
Use HPKE

Open commial opened this issue 1 year ago • 0 comments

Fix #211

This PR:

  • Wrap the DHKEM implementation from https://github.com/rozbb/rust-hpke
  • Add test vectors from RFC 9180 to ensure DHKEM is working as expected
  • Use DHKEM instead of the current ECIES computation in Hybrid KEM. As a result, each recipient uses a different ephemeral key, i.e. the optimization of using the same ephemeral key for every recipient has been removed. Indeed, the size gain is no longer significant compared with the size of the MLKEM encapsulated key, and the implementation is "more standard" this way
  • Implement the KeyScheduling<Mode Base> from RFC 9180 (instead of wrapping the rust-hpke one, for various reasons described in the code)
  • Add test vectors from RFC 9180 to ensure the KeyScheduling and the nonce computation are working as expected
  • Use compute_nonce from RFC 9180 to compute the nonce for each chunk in the Encrypt layer, replacing the STREAM implementation
  • Use HPKE (Hybrid KEM=0x1020, HKDF-SHA512, AES-256-GCM) to derive the key and nonce for the Encrypt layer
  • Use HPKE (Hybrid KEM-recipient=0x1120, HKDF-SHA512, AES-256-GCM) to derive the per-recipient key and nonce used in the Hybrid KEM

commial avatar Aug 05 '24 15:08 commial
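As an added illustration of the two RFC 9180 pieces the PR description lists (the mode_base KeySchedule with HKDF-SHA512/AES-256-GCM and the per-chunk ComputeNonce that replaces STREAM), here is a stand-alone Python version. It is not MLA's code and not the rust-hpke wrapper; Python is used only because its standard library provides HMAC, so HKDF can be built without dependencies. The AEAD itself is not implemented: the output is the key and base_nonce an AES-256-GCM seal would consume. The KEM identifiers 0x1020 and 0x1120 are taken from the PR description (they are MLA-specific, not RFC 9180 registry values); the shared secret and info string in `demo()` are constructed placeholders, not values from the project.

```python
import hmac

# RFC 9180 identifiers and lengths for the suite named in the PR
KDF_ID_HKDF_SHA512 = 0x0003
AEAD_ID_AES_256_GCM = 0x0002
MODE_BASE = 0x00
NK = 32  # AES-256-GCM key length (Nk)
NN = 12  # AES-256-GCM nonce length (Nn)
NH = 64  # HKDF-SHA512 output length (Nh)

# KEM identifiers as stated in the PR description (MLA-specific, assumed here)
KEM_ID_HYBRID = 0x1020            # Encrypt layer
KEM_ID_HYBRID_RECIPIENT = 0x1120  # per-recipient derivation in the Hybrid KEM


def i2osp(n, length):
    """Big-endian integer to octet string; raises OverflowError if n does not fit."""
    return n.to_bytes(length, "big")


def hkdf_extract(salt, ikm, hash_name="sha512"):
    """RFC 5869 Extract: PRK = HMAC(salt, ikm). An empty salt equals HashLen zero bytes."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha512"):
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        out += t
        counter += 1
    return out[:length]


def suite_id(kem_id):
    """suite_id = "HPKE" || I2OSP(kem_id, 2) || I2OSP(kdf_id, 2) || I2OSP(aead_id, 2)."""
    return (b"HPKE" + i2osp(kem_id, 2)
            + i2osp(KDF_ID_HKDF_SHA512, 2) + i2osp(AEAD_ID_AES_256_GCM, 2))


def labeled_extract(sid, salt, label, ikm):
    return hkdf_extract(salt, b"HPKE-v1" + sid + label + ikm)


def labeled_expand(sid, prk, label, info, length):
    return hkdf_expand(prk, i2osp(length, 2) + b"HPKE-v1" + sid + label + info, length)


def key_schedule_base(kem_id, shared_secret, info):
    """RFC 9180 KeySchedule for mode_base: returns (key, base_nonce, exporter_secret).

    The suite_id is bound into every label, so the same shared secret yields
    unrelated keys for KEM ids 0x1020 and 0x1120.
    """
    sid = suite_id(kem_id)
    psk, psk_id = b"", b""  # mode_base mandates empty PSK inputs
    psk_id_hash = labeled_extract(sid, b"", b"psk_id_hash", psk_id)
    info_hash = labeled_extract(sid, b"", b"info_hash", info)
    key_schedule_context = bytes([MODE_BASE]) + psk_id_hash + info_hash
    secret = labeled_extract(sid, shared_secret, b"secret", psk)
    key = labeled_expand(sid, secret, b"key", key_schedule_context, NK)
    base_nonce = labeled_expand(sid, secret, b"base_nonce", key_schedule_context, NN)
    exporter_secret = labeled_expand(sid, secret, b"exp", key_schedule_context, NH)
    return key, base_nonce, exporter_secret


def compute_nonce(base_nonce, seq):
    """RFC 9180 ComputeNonce: base_nonce XOR I2OSP(seq, Nn)."""
    if not 0 <= seq < (1 << (8 * NN)):
        raise ValueError("sequence number does not fit in Nn bytes")
    return bytes(a ^ b for a, b in zip(base_nonce, i2osp(seq, NN)))


class ChunkNonces:
    """Sender-side counter in the spirit of Context.Seal/IncrementSeq: one nonce
    per chunk, strictly increasing, refusing to wrap once 2^(8*Nn) nonces are used."""
    MAX_SEQ = (1 << (8 * NN)) - 1

    def __init__(self, base_nonce):
        self.base_nonce = base_nonce
        self.seq = 0

    def next_nonce(self):
        if self.seq > self.MAX_SEQ:
            raise OverflowError("MessageLimitReached: nonce space exhausted")
        nonce = compute_nonce(self.base_nonce, self.seq)
        self.seq += 1
        return nonce


def demo(chunks=3):
    """Constructed inputs (not MLA values): derive the Encrypt-layer key, then
    the nonces for the first few chunks, plus the per-recipient key for comparison."""
    shared_secret = bytes(range(64))
    info = b"constructed example info"
    key, base_nonce, _ = key_schedule_base(KEM_ID_HYBRID, shared_secret, info)
    recipient_key, _, _ = key_schedule_base(KEM_ID_HYBRID_RECIPIENT, shared_secret, info)
    nonces = ChunkNonces(base_nonce)
    return {"key": key, "recipient_key": recipient_key, "base_nonce": base_nonce,
            "chunk_nonces": [nonces.next_nonce() for _ in range(chunks)]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, list) else value.hex())
```

The point worth checking against the PR is the last two items of its list: because the suite_id (and thus the KEM id) is mixed into every LabeledExtract/LabeledExpand call, the layer key derived under 0x1020 and the per-recipient key derived under 0x1120 are independent even when fed the same shared secret, and the chunk nonce is never a stored value but base_nonce XOR the chunk index, which is what makes a repeated or skipped index detectable on the receiver side.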