-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kem: Use case for deterministic encapsulation #198
Comments
If there is no use case, I strongly suggest we remove it. |
The Go TLS tests require the code to be deterministic. In the case of the normal TLS code, they pass around a |
One way to hack on this is passing a random source to |
Yes, by passing a random source or optional seed to both GenerateKey and Encapsulate. I considered that, but I prefer the common interface to be as simple as possible. The user shouldn't have to think whether to pass nil or |
I really don't think exporting functions for internal tests is a good reason to impact the API. I suggest we investigate the alternative -- passing |
I'm pretty sure deterministic key generation is useful in some protocols. For instance when you're implicitly authenticating with a KEM key pair derived from a password.
It certainly is idiomatic, but I think it's bad design.
|
It's not my call, but I want to throw my support behind doing away with the While I agree with @bwesterb's point that this API is not misuse-resistant, the fact that To the point about the KEMs in CIRCL having a fixed-length seed as input: this is true of the current set of KEMs, but there are lots of reasons why KEMs might use, potentially, an unbounded number of coins. Another point in favor of using |
In that case I'm pretty sure that the designers will use SHAKE or another PRNG to derive the randomness from a single seed, as happens, for instance, in Dilithium during signing. |
That may be true, but I doubt it will be true for all KEMs that get standardized going forward. I think it's better to be general. |
@armfazh how do we want to proceed here? Can we remove the deterministic APIs? |
I propose to split the current type Scheme interface {
Name() string
GenerateKeyPair(rand io.Reader) (PublicKey, PrivateKey, error)
Encapsulate(rand io.Reader, pk PublicKey) (ct, ss []byte, err error)
Decapsulate(sk PrivateKey, ct []byte) ([]byte, error)
UnmarshalBinaryPublicKey([]byte) (PublicKey, error)
UnmarshalBinaryPrivateKey([]byte) (PrivateKey, error)
CiphertextSize() int
SharedKeySize() int
PrivateKeySize() int
PublicKeySize() int
} and type SchemeWithSeed interface {
SeedSize() int
DeriveKeyPair(seed []byte) (PublicKey, PrivateKey)
EncapsulationSeedSize() int
EncapsulateDeterministically(pk PublicKey, seed []byte) ( ct, ss []byte, err error)
} Also, it seems to me that the type seededReader struct{ seed []byte}
func (s seededReader) Read(p []byte) (n int, err error) { /* use seed os shake on seed */ } thoughts? |
I like the proposed change to |
Using a seed instead of an |
The kem interface requires deterministic encapsulation, is there a use case for this functionality?
cc: @chris-wood @bwesterb
The text was updated successfully, but these errors were encountered: