Collection of Key Encapsulation Mechanisms written in pure Rust
This is a tracking issue for KEMs we could potentially add to this repo:
Lacking a better place to put this, I'll stick it here, although if someone wants to implement it in earnest it could probably use its own repo since it isn't a proper "KEM":
Schmieg proves here that misbinding properties can occur due to the way private keys are serialized, and can be fixed by using a single seed to generate the private key, and thus ML-KEM-768 (generalized to other variants as well) is not MAL-BIND-K-CT or MAL-BIND-K-PK secure. This conclusion is drawn from this paper, which introduces the MAL-BIND security notions that extend beyond IND-CCA.
NIST is now proposing the following modification to the FIPS 203 IPD:
"We propose ML-KEM uses a single 32-byte seed as decapsulation key, from which rho, sigma, and z are expanded.
This is smaller and simpler. Simpler, because we do not need to think about decapsulation key formatting or validation. In particular, it ensures that ML-KEM is MAL-BIND-K-CT and MAL-BIND-K-PK"
The IPD currently specifies that key expansion is unpacked before decapsulation, also precomputing
```
"packed"            unpack      ready-to-use            keygen
decaps key:        -------->    decaps key:          <---------   64 byte seed
s, ek, H(ek), z                 s, ek, H(ek), z, A                d, z
```
NIST's proposal is to simplify this process:
```
"packed"         unpack=keygen     ready-to-use
decaps key:       -------->        decaps key:
g                                  s, ek, H(ek), z, A
```
With the caveat:
To be clear, we do not propose that FIPS 203 specifies this two-step approach. It merely should not preclude it.
Two possible means of applying the proposed update are suggested:
```
g <$- B^32
ek, dk = ML-KEM.ExpandPrivate(g)
return (ek, g)

_, dk = ML-KEM.ExpandPrivate(g)
```

Rename K-PKE.KeyGen to K-PKE.ExpandPrivate; remove lines 1, 2, 20, and 21; add rho and sigma as arguments; and return (^A, ^t, ^s).

Add a new function ML-KEM.UnpackPrivate that takes a 32-byte seed dk as argument, and acts as follows:

```
SHAKE-256:
^A, ^t, ^s = K-PKE.ExpandPrivate(rho, sigma)
ek = ByteEncode_12(^t) || rho
return (^A, ^t, ^s, ek, H(ek), z)
```

```
dk <$- B^32
(^A, ^t, ^s, ek, h, z) = ML-KEM.UnpackPrivate(dk)
ek = ByteEncode_12(^t) || rho
return (ek, dk)
```

```
(^A, ^t, ^s, ek, h, z) = ML-KEM.UnpackPrivate(dk)
```

and pass ^s instead of dk_PKE to K-PKE.Decrypt (line 7); and ^A, ^t instead of ek_PKE to K-PKE.Encrypt (line 8).
What are the feelings around this? Is this update needed currently? This announcement is recent but I thought it would be worth bringing up sooner than later.
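The following is an added illustration of the point behind the proposal above; it is not code from this issue, from the proposal, or from the rustcrypto/kems project. It parses the packed decapsulation-key layout `dk_PKE || ek || H(ek) || z` using the FIPS 203 sizes (k = 3 gives the 2400-byte ML-KEM-768 dk), and shows that the only consistency check the packed bytes themselves allow is `H(ek)` against the embedded `ek`: a flipped byte in `s` or `z` passes unnoticed, which is exactly the kind of malleability the MAL-BIND notions capture. It then shows the first step of a seed-only key, where nothing is left to validate except the length. Assumptions: `expand_seed` takes the 64-byte `(d, z)` pair from the diagram (not the 32-byte seed `g` that the proposal expands with SHAKE-256) and uses the final FIPS 203 derivation `(rho, sigma) = G(d || k)`; the `dk` bytes are random filler constructed for the demo, not a real key, so the remaining key-generation steps are deliberately omitted.

```python
"""Added example: what the packed ML-KEM dk format lets a verifier check,
versus what a seed-only decapsulation key removes. Constructed demo data;
no real ML-KEM key generation is performed."""
import hashlib
import secrets

# FIPS 203 byte sizes, indexed by the parameter k (512: k=2, 768: k=3, 1024: k=4).
def ek_len(k: int) -> int:
    return 384 * k + 32

def dk_len(k: int) -> int:
    # dk = dk_PKE || ek || H(ek) || z
    return 384 * k + ek_len(k) + 32 + 32

def H(b: bytes) -> bytes:
    """FIPS 203 H = SHA3-256."""
    return hashlib.sha3_256(b).digest()

def G(b: bytes) -> tuple[bytes, bytes]:
    """FIPS 203 G = SHA3-512, split into two 32-byte halves."""
    out = hashlib.sha3_512(b).digest()
    return out[:32], out[32:]

def split_packed_dk(dk: bytes, k: int) -> dict:
    """Parse a packed dk into its fields, rejecting wrong lengths."""
    if len(dk) != dk_len(k):
        raise ValueError(f"bad dk length {len(dk)}, expected {dk_len(k)}")
    n = 384 * k
    return {
        "s": dk[:n],
        "ek": dk[n:n + ek_len(k)],
        "h": dk[n + ek_len(k):n + ek_len(k) + 32],
        "z": dk[-32:],
    }

def hash_check(dk: bytes, k: int) -> bool:
    """The only consistency check the packed layout itself supports: the stored
    H(ek) must match the embedded ek. Nothing in the layout binds s to ek, or
    z to anything, so corruption there is invisible without re-running key
    generation, which the packed format does not enable."""
    f = split_packed_dk(dk, k)
    return f["h"] == H(f["ek"])

def make_constructed_dk(k: int) -> bytes:
    """Constructed filler, NOT a real key: random s, ek, z with a correct H(ek)."""
    s = secrets.token_bytes(384 * k)
    ek = secrets.token_bytes(ek_len(k))
    z = secrets.token_bytes(32)
    return s + ek + H(ek) + z

def tamper(dk: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte, modelling a malicious or corrupted dk."""
    b = bytearray(dk)
    b[offset] ^= 0x01
    return bytes(b)

def expand_seed(seed: bytes, k: int) -> dict:
    """Seed-only key: every field is derived, so the only input validation is
    the length check. Performs the first FIPS 203 KeyGen_internal step,
    (rho, sigma) = G(d || k), and takes z from the second half of the seed.
    Sampling A, s, e and computing t are omitted (assumption: this demo only
    needs to show that nothing in the seed can be inconsistent)."""
    if len(seed) != 64:
        raise ValueError("seed must be d || z, 64 bytes")
    d, z = seed[:32], seed[32:]
    rho, sigma = G(d + bytes([k]))
    return {"rho": rho, "sigma": sigma, "z": z}

if __name__ == "__main__":
    k = 3  # ML-KEM-768
    dk = make_constructed_dk(k)
    print("dk length:", len(dk))                            # 2400
    print("intact passes hash check:", hash_check(dk, k))   # True
    print("ek tampered detected:", not hash_check(tamper(dk, 384 * k), k))  # True
    print("s tampered detected:", not hash_check(tamper(dk, 0), k))         # False
    print("z tampered detected:", not hash_check(tamper(dk, len(dk) - 1), k))  # False
    print("seed-derived rho:", expand_seed(secrets.token_bytes(64), k)["rho"].hex())
```

The two `False` results are the practitioner's takeaway: a packed `dk` carries redundant fields that a decapsulator can only partially cross-check, while a seed-derived key has a single canonical expansion and therefore no formatting or validation question at all.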