
Comments (6)

emersion commented on September 27, 2024

Actually, a >= check wouldn't be enough for MLS: the official test vectors pass a 64-byte seed to KEM_P521_HKDF_SHA512 (which has SeedSize of 66). We'd need to drop the checks entirely.

from circl.

armfazh commented on September 27, 2024

In Section 7.4, MLS, DeriveKeyPair is called with node_secret, which is the output of DeriveSecret

node_secret[n] = DeriveSecret(path_secret[n], "node")
node_priv[n], node_pub[n] = KEM.DeriveKeyPair(node_secret[n])

Looking at the definition of DeriveSecret in Section 8, MLS, it outputs KDF.Nh bytes.

DeriveSecret(Secret, Label) =
    ExpandWithLabel(Secret, Label, "", KDF.Nh)

There is a mismatch between KDF.Nh and KEM.Nsk only in the following MLS suites:

MLS ID  MLS Suite                                         KDF.Nh  KEM.Nsk
0x04    MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448          64      56
0x05    MLS_256_DHKEMP521_AES256GCM_SHA512_P521           64      66
0x06    MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448   64      56

@emersion, I recommend you reach out to the MLS authors to seek guidance; this could be a typo in the spec.


emersion commented on September 27, 2024

Good idea. I've sent an email to the mailing list: https://mailarchive.ietf.org/arch/msg/mls/JdrJvjGnVjNHX1xE4kTcsmq_PRc/


bwesterb commented on September 27, 2024

The kem.Scheme interface isn't meant to match up precisely with HPKE. Its DeriveKeyPair function is meant to match up exactly with the natural key derivation. HPKE's derivation can be built on top of that, e.g. as in X-Wing. I think we might want to add a separate interface for HPKE key derivation.


bwesterb commented on September 27, 2024

Also the

For a given KEM, the ikm parameter given to DeriveKeyPair() SHOULD have length at least Nsk, and SHOULD have at least Nsk bytes of entropy.

requirement is problematic for PQ KEMs, which have large secret keys, and is ignored. This requirement is very much written thinking only of elliptic curves.

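The following Go program is an added example, not circl's code and not anything posted in the thread. It walks the two derivations the comments above discuss: armfazh's point that RFC 9420 DeriveSecret always yields KDF.Nh (64) bytes while KEM.Nsk for DHKEM(P-521) is 66, and bwesterb's point that HPKE's DeriveKeyPair can be layered on top of the curve's natural key derivation (here the standard library's crypto/ecdh NewPrivateKey, which enforces 0 < sk < order). HKDF over HMAC-SHA-512 is hand-rolled so the program needs only the standard library; the policy check ikmAtLeastNsk and all function names are this example's own, and the all-zero path_secret is constructed sample input. The program shows that the derivation itself consumes an ikm of any length, so a len(ikm) >= Nsk check is a policy decision rather than a mechanical necessity.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

const nh = sha512.Size // KDF.Nh of the SHA-512 MLS suites (0x04, 0x05, 0x06)
const nskP521 = 66     // KEM.Nsk of DHKEM(P-521, HKDF-SHA512)

// HPKE suite_id for the KEM: "KEM" || I2OSP(kem_id, 2), kem_id 0x0012 for DHKEM(P-521).
var kemSuiteID = []byte("KEM\x00\x12")

// RFC 5869 HKDF-Expand over HMAC-SHA-512, hand-rolled so only the standard library is needed.
func hkdfExpand(prk, info []byte, length int) []byte {
	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		m := hmac.New(sha512.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{counter})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// RFC 9420 Section 8 ExpandWithLabel. KDFLabel is { uint16 length; opaque label<V>;
// opaque context<V> }; the one-byte <V> prefix used here is valid below 64 bytes.
func expandWithLabel(secret []byte, label string, context []byte, length int) []byte {
	full := "MLS 1.0 " + label
	kdfLabel := binary.BigEndian.AppendUint16(nil, uint16(length))
	kdfLabel = append(kdfLabel, byte(len(full)))
	kdfLabel = append(kdfLabel, full...)
	kdfLabel = append(kdfLabel, byte(len(context)))
	kdfLabel = append(kdfLabel, context...)
	return hkdfExpand(secret, kdfLabel, length)
}

// RFC 9420 DeriveSecret: the output is always KDF.Nh bytes, regardless of KEM.Nsk.
func deriveSecret(secret []byte, label string) []byte {
	return expandWithLabel(secret, label, nil, nh)
}

// RFC 9180 Section 4 LabeledExtract / LabeledExpand, bound to the KEM suite_id.
func labeledExtract(label string, ikm []byte) []byte {
	m := hmac.New(sha512.New, nil) // HKDF-Extract with an empty salt
	m.Write(append(append([]byte("HPKE-v1"), kemSuiteID...), label...))
	m.Write(ikm)
	return m.Sum(nil)
}

func labeledExpand(prk []byte, label string, info []byte, length int) []byte {
	in := binary.BigEndian.AppendUint16(nil, uint16(length))
	in = append(in, "HPKE-v1"...)
	in = append(in, kemSuiteID...)
	in = append(in, label...)
	return hkdfExpand(prk, append(in, info...), length)
}

// RFC 9180 Section 7.1.3 DeriveKeyPair for P-521 (bitmask 0x01). ikm only ever
// enters HKDF-Extract, so the derivation runs for any ikm length; the "at least
// Nsk" rule is a policy layered on top, which is the crux of the thread.
func deriveKeyPairP521(ikm []byte) (*ecdh.PrivateKey, error) {
	prk := labeledExtract("dkp_prk", ikm)
	for counter := 0; counter <= 255; counter++ {
		cand := labeledExpand(prk, "candidate", []byte{byte(counter)}, nskP521)
		cand[0] &= 0x01
		// crypto/ecdh rejects sk == 0 and sk >= order, i.e. the spec's retry condition.
		if sk, err := ecdh.P521().NewPrivateKey(cand); err == nil {
			return sk, nil
		}
	}
	return nil, errors.New("DeriveKeyPairError")
}

// The check discussed in the thread: HPKE's "SHOULD have length at least Nsk" made hard.
func ikmAtLeastNsk(ikmLen, nsk int) bool { return ikmLen >= nsk }

func main() {
	pathSecret := make([]byte, nh) // constructed sample input: an all-zero 64-byte path_secret
	nodeSecret := deriveSecret(pathSecret, "node")
	sk, err := deriveKeyPairP521(nodeSecret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("node_secret %d bytes -> P-521 sk %d bytes, pk %d bytes\n",
		len(nodeSecret), len(sk.Bytes()), len(sk.PublicKey().Bytes()))
	for name, nsk := range map[string]int{"0x04/0x06 X448": 56, "0x05 P-521": nskP521} {
		fmt.Printf("%s: KDF.Nh=%d KEM.Nsk=%d, len(ikm) >= Nsk is %v\n", name, nh, nsk, ikmAtLeastNsk(nh, nsk))
	}
}
```

Running it shows the 64-byte node_secret deriving a valid 66-byte P-521 scalar and 133-byte uncompressed public key, while the same 64 bytes fail a len(ikm) >= Nsk check for suite 0x05 and pass it for the X448 suites, which is exactly the asymmetry in the table above.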
