Re: [CFRG] compact representation and HPKE
John Mattsson <john.mattsson@ericsson.com> Wed, 10 February 2021 11:59 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1F9F3A0E04 for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2021 03:59:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.25
X-Spam-Level:
X-Spam-Status: No, score=-2.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9AsGfEbGwJQk for <cfrg@ietfa.amsl.com>; Wed, 10 Feb 2021 03:59:46 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2076.outbound.protection.outlook.com [40.107.22.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7977F3A0E07 for <cfrg@irtf.org>; Wed, 10 Feb 2021 03:59:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AYTK7/2AcClL7YKzgT4dn6AIaPRk0Rqobs1wCLdMEQUPpyyB+b2X81e7xRLS7YJUxvWkPNvlvpWZnC4IWJX5reCli/zTpTcRL+W1JHtisvRJxBAHJYlMHpRUsgKyMxAwK+HeO86kUlrAVoaRfEdc3AMPoiiJ9oUrTITJCfWIvwmeEuXmnwT/vWgtj/AzhOfRCIH0STamprsrumVvfYcHbGMhWkfYObogPrSQUggfBOVhWlz9jJwLndPvLuBx17diqf/ekjrOIwmDflPSPBuNH7c1inNyNZGgamtgD5yBF8CFCLAgSAzzTvjN3cSZQ93wLRpZCbR0zTX7sfcbEI773A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N8D9ndnT5uIUxqv08eYcnfr8+M3Bg6MGu4VqUIw7mxU=; b=OUej8qN0XRMwzh1GQ8FX4yD5lvNeh5jL0Y1ZZdL335alT1oGasTJTmEGi5vbxCTObswfxO3DfxeZDrR0Zk0fuRZ+F+3q7ymHcSBK4h4fxovd/meYqyL3oL7VXunSimVWLVrrqmasZ3e+64Tk+qRGrhA4I3y0iAFRXGglFj6Xq0YmkObLFnbNGpiTnenpD6RKp5FwyvwamJtEt9GXTEd5viDUgucrH+eZGf8VoBK6Q81a6vzsK67qwDhNK6zv6ruyC9b2ONLsmAIt+ceeL9+DP1z/nsfT3811kXKxr/ruas9x71EXgeZIudket/kGNV8iijq4VmUwSNVQ/LvrvKOCRg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N8D9ndnT5uIUxqv08eYcnfr8+M3Bg6MGu4VqUIw7mxU=; b=ViIHYzLoKAulU8CVA0ph7jvzmSNmjJLQBOdmRrxzxuLhFqwZY4dl3FeY9K9HdbTtXB0RE/km+351RBGLhOq/+rS587oSHZd12DIhDY4my3PToLzvFBcrQmqwcanqqWyNxyWn7t8LjmVLDAbGt3XZwMHC23fCoc9MqF5PeEXj4J4=
Received: from (2603:10a6:3:4b::8) by HE1PR07MB3083.eurprd07.prod.outlook.com (2603:10a6:7:2f::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3805.15; Wed, 10 Feb 2021 11:59:41 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268%11]) with mapi id 15.20.3846.027; Wed, 10 Feb 2021 11:59:41 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Dan Harkins <dharkins@lounge.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] compact representation and HPKE
Thread-Index: AQHWtHd/qk8nkHIbjU6W/w1XmEnRGqm7tdKA///3AYCAABDDgIAAF8eAgJOZBwCAAoHdgA==
Date: Wed, 10 Feb 2021 11:59:41 +0000
Message-ID: <7A10C0C6-CEBB-496C-9264-63D7153DC3A7@ericsson.com>
References: <0fcfb0ed-249b-7cd3-09ba-ed1c73122383@lounge.org> <4C4DE4EC-1A5B-48F5-871E-B7D323EF63D5@ericsson.com> <CAL02cgQFGcWjpFV1nFVg2T3aCat6U-uuzUQ_YsUYLHvQq+ZuiQ@mail.gmail.com> <5C12F8B7-99E2-40DA-8A3C-8930E652C77F@shiftleft.org> <99c28b97-332d-af67-0895-a1bd251153bb@lounge.org> <934cbf19-1e16-24cd-7442-85fb8d41fcb1@lounge.org>
In-Reply-To: <934cbf19-1e16-24cd-7442-85fb8d41fcb1@lounge.org>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
authentication-results: lounge.org; dkim=none (message not signed) header.d=none;lounge.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0e8f08ca-8e98-455b-ef61-08d8cdbb598f
x-ms-traffictypediagnostic: HE1PR07MB3083:
x-microsoft-antispam-prvs: <HE1PR07MB30831ACE1274FD9E13C95EE5898D9@HE1PR07MB3083.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3qhO1XW6zDnj20DGz1CbMA6yWJVeYOf/AoRpqlRQWzK5TIgejn9CmOnUcXcU0bNQRnZSXLki/RDh14NY1BnzUvrS85nh6w8ZYb4YO8pUbFjcn5nnkHoJSHUiE/xuPplOM+kvjhTOdtOe55ZJlh5CJkVW/DA+YkbkK9Mu0MII+imY08NioGarHiwR8OlhTqqlCxa8pt3i/jHKY5q8QkCjXSfODtJLfH02PsCtDDUCKc+ZuiI3DXjvXLn9Rkgyno/PaxiC9Xq0bepITitth0f4tQF2WKV4ONcyU2miDtFTRIqRsSdwE83MaWafl4HeTcZxamPzk/a14W7h+l4t0KdPZ0wyR91S9IqaKFSwrBq0LHlRY1Y77NpkORT6GF7wMrsn9YAYMVt6uf9Domy/Gob94qshJrafh5dQMzlCGIjuy4zZ+SPdp7sK650mqA7cFD4wtjAQY8HpwHSt+E+6fwqWt6dzc6iaAUvI9seL7mbIawqDdM9oSM7hoFBWifmCBPiGwg1fn/G8IRG29u5QnjsK7Jipr8BP55GapQvqzpiHYMGLhZLicrx/G/Ox8Bt8lSDKKmjOPiGJ6l8razG80otSsFoT3wOBNN5Oh/Gi9S29tQRnkDgThIQauu2lbVmOKAVanfvxUE+WuJ6klto3oswtxyZTXlKsYTrfn+bsAGD58M8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(376002)(39860400002)(136003)(366004)(166002)(66476007)(66946007)(2906002)(5660300002)(66446008)(6506007)(36756003)(76116006)(83380400001)(316002)(6486002)(71200400001)(8676002)(110136005)(66556008)(44832011)(86362001)(8936002)(478600001)(186003)(64756008)(53546011)(966005)(6512007)(33656002)(2616005)(26005)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Xz2HSTnJT8D4+lJEwJi2zYD8aeGbwxKiH/46WxiZMhlAc//DcplucKxj9Ox04fymRDTP1M1J/4WgPriSs2Ab4nqDDzTLufohTyxaKTxlmyFyoSrQ9ktRGXs/HnS+ld/SDzZ12yHj/8xDKRtUC57jJN1g+8Z4pOCPMtjoCI3CnqzQ/SizFNrZ36fu21YXNdSK7HA79fVrT0lMep7kaueHqpkB3/ecks0S0rDi+Xk9qy3tuqTq2mrnsegzHdqfBKaBq+nlAAyWWhwJEfwWRLaGehu2/5H28SY0dimwUzLagsiAs8Yvn5xOcK53cSy8uh7hzVWI5tsBpjM3ZA1XNSF7Ee0LySD4DT3QMK/+9zJFPQngiZ1pxsALq1SwmkvSzMzcAsrIzZzXcfgASP4EWuCpkGsSJ14bZfA1NzNMGF1pEpDU6rP0j8AvkZLOwWdQglbwfDH0MfSh6FLiACtH6Td2z9ITFmTT8gPOYxOHx8b9ESFI/zpf17QQxda0IGoWJhQtIdj1Zn5eldGLMnwcr+WNKlki4nmvs/tSBNg+zgESp+JEayF8SSH3Gz0K/mbcgWEWdAblBQ29RsAAnIMlPPcR9LsIW8pv6W4jJYYToZ1/Xo2+wKBmNJ1PfcMnTbPtrW5FwCbRDhmbcdTobWis6+O1roq9jCcm2w/Cjxpl9uTUs/HXeSXgoPW1a2qwf3PDWt9VaYSMiUkK0SK7lr9tWT2euxKjGPYaiWWRgzRQtQUnTSDcYklqCMzd6jPyR8xKtKEjyv9ZvrnDLdrX0YPAvl79STiqiE68CYLPLa4HS+RKpWECS/011f8xNPntyYVoC1RBRzSPrWVKSMeG+ofPeaPD5G1Lf+7zs8iR1TyH501hV0b/xPWpcGBvAizJx4bIOazEeZW86y4STP3yK2FN/IShfczPeGgN8jOe3flKv191LinCvZK/0yzFxWlY8BSht7T9cDli4O1CS9O/+0gN13fMi9XVYVy5rO6QVbo1xAd90WHMvmde5UHQwjbZwSc79UFRulc0Ra1nekotfHqmbtt/mb372rcex28zBb2tdH+FJ9fnV8YvT8cP+TnXaOrJaLGV/oHKGh4RGQzn/Um9pcRoDo7P0m2sbCeZbFTsqi7WBKx3XsE4VVRiKpnEAAPAcTEMhvXcHaPyY3t0VQgN41irpeuA8/SsC+S9mfnDtUMy5nDp1eoVmK05B05j7n1RHrrUkEr4Ge8LhJtwr6+brxNV8FbW+Q/tikBD/g+IMfCu8BKL7zUTKpeFwNohDiT53UZL57iXdSVdguy13KKo5jtXGwMyaj1dWKNJZvBcyaotoKJ9hEXdWu5fH28w6JTJQwvK
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_7A10C0C6CEBB496C926463D7153DC3A7ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0e8f08ca-8e98-455b-ef61-08d8cdbb598f
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2021 11:59:41.7289 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Vma8WteyckMVOb4U0N6BdjyWc1wXVvuQ/+l/Xojx3eNpgW3aa0NdLx5jbeupF6ocUM7Ehdo4gtHnuQszvZk8la742KzDU1Nb0SQSZ9tu4yo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3083
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zj4UoJwoDJ3r5NdIwRRwhMNAd4Y>
Subject: Re: [CFRG] compact representation and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2021 11:59:51 -0000
Great work Dan. I strongly think this is the way to go. Forcing implementations to calculate a not needed y-coordinate would be strange. Cheers, John From: CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins <dharkins@lounge.org> Date: Monday, 8 February 2021 at 23:42 To: "cfrg@irtf.org" <cfrg@irtf.org> Subject: Re: [CFRG] compact representation and HPKE Hello again, I'd like to resurrect this before it becomes "it's too late to make changes that affect the wire". I created a pull request on github some time ago but it's been ignored so let me try again here (we still technically do our work on mailing lists). When I brought it up initially there was a +1 and, as Mike notes, the y-coordinate is not needed. This 04 || x || y format for a key is just some ancient Certicom proposal and there's really no reason to perpetuate that. The y-coordinate is extraneous. Getting rid of it for the NIST curves will make the API much cleaner and consistent. This will reduce the size of the serialized public key by more than 50% and for apps that care about such things this would be a tremendous improvement. Richard noted that one can lop off the 04 and the y-coordinate after serialization and pass x alone as part of the app using HPKE and then have the other size reconstruct it (with either y since the sign doesn't matter) before passing it on to be deserialized. While technically true, that completely defeats the whole point of formalizing this process. In my pull request I noted that it does change the test vectors and that I would be happy to generate them. Well, I did it. I have new test vectors (based on -07) and will happily contribute them if asked. If the test vectors get changed again (with a new version string) I can reproduce new ones minus the y-coordinate in a matter of minutes. Please consider this request. There is no downside to it. regards, Dan. On 11/6/20 4:44 PM, Dan Harkins wrote: Yes, this is exactly right. The y-coordinate is not needed for these KEMs as the sign is unimportant. The spec will be simpler and the interface more uniform if you do this. The whole point of HPKE is to make a callable API out of this process that had been done ad hoc. Requiring a app that is taking advantage of this API to take the output of the API and parse through it, throwing away one half of one of the output strings and lopping off the first octet, is defeating the whole purpose and is expecting a lot. The more this is a black box the better. regards, Dan. On 11/6/20 3:19 PM, Mike Hamburg wrote: Hello Richard, I haven’t paid much attention to HPKE, so it’s likely I’m missing something here, but why not use the x-only Montgomery ladder on NIST curves? That’s the fastest and simplest approach, and it can operate with or without the y-coordinates. Also, some implementations do not compute both the x- and y-coordinates, and it would be more convenient not to compute or send even a sign bit if you’re intending to use an x-only ladder. Cheers, — Mike On Nov 6, 2020, at 10:19 PM, Richard Barnes <rlb@ipv.sx<mailto:rlb@ipv.sx>> wrote: Nothing about this says that you have to *send* the keys uncompressed. You can use whatever representation you want on the wire. You just have to decompress them before you put them into the key schedule. Which you're probably doing anyway, because you need both coordinates to do point multiplication with these curves. So I am inclined not to make this change. --Richard On Fri, Nov 6, 2020 at 4:52 PM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote: +1 Sending the keys uncompressed makes HPKE unsuitable for constrained IoT. -----Original Message----- From: CFRG <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> on behalf of Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>> Date: Friday, 6 November 2020 at 21:00 To: CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>> Subject: [CFRG] compact representation and HPKE Hello, When doing a DH-based KEM with the NIST curves, HPKE specifies that SerializePublicKey and DeserializePublicKey use the uncompressed format from SECG. This ends up using 2*Ndh+1 octets to represent the serial form of the public key. Since compact output is being used in DH-based KEMs-- that is, the secret result of DH() is the x-coordinate of the resulting EC point-- it would also be possible to use compact representation (per RFC 6090) and have SerializePublicKey merely do integer-to-octet string conversions of the x-coordinate. DeserializePublicKey would then do octet string-to-integer conversion for the x-coordinate and use the equation of the curve to choose the y-coordinate. The sign isn't important because we're doing compact output. This would make the interface for the NIST curves and the Bernstein curves be uniform-- Serialize would produce an octet string of Ndh and Deserialize would consume an octet string of Ndh-- at the cost of some CPU inside DeserializePublicKey. Please consider this suggestion. regards, Dan. -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://protect2.fireeye.com/v1/url?k=513cd874-0ea7e231-513c98ef-867b36d1634c-ce26b08a2499b9a3&q=1&e=4f2b4ce0-8d52-4a80-b41e-0f7537355d35&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=8e4205de-d1d93cdc-8e424545-869a14f4b08c-465b9e5abce36ec9&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg> _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=7a0c280b-25971109-7a0c6890-869a14f4b08c-9306a6e8c390632d&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg> _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=66576edf-39cc57dd-66572e44-869a14f4b08c-8204a953b7ece8f9&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg> -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=9c603329-c3fb0a2b-9c6073b2-869a14f4b08c-2a44603a4c6091cb&q=1&e=a61452db-e5d8-46d2-b87b-d0f281c2fac8&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg> -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Richard Barnes
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Michael Scott
- Re: [CFRG] compact representation and HPKE Michael Scott
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Benjamin Beurdouche
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Loup Vaillant-David
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Christopher Wood
- Re: [CFRG] compact representation and HPKE Paul Hoffman
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Andrey Jivsov
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Loup Vaillant-David
- Re: [CFRG] compact representation and HPKE Salz, Rich
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Stephen Farrell
- Re: [CFRG] compact representation and HPKE Peter Gutmann
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Benjamin Lipp
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE Mike Hamburg
- Re: [CFRG] compact representation and HPKE Salz, Rich
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Karthik Bhargavan
- Re: [CFRG] compact representation and HPKE Richard Barnes
- Re: [CFRG] compact representation and HPKE Eric Rescorla
- Re: [CFRG] compact representation and HPKE Benjamin Beurdouche
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Billy Brumley
- Re: [CFRG] compact representation and HPKE Stanislav V. Smyshlyaev
- Re: [CFRG] compact representation and HPKE Dan Harkins
- Re: [CFRG] compact representation and HPKE Stanislav V. Smyshlyaev
- Re: [CFRG] compact representation and HPKE John Mattsson
- Re: [CFRG] compact representation and HPKE denis bider