tireddy2 / JOSE_HPKE

kty EK restricted to HPKE? #18

Closed OR13 closed 3 months ago

OR13 commented 7 months ago

Should this kty say "ek" is only "enc" as produced from an HPKE KEM, or should it say "ek" is any "encapsulated key" from "any kem"?

tireddy2 commented 7 months ago

It looks specific to HPKE KEM because "ek" is not required with PQC KEM (e.g., Kyber).

OR13 commented 7 months ago

I'd feel much better about this after seeing examples of Kyber / RSA KEM that are not using this draft.

tireddy2 commented 7 months ago

PQC KEM Encaps only outputs ciphertext and shared secret (see https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-02.html#section-10.1). The sender has to send only the ciphertext to the recipient, unlike HPKE Seal (but equivalent to HPKE Encap). It looks like we will need a separate draft to explain how JWE works with Kyber.

OR13 commented 7 months ago

I wonder if the proposal to concat enc and ct is worth revisiting in light of this.