Michael Rosenberg
These are fair points. Some thoughts: 1. It's entirely unclear to me how to make any iteration of this hard to misuse for an end user. Forcing small message sizes...
Also, st4d pointed me to a specification draft for this construction: https://github.com/C2SP/C2SP/pull/3
I agree ml-kem probably shouldn't be defining its own traits. I guess I'm not sure what functionality is needed by users. The primary addition I see in `SimpleKEM` is the...
I see what you mean. Though I might be missing the point on the example API and impl for X3DH you give. If you defined a function that generically created...
Ok, to sketch out a bit: we have as a starting point
```rust
pub trait signature::Keypair {
    type VerifyingKey: Clone;
    fn verifying_key(&self) -> Self::VerifyingKey;
}
```
Replacing everything with the...
I see. So iteration 2:
```rust
pub trait kem::Keypair {
    type EncapsulationKey: Encapsulation;
    type DecapsulationKey: Decapsulation;
    fn encapsulation_key(&self) -> Self::EncapsulationKey;
    fn decapsulation_key(&self) -> Self::DecapsulationKey;
}
```
Actually, by this logic,...
Thank you! It will take a bit for me to take a look at this (trying to make some paper deadlines). Re the IETF standard, hasn't that officially been standardized...
Hi, thank you for this! I played around with this and had some notes: 1. It seems like I can't get the Elligator2 tests to fail, even when they definitely...
I'm gonna spend some time this week going thru this. I really appreciate this PR @jmwample. It's been tough co-maintaining this while having a full time job. I don't know...
fwiw it's not a prime curve but we already wave this away in https://github.com/dalek-cryptography/curve25519-dalek/pull/473 by restricting to the prime order subgroup. @ycscaly thank you for the HPKE issues. I'm currently...