2021.05.04 14:58:41 (1389565140714999811) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389525179186008064):
Combining hashed DH with a cipher is an extra source of complexity, certainly, and is another example where a lot of work has gone into improving robustness. For example, zero-padding and then applying a wide-block cipher _doesn't_ have the same fragility as a MAC equality test.
2021.05.03 23:37:01 (1389333197180260358) from "Luca De Feo (@luca_defeo)":
I believe you express 2 controversial opinions here: 1. "Well designed curves are secure without point validation". It is known this leads to subtle failures, e.g.: https://www.getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html 2. "Hashed DH doesn't need a [CCA proof]". Do I have to explain why this is controversial?
2021.05.04 06:56:37 (1389443827006545922) from Daniel J. Bernstein, replying to "Luca De Feo (@luca_defeo)" (1389333197180260358):
The crazy leap from "DH is secure" to "every protocol is secure" certainly causes real-world failures. This doesn't mean there's anything controversial about the security of DH. It also doesn't at all support the claim of SIKE's extra complications being easy/cheap to protect.
2021.05.04 07:06:27 (1389446302136635395) from Daniel J. Bernstein:
As for proofs, https://eprint.iacr.org/1999/007 proves (pre-quantum) DH CCA security under a standard-model assumption that has resisted extensive cryptanalysis for typical curves and hash functions. Saying the assumption follows from DDH in the ROM is wildly understating how solid it is.
2021.05.04 12:19:53 (1389525179186008064) from "Luca De Feo (@luca_defeo)":
This is a proof of CCA security of hybrid encryption: way more complicated (and prone to side channels, following your arguments) than your hashed DH KEM. To reject invalid ciphertexts you need to verify a MAC: contradicts your claim of no invalid input checks in ECC.