Skip to content

dhkem: should X25519DecapsulationKey impl TryDecapsulate instead of Decapsulate? #268

@rot256

Description

@rot256

In Sec 7.1.4 of RFC9180 it states that:

For X25519 and X448, public keys and Diffie-Hellman outputs MUST be validated as described in [RFC7748]. In particular, recipients MUST check whether the Diffie-Hellman shared secret is the all-zero value and abort if so.

I don't understand the need for this check (for KEM CCA2 security), but the RFC says it's a MUST.

Adding this check would make it a TryDecapsulate for X25519 which is annoying...

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions