Upgrade to final FIPS
- Need to understand diffs between final version and implemented one
- Need to actually code the changes / test vectors
Differences are listed here in Appendix C on page 47.
Happily, there are not many significant differences. A summary of what FIPS 203 requires:
- length of the shared secret key is fixed to 256 bits.
- different variant of Fujisaki-Okamoto transform (no ciphertext hash in ML-KEM.Encaps / Decaps in derivation of shared secret).
- no more hashing of randomness between lines 1 and 2 in Algorithm 20 (because this standard requires the use of NIST-approved randomness generation).
- some explicit input checking steps (e.g. ML-KEM.Encaps requires that the byte array containing the encapsulation key correctly decodes to an array of integers modulo 𝑞 without any modular reductions).
There are also differences between the final published FIPS 203 spec and its initial public draft (IPD). Summary:
- domain separation was added to K-PKE.KeyGen (prevents changing security level with seed keys).
- the indices of matrix 𝐀̂ in K-PKE.KeyGen and K-PKE.Encrypt were fixed to match CRYSTALS-Kyber (swapped by mistake in the IPD).
P.S. I think this is a noble project. Wish I had money or time to contribute.
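The encapsulation-key input check mentioned above, as an added TypeScript example (my own code, not noble-post-quantum's): ByteDecode_12 reduces each 12-bit value mod q, so a coefficient in the range q..4095 no longer re-encodes to the original bytes, and the key is rejected. The 384k+32 length and the k parameter are FIPS 203 values; the function names are my own.

```typescript
// Added example (not noble-post-quantum code): FIPS 203 encapsulation key check.
const Q = 3329;
const POLY_BYTES = 384; // 256 coefficients * 12 bits / 8

// ByteDecode_12 (FIPS 203, d = 12): 384 bytes -> 256 coefficients reduced mod q.
// The reduction is what makes an out-of-range 12-bit value detectable.
function byteDecode12(b: Uint8Array): number[] {
  if (b.length !== POLY_BYTES) throw new Error('polynomial must be 384 bytes');
  const f: number[] = [];
  for (let i = 0; i < POLY_BYTES; i += 3) {
    const lo = b[i] | ((b[i + 1] & 0x0f) << 8);   // coefficient 2j: low 12 bits
    const hi = (b[i + 1] >> 4) | (b[i + 2] << 4); // coefficient 2j+1: next 12 bits
    f.push(lo % Q, hi % Q);
  }
  return f;
}

// ByteEncode_12 (FIPS 203, d = 12): 256 coefficients in [0, q) -> 384 bytes.
function byteEncode12(f: number[]): Uint8Array {
  const b = new Uint8Array(POLY_BYTES);
  for (let i = 0, j = 0; i < 256; i += 2, j += 3) {
    const lo = f[i], hi = f[i + 1];
    b[j] = lo & 0xff;
    b[j + 1] = (lo >> 8) | ((hi & 0x0f) << 4);
    b[j + 2] = hi >> 4;
  }
  return b;
}

// Encapsulation key check for ML-KEM with parameter k (2, 3 or 4):
// the key must be 384k + 32 bytes (k packed polynomials followed by rho),
// and every polynomial must survive a decode/encode round trip unchanged.
function isValidEncapsKey(ek: Uint8Array, k: number): boolean {
  if (ek.length !== POLY_BYTES * k + 32) return false;
  for (let p = 0; p < k; p++) {
    const chunk = ek.subarray(p * POLY_BYTES, (p + 1) * POLY_BYTES);
    const re = byteEncode12(byteDecode12(chunk));
    for (let i = 0; i < POLY_BYTES; i++) if (re[i] !== chunk[i]) return false;
  }
  return true;
}
```

A key that fails this check must be rejected before any secret-dependent computation in Encaps, which is the point of the explicit step in the final standard.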
Hi, are both the pure and hashed variants of ML-DSA or SLH-DSA considered for implementation?
Added in 2db3dde.
Thanks a lot for the speedy implementation Paul; small question about the lib versioning: are you holding off the v1 release until an audit is done? I'd just like to understand if the lib in the current state is otherwise considered fit for production. Cheers
Yes, the goal is to make v1 after the audit (which is not planned in the nearest months).
The library is kinda okay. I mean, all test vectors are passing. The number of tests is not too large compared to ciphers and hashes, but only because PQ is not adopted. If you know other good vectors, we can add them.
No side channel protections, but even hardware versions of Kyber don't have it.