New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments on KEM traits #1508
Comments
FWIW we do use We do use I would probably suggest using |
Thanks for the detailed comments! I agree it was weird to hinge everything on |
FWIW, I think you could do something similar for the Auth- versions, something like:
|
I think Auth- even goes away if you're willing to put the identity keys in |
As part of the work to add an ML-KEM implementation, I took a look at the KEM traits in this repo (in the
kem
directory). Given that crates.io shows only a few dependents, I thought some comments might still be acceptable. Mostly fairly minor things.The core point in this API is
EncappedKey
, in the sense that that's the type that knows about all of the types involved in this KEM. That seems odd to me.Signer<S>
andVerifier<S>
, where the things the two sides need to agree on are in the generic parameters.Encapsulator<EK, SS>
andDecapsulator<EK, SS>
, since the encapsulation key and shared secret are the two things that the sender and receiver need to agree on.EK
andSS
, but these are just byte arrays.Encapsulator::try_encap
method is incorrect to take a public key argument.self
should be represent the encapsulation key, just as inDecapsulator::try_decap
,self
represents the decapsulation key.I would drop the
AuthDecapsulator
trait for now. It's inappropriate to have that without a correspondingAuthEncapsulator
trait. And AFAIK the only known implementation of these operations is DHKEM, so it doesn't seem worth generalizing right now.In
Encapsulator::try_encap
, you don't need to be generic over the RNG type, you can just take&mut impl CryptoRngCore
, as inRandomizedDigestSigner
.Unless you're going to provide an infallible version like
Signer
does (try_sign
vs.sign
), I would remove thetry_
from the encap/decap methods.I note that there are no
as_bytes
/from_bytes
methods on the traits for encapsulation / decapsulation keys. That seems consistent with other traits in this repo, but just wanted to check it was intended, since at least for encapsulation keys, one will want to ship them around.My sense is that there is a general trend toward using more functional names for keys, so for example, "verifying key" or "encapsulation key" instead of "public key" / "signing key" or "decapsulation key" instead of "private key". That seems like a pattern we should follow here, e.g., in the decapsulation key argument to
Encapsulator::try_encaps
.I would generally avoid shortening "encapsulate" and "decapsulate" for clarity. So for example
EncapsulatedKey
instead ofEncappedKey
andtry_decapsulate
instead oftry_decap
.While I'm not sure there's a really standard spelling here, the "-or" ending to
Encapsulator
andDecapsulator
looks odd to me, and inconsistent with other crates in this repo, which use "-er".Encapsulate
/Decapsulate
, in parallel withCopy
,Clone
, etc.Signer
,Verifier
,PasswordHasher
. On the other hand,Aead
,KeyInit
,Digest
,Mac
.The
kem
traits are not linked from thecrypto
façade, but this seems to not be unique.In summary, I would probably simplify this interface down to two traits:
The text was updated successfully, but these errors were encountered: