The current spec cherry-picks a KEM from HPKE, which may lead to domain separation problems. Also the key derivation may be simplified by using hash_to_curve like for BL.
Some other standards apply HPKE by applying Context.Export directly after SetupBase, accepting the overhead of hashing an extra time.
NIST has just published SP800-227: Recommendations for Key-Encapsulation Mechanisms.
Possibly we need to reconsider and/or add a rationale to the spec.
The current spec cherry-picks a KEM from HPKE, which may lead to domain separation problems. Also the key derivation may be simplified by using hash_to_curve like for BL.
Some other standards apply HPKE by applying Context.Export directly after SetupBase, accepting the overhead of hashing an extra time.
NIST has just published SP800-227: Recommendations for Key-Encapsulation Mechanisms.
Possibly we need to reconsider and/or add a rationale to the spec.