Update draft-connolly-cfrg-xwing-kem.md
dconnolly authored Nov 29, 2023
1 parent db395fc commit b6184a3
Showing 1 changed file with 17 additions and 7 deletions.
24 changes: 17 additions & 7 deletions draft-connolly-cfrg-xwing-kem.md
Expand Up @@ -399,15 +399,25 @@ TODO.

# Security Considerations {#secc}

Informally, X-Wing is secure if SHA3 is secure, and either
X25519 is secure, or ML-KEM-768 is secure.
Informally, X-Wing is secure if SHA3 is secure, and either X25519 is secure, or ML-KEM-768 is secure.

More precisely, if SHA3-256 and SHAKE256 may be modelled as a random oracle,
then the IND-CCA2 security of X-Wing
is bounded by the IND-CCA2 security of ML-KEM-768,
and the gap-CDH security of Curve25519, see TODO.
More precisely, if SHA3-256 and SHAKE256 may be modelled as a random oracle, then the IND-CCA2 security of X-Wing is bounded by the IND-CCA2 security of ML-KEM-768, and the gap-CDH security of Curve25519, see TODO.


X-Wing relies on the internal contruction of its cryptographic components, and assumes:

- ML-KEM commits to the public key when computing the shared secret

- ML-KEM is IND-CCA2 secure

- X25519 is gap-CDH secure

- MK-KEM is collision-resistant (link to proof sketch later)

- SHAKE/SHA3 is used as the combiner which allows us to not need an HMAC construction

Because of these properties, unlike a generic hybrid KEM combiner of IND-CCA KEM components, X-Wing does not need to to commit to the ML-KEM ciphertext to achieve IND-CCA security, and as long as X25519 OR ML-KEM768 remains secure, X-Wing remains IND-CCA2 secure.

TODO expand

# IANA Considerations
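Review bot: the new assumption list names the wrong primitive in one bullet and carries several spelling slips that should be fixed before this lands. "MK-KEM is collision-resistant (link to proof sketch later)" should read "ML-KEM", "internal contruction" should be "construction", "does not need to to commit" doubles "to", and "ML-KEM768" in the closing paragraph should match the "ML-KEM-768" spelling used in the two sentences above it. The security argument is also left without a reference in two places: the bound on IND-CCA2 security ends in "see TODO" and the collision-resistance bullet defers to a proof sketch "later"; both should point at the same forthcoming proof so the bulleted assumptions and the "More precisely" paragraph are visibly the same claim. Finally, the bullet "SHAKE/SHA3 is used as the combiner which allows us to not need an HMAC construction" states the conclusion but not the property of SHA3 being relied on; one clause saying why a keyed-hash construction is unnecessary here would make the assumption checkable.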
