Why not RSA? #56

Closed
JonathanWilbur opened this issue Nov 26, 2023 · 3 comments

Comments

@JonathanWilbur

Forgive my ignorance. I am not a cryptographer by trade. But I believe RSA could be used as a KEM in the abstract. I noticed that RFC 9180 does not list it as a registered KEM. I thought this was weird, since RSA is by far the most common public key type in X.509 PKI. Just wondering if this could be implemented at all.

@tarcieri

Speaking as a maintainer of the rsa crate, it's very, very difficult to implement RSA in constant-time. See the recent Marvin Attack (which the rsa crate is still vulnerable to, see RustCrypto/RSA#19).

Elliptic curves, especially with modern complete formulas, are significantly easier to implement in constant-time.

@rozbb
Owner

rozbb commented Nov 26, 2023

Totally valid question. Indeed, RSA would be a perfectly fine key encapsulation mechanism for HPKE (barring some of the implementation difficulties Tony brings up). The reason it's not implemented here is simply because nobody (to my knowledge) has drafted a proposal for a protocol extension.

If someone did, we could reasonably implement it and keep it in an unstable branch (like the current k256 and xyber branches) until it's finalized. Does that answer the question?
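Added illustration, not part of the thread and not code from this project or from RFC 9180 (which registers no RSA KEM): a textbook RSA-KEM exposing the `Encap`/`Decap` shape an HPKE KEM has. The toy key, the SHA-256 KDF with its label, and every function name are assumptions made for this example.

```python
import hashlib
import secrets

# Constructed toy key built from two Mersenne primes. Far too small and too
# structured for real use; it only keeps the example self-contained.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
N_LEN = (N.bit_length() + 7) // 8      # length of an encapsulated key in bytes


def kdf(r: int, enc: bytes) -> bytes:
    """Derive a 32-byte shared secret from the random value r.

    Assumption: plain SHA-256 over a hypothetical label, r and the ciphertext.
    """
    return hashlib.sha256(b"toy-rsa-kem" + r.to_bytes(N_LEN, "big") + enc).digest()


def encap(n: int = N, e: int = E):
    """Sender side: returns (shared_secret, enc)."""
    r = secrets.randbelow(n - 2) + 2   # uniform in [2, n-1]
    enc = pow(r, e, n).to_bytes(N_LEN, "big")
    return kdf(r, enc), enc


def decap(enc: bytes, n: int = N, d: int = D) -> bytes:
    """Recipient side: recovers the shared secret from enc."""
    if len(enc) != N_LEN:
        raise ValueError("wrong encapsulation length")
    c = int.from_bytes(enc, "big")
    if c >= n:
        raise ValueError("encapsulation out of range")
    # There is no padding to check here, but Python's big-integer pow() is
    # not constant-time, so the private-key operation itself is exactly the
    # kind of step the constant-time concern in this thread applies to.
    r = pow(c, d, n)
    return kdf(r, enc)


if __name__ == "__main__":
    secret, enc = encap()
    print(decap(enc) == secret)
```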

@JonathanWilbur
Author

Yes it does. Thank you! Closing.
