RFR: 8325448: Hybrid Public Key Encryption [v20]

Weijun Wang weijun at openjdk.org
Thu Aug 28 11:57:53 UTC 2025


On Wed, 27 Aug 2025 20:00:54 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> > Hi Sebastian, the API you suggested is only the KEM step, and it should be made internal inside HPKE.
> > At the end of the day, HPKE is still a cipher. I understand the key encapsulation message (aka, KEM ciphertext) is different from a traditional IV, but they share some key characteristics: 1) generated by the sender after initialization, 2) cryptographically random, 3) then made public, 4) has critical impact on encryption result.
> 
> To avoid some of this potential confusion, I think it could help to expand on the description of `Cipher.getIV()` to describe this new use case for IV, something like changing this sentence:
> 
> "This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password."
> 
> to:
> 
> "This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password, or in the case of HPKE (Hybrid Public Key Encryption) where IV contains the encapsulation of the KEM shared secret."

Good idea. Somehow I hesitate to update the base spec directly. Shall we put the whole paragraph into an `@apiNote`? A similar paragraph also appears in `CipherSpi::engineGetIV`.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18411#issuecomment-3233196620


More information about the security-dev mailing list