Specification for Kyber in GnuPG
Simon Josefsson
simon at josefsson.org
Mon May 6 17:24:06 CEST 2024
Werner Koch <wk at gnupg.org> writes:
> On Mon, 6 May 2024 17:06, Simon Josefsson said:
>
>> Thank you! As far as I can tell this doesn't strongly bind eccPublicKey
>> and mlkemPublicKey to the KEK which may complicate a security proof.
>
> Can you give a reason for this? The fingerprint binds the two public
> keys and it is an input to the key combiner.
I haven't chased the entire chain -- does it bind to the master key
fingerprint only, or to the Ecc+Kyber subkey too?
Including the public key in the KEK binding has been discussed before,
some references:
https://mailarchive.ietf.org/arch/msg/cfrg/84TUdtD0w12qFSNPpdV5ArS4-IE/
I'm not saying it is critical for security for the entire ECC+Kyber in
LibrePGP (I can't fit all of it in my head), but it makes it easier to
reason about security properties of the combiner on its own.
/Simon