@djm Then it's probably fine-ish in practice. The point remains that the combiner you are building is not IND-CCA secure. The reason for this is a subtle quirk of the IND-CCA security game that requires ciphertext collision resistance on the ciphertext. x25519 does not provide that because there are multiple representations of the same EC curve point.
In X-Wing, we also took care to use just one sha3 block, so the performance impact from mixing the PKs should be minimal.
=> More information about this toot | View the thread | More toots from kora@chaos.social
=> View djm@cybervillains.com profile