cloudflare / circl

CIRCL: Cloudflare Interoperable Reusable Cryptographic Library
http://blog.cloudflare.com/introducing-circl

kem/hybrid: Remove restriction on seed sizes #342

Closed bwesterb closed 2 years ago

bwesterb commented 2 years ago

None of the implemented KEMs aim above 256 bits of security and so SHAKE256 (easily) suffices to stretch one seed into two.

bwesterb commented 2 years ago

I thought about adding a ClaimedSecurity() function to the kem.Scheme interface and checking that those are below 256 when used in the hybrid construction, but I thought that'd be overdoing it.

bwesterb commented 2 years ago

Another solution I thought about is to simply change our schemes to use ≤32 byte seeds, but that might break existing users and would require an extra function to reproduce the test vectors that come with the implementations.
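The two ideas in the comments above, stretching one seed into two with SHAKE256 and checking that no component KEM claims more than 256 bits of security, as an added illustration that is not CIRCL's code and not part of this pull request. The component seed sizes (32 bytes for one KEM, 64 bytes for the other), the domain-separation string and the 32-byte minimum input seed are assumptions chosen for the example, not values taken from the library.

```python
import hashlib

# SHAKE256 provides at most 256 bits of security as an XOF, however long
# its output is. Stretching a seed with it therefore cannot support a
# component KEM that claims more than 256 bits (the check from the comment).
SHAKE256_SECURITY_BITS = 256

# Assumption for this example: require a seed that carries the full 256 bits
# SHAKE256 can pass on, so stretching never reduces the security level.
MIN_SEED_BYTES = 32


def claimed_security_ok(claimed_bits):
    """Return True if a KEM claiming `claimed_bits` of security may be seeded
    from a SHAKE256-stretched seed without weakening its claim."""
    return 0 < claimed_bits <= SHAKE256_SECURITY_BITS


def stretch_seed(seed, sizes, domain=b"example-hybrid-kem-seed"):
    """Expand one input seed into len(sizes) seeds of the requested sizes.

    The hybrid scheme no longer needs its seed length to equal the sum of
    the component seed lengths: one fixed-size seed is absorbed into
    SHAKE256 (with a domain string and a length prefix so different layouts
    cannot collide) and the XOF output is cut into the component seeds.
    """
    if len(seed) < MIN_SEED_BYTES:
        raise ValueError(f"seed must be at least {MIN_SEED_BYTES} bytes")
    if any(n <= 0 for n in sizes):
        raise ValueError("every component seed size must be positive")

    xof = hashlib.shake_256()
    xof.update(domain)
    xof.update(len(seed).to_bytes(2, "big"))  # length prefix (assumed encoding)
    xof.update(seed)
    out = xof.digest(sum(sizes))

    seeds, offset = [], 0
    for n in sizes:
        seeds.append(out[offset:offset + n])
        offset += n
    return seeds


def hybrid_seeds(seed):
    """Derive the two component seeds for the assumed hybrid layout:
    32 bytes for the first KEM and 64 bytes for the second."""
    return stretch_seed(seed, [32, 64])


if __name__ == "__main__":
    # Constructed input seed for demonstration only.
    demo_seed = bytes(range(32))
    a, b = hybrid_seeds(demo_seed)
    print("component seed sizes:", len(a), len(b))
    print("256-bit claim acceptable:", claimed_security_ok(256))
    print("384-bit claim acceptable:", claimed_security_ok(384))
```

The length prefix and domain string are what keep two different splits of the same input (say, 32+64 versus 64+32) from sharing any derived bytes; without them the first bytes of the XOF output would be identical across layouts.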