Package hybrid defines several hybrid classical/quantum KEMs.
KEMs are combined by simple concatenation of shared secrets, ciphertexts,
public keys, etc.; see
https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
Note that this is only fine if the shared secret is used in its entirety
in a subsequent step, such as being hashed or used as a key.
For deriving a KEM keypair deterministically and encapsulating
deterministically, we expand a single seed to both using SHAKE256,
so that a non-uniform seed (such as a shared secret generated by a hybrid
KEM where one of the KEMs is weak) doesn't impact just one of the KEMs.
Of our XOF (SHAKE256), we desire two security properties:
(1) The internal state of the XOF should be big enough so that we
do not lose entropy.
(2) From one of the new seeds, we shouldn't be able to derive
the other or the original seed.
SHAKE256, and all siblings in the SHA3 family, have a 200B internal
state, so (1) is fine if our seeds are less than 200B.
If SHAKE256 is computationally indistinguishable from a random
sponge, then it affords us 256b security against (2) by the
flat sponge claim [https://keccak.team/files/SpongeFunctions.pdf].
None of the implemented schemes claim more than 256b security
and so SHAKE256 will do fine.
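An added illustration, not circl's own code, of the two pieces described above: one seed expanded with SHAKE256 into a seed per component KEM, and the concatenation combiner with the whole combined shared secret fed into a KDF. The component sizes (KEM_A, KEM_B) are constructed for the example and the helpers are hypothetical.

```python
import hashlib

# Constructed sizes for two hypothetical component KEMs (any fixed sizes work).
KEM_A = {"pk": 32, "ct": 32, "ss": 32}
KEM_B = {"pk": 64, "ct": 48, "ss": 32}


def expand_seed(seed: bytes, lengths: tuple[int, ...]) -> list[bytes]:
    """Derive one seed per component KEM from a single seed via SHAKE256.

    A seed shorter than the 200-byte SHA3 state fits inside it, so no entropy
    is lost (property 1); each output slice is squeezed from the same state,
    so one slice gives no handle on the others or on the input (property 2).
    """
    if not 0 < len(seed) < 200:
        raise ValueError("seed must be non-empty and shorter than 200 bytes")
    stream = hashlib.shake_256(seed).digest(sum(lengths))
    seeds, off = [], 0
    for n in lengths:
        seeds.append(stream[off:off + n])
        off += n
    return seeds


def concat(parts: list[bytes], sizes: list[int], what: str) -> bytes:
    """Combine component values by concatenation, checking each fixed size."""
    for p, n in zip(parts, sizes):
        if len(p) != n:
            raise ValueError(f"{what}: expected {n} bytes, got {len(p)}")
    return b"".join(parts)


def split(blob: bytes, sizes: list[int]) -> list[bytes]:
    """Inverse of concat: slice a combined value back into fixed-size parts."""
    if len(blob) != sum(sizes):
        raise ValueError("combined value has wrong length")
    parts, off = [], 0
    for n in sizes:
        parts.append(blob[off:off + n])
        off += n
    return parts


def derive_key(combined_ss: bytes, context: bytes, key_len: int = 32) -> bytes:
    """Consume the entire concatenated shared secret in the next step.

    Concatenation is only sound when the whole secret is used; hashing it
    together with a context string yields a key that depends on both halves.
    """
    return hashlib.shake_256(context + combined_ss).digest(key_len)
```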