-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments on KEM traits #1508
Comments
FWIW we do use We do use I would probably suggest using |
Thanks for the detailed comments! I agree it was weird to hinge everything on |
FWIW, I think you could do something similar for the Auth- versions, something like:
|
I think Auth- even goes away if you're willing to put the identity keys in |
I think it was a mistake in retrospect for Signer to be generic. Are there any examples of any key types that implement signer in more than one way to produce different signature outputs? However, if we are going this route, I personally think the traits should be trait Encapsulator<EK> {
type SS;
} The pair I'd still prefer both of these traits though: trait Signer { type Signature; }
trait Encapsulator { type EncapsulatedKey; type SharedSecret; } This generally just helps with inference and if the types don't match it'll still compile fail. On the topic of object safety, associated types lose you nothing. Instead of dyn Encapsulator<EK, SS> You have dyn Encapsulator<EK, SharedSecret = SS> |
Note: these comments apply primarily to the Yes, it comes up all the time. Check out the There are multiple types/formats for serializing ECDSA signatures including IEEE 1363, ASN.1 DER, and types which are parameterized with an additional OID which identifies the digest algorithm used to compute the signature, not to mention it's used with a 2-tuple as a way to compute an associated RSA is a similar zoo of multitudes of signature formats. I'm not sure these concerns apply to the |
In theory, the SigningKey could be parameterised instead, and perhaps the tuple recovery key result should not even be an implementation of the trait but an inherent method. However, I concede the original point, it does have some usefulness I cannot deny |
That would preclude a (Also, this is all a bit off topic for this thread, except to contrast with KEM use cases) |
As part of the work to add an ML-KEM implementation, I took a look at the KEM traits in this repo (in the
kem
directory). Given that crates.io shows only a few dependents, I thought some comments might still be acceptable. Mostly fairly minor things.The core point in this API is
EncappedKey
, in the sense that that's the type that knows about all of the types involved in this KEM. That seems odd to me.Signer<S>
andVerifier<S>
, where the things the two sides need to agree on are in the generic parameters.Encapsulator<EK, SS>
andDecapsulator<EK, SS>
, since the encapsulation key and shared secret are the two things that the sender and receiver need to agree on.EK
andSS
, but these are just byte arrays.Encapsulator::try_encap
method is incorrect to take a public key argument.self
should be represent the encapsulation key, just as inDecapsulator::try_decap
,self
represents the decapsulation key.I would drop the
AuthDecapsulator
trait for now. It's inappropriate to have that without a correspondingAuthEncapsulator
trait. And AFAIK the only known implementation of these operations is DHKEM, so it doesn't seem worth generalizing right now.In
Encapsulator::try_encap
, you don't need to be generic over the RNG type, you can just take&mut impl CryptoRngCore
, as inRandomizedDigestSigner
.Unless you're going to provide an infallible version like
Signer
does (try_sign
vs.sign
), I would remove thetry_
from the encap/decap methods.I note that there are no
as_bytes
/from_bytes
methods on the traits for encapsulation / decapsulation keys. That seems consistent with other traits in this repo, but just wanted to check it was intended, since at least for encapsulation keys, one will want to ship them around.My sense is that there is a general trend toward using more functional names for keys, so for example, "verifying key" or "encapsulation key" instead of "public key" / "signing key" or "decapsulation key" instead of "private key". That seems like a pattern we should follow here, e.g., in the decapsulation key argument to
Encapsulator::try_encaps
.I would generally avoid shortening "encapsulate" and "decapsulate" for clarity. So for example
EncapsulatedKey
instead ofEncappedKey
andtry_decapsulate
instead oftry_decap
.While I'm not sure there's a really standard spelling here, the "-or" ending to
Encapsulator
andDecapsulator
looks odd to me, and inconsistent with other crates in this repo, which use "-er".Encapsulate
/Decapsulate
, in parallel withCopy
,Clone
, etc.Signer
,Verifier
,PasswordHasher
. On the other hand,Aead
,KeyInit
,Digest
,Mac
.The
kem
traits are not linked from thecrypto
façade, but this seems to not be unique.In summary, I would probably simplify this interface down to two traits:
The text was updated successfully, but these errors were encountered: