also contribute additional keying material to the encryption operation. See also discussion in Section 8.1.
After the sentence, "the constructions described here presume .", mention that the recipient also needs a way to determine which of its public keys was used for the encapsulation operation (if the recipient has more than one public key). Also add a reference to Section 9 which addresses the corresponding issues for message encoding.
chris-wood
commented
4 years ago
From https://mailarchive.ietf.org/arch/msg/cfrg/ZcTCJkilzCDshxsIj7MwKHNlNuM/
Section 5: "we include two authenticated variants .": We would also suggest mentioning that these variants also contribute additional keying material to the encryption operation. See also discussion in Section 8.1.
After the sentence, "the constructions described here presume .", mention that the recipient also needs a way to determine which of its public keys was used for the encapsulation operation (if the recipient has more than one public key). Also add a reference to Section 9 which addresses the corresponding issues for message encoding.