cloudflare · armfazh · Jun 28, 2022 · Jun 27, 2022
diff --git a/kem/hybrid/hybrid.go b/kem/hybrid/hybrid.go
@@ -13,6 +13,21 @@
 // deterministically, we expand a single seed to both using SHAKE256,
 // so that a non-uniform seed (such as a shared secret generated by a hybrid
 // KEM where one of the KEMs is weak) doesn't impact just one of the KEMs.
+//
+// Of our XOF (SHAKE256), we desire two security properties:
+//
+// 1. The internal state of the XOF should be big enough so that we
+// do not loose entropy.
+// 2. From one of the new seeds, we shouldn't be able to derive
+// the other or the original seed.
+//
+// SHAKE256, and all siblings in the SHA3 family, have a 200B internal
+// state, so (1) is fine if our seeds are less than 200B.
+// If SHAKE256 is computationally indistinguishable from a random
+// sponge, then it affords us 256b security against (2) by the
+// flat sponge claim [https://keccak.team/files/SpongeFunctions.pdf].
+// None of the implemented schemes claim more than 256b security
+// and so SHAKE256 will do fine.
 package hybrid
 
 import (
@@ -92,9 +107,6 @@ func (sch *scheme) SeedSize() int {
  if first > second {
  ret = first
  }
- if ret > 32 {
- panic("SeedSize too big for SHAKE256")
- }
  return ret
 }
 
@@ -113,9 +125,6 @@ func (sch *scheme) EncapsulationSeedSize() int {
  if first > second {
  ret = first
  }
- if ret > 32 {
- panic("EncapsulationSeedSize too big for SHAKE256")
- }
  return ret
 }
 

diff --git a/kem/schemes/schemes_test.go b/kem/schemes/schemes_test.go
@@ -62,6 +62,9 @@ func TestApi(t *testing.T) {
  t.Fatal()
  }
 
+ _ = scheme.SeedSize()
+ _ = scheme.EncapsulationSeedSize()
+
  pk, sk, err := scheme.GenerateKeyPair()
  if err != nil {
  t.Fatal()