9. Security Considerations

9. Security Considerations

9.1 Security Properties

• 9.1.1 Key-Compromise Impersonation
• 9.1.2 Computational Analysis
• 9.1.3 Post-Quantum Security

9.2 Security Requirements on a KEM Used within HPKE

• 9.2.1 Encap/Decap Interface
• 9.2.2 AuthEncap/AuthDecap Interface
• 9.2.3 KEM Key Reuse

9.3 Security Requirements on a KDF

9.4 Security Requirements on an AEAD

9.5 Pre-Shared Key Recommendations

9.6 Domain Separation

9.7 Application Embedding and Non-Goals

• 9.7.1 Message Order and Message Loss
• 9.7.2 Downgrade Prevention
• 9.7.3 Replay Protection
• 9.7.4 Forward Secrecy
• 9.7.5 Bad Ephemeral Randomness
• 9.7.6 Hiding Plaintext Length

9.8 Bidirectional Encryption

9.9 Metadata Protection