New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DNM] Add ML-KEM (FIPS 203). #470
base: main
Are you sure you want to change the base?
Conversation
ML-KEM is not final yet, so this implementation isn't final either. We keep Kyber around (for now) as it's currently widely deployed. Code differences between them are minimal anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lots of nits, the only really "wrong" thing is a documentation comment.
LGTM otherwise!
@@ -143,6 +151,9 @@ func (pk *PublicKey) EncapsulateTo(ct, ss []byte, seed []byte) { | |||
// c = Kyber.CPAPKE.Enc(pk, m, r) | |||
pk.pk.EncryptTo(ct, m[:], kr[32:]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While at it, maybe we can use a name for this constant. This matches the type of K
in the Algorithm 16 from FIPS 203 ("derive shared secret K and randomness r") and is consistent with your other use of kr[:SharedKeySize]
below.
pk.pk.EncryptTo(ct, m[:], kr[32:]) | |
pk.pk.EncryptTo(ct, m[:], kr[SharedKeySize:]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is accidental, and that 32 is not the shared key size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not following.
My understanding is that the first part of kr
is the shared secret key. So kr[SharedKeySize:]
would skip the shared secret key, and refer to the remaining part, r
.
Output: shared key K ∈ B32
(K, r) ← G(m ∥ H(ek)) ▷ derive shared secret key K and randomness r
c ← K-PKE.Encrypt(ek, m, r) ▷ encrypt m using K-PKE with randomness r
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In Kyber the first 32 bytes does not contain the returned shared secret, but an intermediate key that happens to be 32 bytes as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case, what about replacing kr[:SharedKeySize]
by kr[:32]
to avoid that implication?
Thanks. Addressed. |
ML-KEM is not final yet, so this implementation isn't final either.
We keep Kyber around (for now) as it's currently widely deployed. Code differences between them are minimal anyway.