Open ilaril opened 2 weeks ago
Ilari, I have no idea what you are trying to say. What do you mean "not parsable"? Can you please explain another way?
The domain separation is not guaranteed: Even if two inputs have different domains, the input to the KDF might still be the same.
While such a thing seems very unlikely to happen and low-impact in practice, cryptography is traditionally conservative and would rather eliminate the possibility altogether.
The KDF input
mlkemSS || tradSS || tradCT || tradPK || Domain
is not parsable, as a domain may be a suffix of another. This means the inputs might collide even between what are supposed to be separate domains. The simplest way I can come up with to make it parsable (and thus prevent inter-domain collisions) is to reverse the domain encoding:
mlkemSS || tradSS || tradCT || tradPK || reverse(Domain)
(Since it is possible to parse in reverse from the end.)
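The collision described above, worked through as an added example (not code from the draft or from the issue author). All values are constructed: fixed 32-byte stand-ins for `mlkemSS`, `tradSS` and `tradCT`, two `tradPK` values of different length, and two toy domain labels `bc` and `abc` where the first is a suffix of the second. The block shows that the original layout produces byte-identical KDF input for two different domains, that the reversed layout does not, and that the reversed layout can be parsed from the end provided no domain is a prefix of another (checked by the hypothetical helper `is_prefix_free`).

```python
"""Added example: inter-domain collision in a trailing, non-delimited Domain
field, and how reverse(Domain) makes the input parsable from the end.
Not the draft's code; every value below is constructed for illustration."""


def kdf_input_suffix_domain(mlkem_ss, trad_ss, trad_ct, trad_pk, domain):
    """Original layout: mlkemSS || tradSS || tradCT || tradPK || Domain."""
    return mlkem_ss + trad_ss + trad_ct + trad_pk + domain


def kdf_input_reversed_domain(mlkem_ss, trad_ss, trad_ct, trad_pk, domain):
    """Proposed layout: mlkemSS || tradSS || tradCT || tradPK || reverse(Domain)."""
    return mlkem_ss + trad_ss + trad_ct + trad_pk + domain[::-1]


def is_prefix_free(domains):
    """True if no domain is a proper prefix of another.  This is the condition
    under which reading reverse(Domain) from the end is unambiguous.
    (Hypothetical helper, not part of the draft.)"""
    return not any(a != b and b.startswith(a) for a in domains for b in domains)


def parse_domain_from_end(kdf_input, domains):
    """Recover Domain from a reversed-domain encoding by matching reversed
    domains against the tail of the input.  Raises if the domain set is not
    prefix-free (the parse would be ambiguous) or if no single domain matches."""
    if not is_prefix_free(domains):
        raise ValueError("domain set is not prefix-free; parsing from the end is ambiguous")
    matches = [d for d in domains if kdf_input.endswith(d[::-1])]
    if len(matches) != 1:
        raise ValueError("no unique domain found at end of KDF input")
    return matches[0]


# Constructed fixed-size stand-ins for the shared secrets and the ciphertext.
MLKEM_SS = b"\x01" * 32
TRAD_SS = b"\x02" * 32
TRAD_CT = b"\x03" * 32

# Constructed domain labels: "bc" is a suffix of "abc".
DOMAIN_SHORT = b"bc"
DOMAIN_LONG = b"abc"
DOMAINS = [DOMAIN_SHORT, DOMAIN_LONG]


def collision_demo():
    """Two inputs with different domains.  Under the original layout they are
    byte-identical: the trailing 'a' of one tradPK is read as the first byte of
    the other input's domain, because tradPK is not self-delimiting.  Under the
    reversed layout they differ, and the domain can be parsed back from the end."""
    pk_a = b"\x04" * 31 + b"a"   # constructed: public key whose last byte is 'a'
    pk_b = b"\x04" * 31          # constructed: one byte shorter
    v1_a = kdf_input_suffix_domain(MLKEM_SS, TRAD_SS, TRAD_CT, pk_a, DOMAIN_SHORT)
    v1_b = kdf_input_suffix_domain(MLKEM_SS, TRAD_SS, TRAD_CT, pk_b, DOMAIN_LONG)
    v2_a = kdf_input_reversed_domain(MLKEM_SS, TRAD_SS, TRAD_CT, pk_a, DOMAIN_SHORT)
    v2_b = kdf_input_reversed_domain(MLKEM_SS, TRAD_SS, TRAD_CT, pk_b, DOMAIN_LONG)
    return {
        "original_collides": v1_a == v1_b,
        "reversed_collides": v2_a == v2_b,
        "reversed_domain_a": parse_domain_from_end(v2_a, DOMAINS),
        "reversed_domain_b": parse_domain_from_end(v2_b, DOMAINS),
    }


def prefix_related_demo():
    """Caveat: reversing turns the suffix problem into a prefix problem.  With
    domains "bc" and "bcd" (one a prefix of the other) the reversed layout
    collides in exactly the same way, so the domain set must be prefix-free."""
    pk_a = b"\x04" * 31 + b"d"   # constructed: last byte 'd'
    pk_b = b"\x04" * 31
    v2_a = kdf_input_reversed_domain(MLKEM_SS, TRAD_SS, TRAD_CT, pk_a, b"bc")
    v2_b = kdf_input_reversed_domain(MLKEM_SS, TRAD_SS, TRAD_CT, pk_b, b"bcd")
    return v2_a == v2_b


if __name__ == "__main__":
    print(collision_demo())
    print("reversed layout collides for prefix-related domains:", prefix_related_demo())
```

The second function is the check a reviewer would want before accepting the reversal: it only buys unambiguous parsing when no domain string is a prefix of another, so the concrete set of domain identifiers has to be checked for that property (or the domain given a fixed width or a length prefix, which removes the dependence on the label set altogether).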