
Composite KEM does not fully protect against implementation errors in ML-KEM #91

Open
ounsworth opened this issue Nov 9, 2024 · 1 comment · May be fixed by #101

Comments

@ounsworth
Contributor

See comment from Peter C:

https://mailarchive.ietf.org/arch/msg/spasm/Fq06ghviNMejesJNR4XzP5x0ecI/

@ounsworth
Contributor Author

ounsworth commented Jan 5, 2025

The referenced document is BSI TR-2012-1, which chains to the CatKDF defined in ETSI TS 103 744, which is:

Input:
  psk - a secret key. It may be present. If not present this value shall be the empty octet string, ∅.
  (k1, k2, …, kn) - n-tuple of octet strings containing shared secrets ki, exchanged through a hybrid key exchange, see Figure 4.
  MA, MB - octet string of a pair of exchanged messages in establishment of the shared secrets ki.
  context - octet string context set by the instance of the key exchange transaction - this may include a transcript of additional exchanged messages.
  label - an octet string that specifies a separation of use for the application or instance of the key exchange. Any labels used in the key exchange should not be provided as an argument to the same hash function for another purpose in the application.
  length - the length in octets of the derived key material key_material.
Process:
  1) Form secret = psk || k1 || k2 || … || kn.
  2) Set f_context = f(context, MA, MB), where f is a context formatting function.
  3) key_material = KDF(secret, label, f_context, length).
  4) Return key_material.
Output:
  key_material - derived key material.

CatKDF does not include the public keys, but it does include both ciphertexts.

Peter C also makes a good point about the intro text. I'll adjust that. And I'll add a note about BSI / ETSI CatKEM.
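The CatKDF procedure quoted in the comment above, as an added example in Python. This is not code from the composite KEM draft, from ETSI TS 103 744, or from the commenter. The context formatting function f (length-prefixed concatenation) and the KDF instantiation (HKDF-SHA256 with the label as salt and f_context as info) are assumptions of this example; ETSI TS 103 744 specifies its own choices. All shared secrets, ciphertexts and public keys are constructed stand-ins, not real KEM outputs. Following the comment's reading of CatKDF, MA and MB carry the two component ciphertexts. The demo shows the security point at issue: a change in a ciphertext changes key_material even when the shared secrets do not (the binding that helps against a decapsulation that ignores part of its ciphertext), while public keys only enter the derivation if the caller places them in context.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ..."""
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def f_context(context: bytes, ma: bytes, mb: bytes) -> bytes:
    """Assumed context formatting function f: 4-byte big-endian length prefix on each field,
    so that (context, MA, MB) cannot be re-split into a different triple."""
    out = b""
    for part in (context, ma, mb):
        out += len(part).to_bytes(4, "big") + part
    return out


def kdf(secret: bytes, label: bytes, fctx: bytes, length: int) -> bytes:
    """Assumed KDF instantiation: HKDF-SHA256, label as salt, f_context as info."""
    return hkdf_expand(hkdf_extract(label, secret), fctx, length)


def cat_kdf(shared_secrets, ma: bytes, mb: bytes, context: bytes = b"",
            label: bytes = b"", psk: bytes = b"", length: int = 32) -> bytes:
    """CatKDF as quoted above: secret = psk || k1 || ... || kn, then KDF over f(context, MA, MB).
    An absent psk is the empty octet string, matching the spec text."""
    secret = psk + b"".join(shared_secrets)
    return kdf(secret, label, f_context(context, ma, mb), length)


def demo() -> dict:
    """Show what CatKDF binds and what it does not. Every value here is constructed."""
    k_trad = hashlib.sha256(b"constructed traditional shared secret").digest()
    k_pq = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
    ct_trad = hashlib.sha256(b"constructed traditional ciphertext").digest()
    ct_pq = hashlib.sha256(b"constructed ML-KEM ciphertext").digest()
    label = b"example-hybrid-kem-label"
    context = b"constructed transcript"

    key = cat_kdf([k_trad, k_pq], ct_trad, ct_pq, context=context, label=label)

    # Same shared secrets, one bit flipped in the ML-KEM ciphertext. A decapsulation
    # bug that ignored part of the ciphertext would still return k_pq here, but MB is
    # part of f_context, so the derived key material changes anyway.
    bad_ct = bytes([ct_pq[0] ^ 0x01]) + ct_pq[1:]
    key_bad_ct = cat_kdf([k_trad, k_pq], ct_trad, bad_ct, context=context, label=label)

    # Public keys are not CatKDF inputs. They affect the output only if the caller
    # puts them into `context`, e.g. as part of a transcript.
    pk_a = b"constructed public key A"
    pk_b = b"constructed public key B"
    key_pk_a = cat_kdf([k_trad, k_pq], ct_trad, ct_pq, context=context + pk_a, label=label)
    key_pk_b = cat_kdf([k_trad, k_pq], ct_trad, ct_pq, context=context + pk_b, label=label)

    return {
        "length": len(key),
        "ciphertext_bound": key != key_bad_ct,
        "public_key_bound_only_via_context": key_pk_a != key_pk_b and key_pk_a != key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the shared secrets are concatenated before the KDF rather than hashed one by one, a component KEM whose implementation returns a wrong or constant secret still leaves key_material dependent on the other component's secret and on both ciphertexts; what it cannot do is bind anything the caller never feeds into context.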
