Open thomwiggers opened 11 months ago
Agreed, but the authenticated HPKE mode is not used by OHAI, ESNI and DNS over Oblivious HTTP. Do we have to discuss the optional authenticated HPKE modes?
HPKE phrases everything internally already in terms of KEM, not NIKE (even though this is mildly incorrect for the authenticated modes). The current text in this document suggests that HPKE heavily relies on the NIKE nature of DH and that special consideration was needed for the integration of Xyber.
Yes, my understanding is integration for Kyber requires two full KEM exchanges for the authentication variant in HPKE (as discussed in https://www.ietf.org/archive/id/draft-ietf-pquip-pqc-engineers-02.html#section-10.1.1 (figure 4)).
The unauthenticated HPKE modes have been defined using KEM primitives, and it's very easy to slot post-quantum KEM into them. The authenticated modes require AKEM or NIKE primitives, for which we don't really have good solutions right now.
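The structural point made in this thread (base mode consumes only a KEM's Encap/Decap, while the authenticated mode reaches underneath the KEM into the static-static DH that only a NIKE provides) can be seen in a few dozen lines. The following is an added illustration written for this discussion, not code from HPKE, RFC 9180 or any of the projects named above: it is a simplified sketch, the KDF is a toy HMAC rather than the RFC 9180 labeled key schedule, the NIKE is finite-field DH over the RFC 3526 group 14 prime (transcribed here; stdlib-only choice, no subgroup checks), and `hpke_base_send`, `hpke_auth_send`, `DHKEM` and `demo` are hypothetical names.

```python
"""Added illustration: HPKE base mode needs only a KEM interface; auth mode needs the NIKE.
Simplified sketch, not RFC 9180. Toy KDF, no subgroup or point validation."""
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 prime (2048-bit), transcribed here as a stdlib-only NIKE group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 256


def nike_keygen():
    """Toy NIKE key pair: (sk, pk = g^sk mod p)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def nike_dh(sk, pk):
    """The NIKE property: nike_dh(a, g^b) == nike_dh(b, g^a)."""
    return pow(pk, sk, P).to_bytes(NBYTES, "big")


def kdf(secret, info):
    """Toy KDF (HMAC-SHA256), standing in for the RFC 9180 labeled Extract/Expand."""
    return hmac.new(b"hpke-demo-salt", secret + info, hashlib.sha256).digest()


def enc_pk(pk):
    return pk.to_bytes(NBYTES, "big")


class DHKEM:
    """A KEM built from the NIKE. This is the only interface base mode needs,
    so any KEM (a post-quantum one included) can replace it unchanged."""

    keygen = staticmethod(nike_keygen)

    @staticmethod
    def encap(pkR):
        skE, pkE = nike_keygen()
        enc = enc_pk(pkE)
        return kdf(nike_dh(skE, pkR), b"kem" + enc + enc_pk(pkR)), enc

    @staticmethod
    def decap(enc, skR):
        pkE = int.from_bytes(enc, "big")
        pkR = pow(G, skR, P)
        return kdf(nike_dh(skR, pkE), b"kem" + enc + enc_pk(pkR))


def hpke_base_send(kem, pkR, info):
    """Base mode: touches the KEM through encap() only."""
    ss, enc = kem.encap(pkR)
    return enc, kdf(ss, b"base" + info)


def hpke_base_recv(kem, enc, skR, info):
    return kdf(kem.decap(enc, skR), b"base" + info)


def hpke_auth_send(pkR, skS, pkS, info):
    """Auth mode: the sender's static key is mixed in via nike_dh(skS, pkR),
    a static-static DH that no KEM interface exposes; this is the NIKE dependence."""
    skE, pkE = nike_keygen()
    enc = enc_pk(pkE)
    dh = nike_dh(skE, pkR) + nike_dh(skS, pkR)
    ss = kdf(dh, b"auth" + enc + enc_pk(pkR) + enc_pk(pkS))
    return enc, kdf(ss, b"auth" + info)


def hpke_auth_recv(enc, skR, pkS, info):
    pkE = int.from_bytes(enc, "big")
    pkR = pow(G, skR, P)
    dh = nike_dh(skR, pkE) + nike_dh(skR, pkS)   # commutativity makes this equal the sender's
    ss = kdf(dh, b"auth" + enc + enc_pk(pkR) + enc_pk(pkS))
    return kdf(ss, b"auth" + info)


def demo():
    """Returns (base keys agree, auth keys agree, wrong sender key is rejected by mismatch)."""
    skR, pkR = DHKEM.keygen()
    skS, pkS = DHKEM.keygen()
    info = b"constructed application context"
    enc, k_send = hpke_base_send(DHKEM, pkR, info)
    k_recv = hpke_base_recv(DHKEM, enc, skR, info)
    enc2, a_send = hpke_auth_send(pkR, skS, pkS, info)
    a_recv = hpke_auth_recv(enc2, skR, pkS, info)
    _, pk_other = DHKEM.keygen()                  # receiver assumes a different sender
    a_wrong = hpke_auth_recv(enc2, skR, pk_other, info)
    return k_send == k_recv, a_send == a_recv, a_send != a_wrong


if __name__ == "__main__":
    print(demo())
```

Note that `hpke_base_send` and `hpke_base_recv` only ever call `kem.encap` and `kem.decap`, so swapping `DHKEM` for any other object with that interface needs no other change; `hpke_auth_send` instead calls `nike_dh` directly with the sender's static secret, which is exactly the operation a plain KEM cannot supply and the reason the authenticated modes need an AKEM or NIKE.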