@MGibson1 (Contributor)

FIPS 203 section 7.3 Decapsulation input check

  1. (Hash check) Perform the computation

$$\textnormal{test} \longleftarrow H\left(\bar{dk}\left[384k : 768k + 32 \right]\right)$$
If $\textnormal{test} \neq \bar{dk}[768k+32 : 768k + 64]$, then input checking has failed.

where $H$ is sha3-256.

Tests of this hash verification are added and TODO comments removed.
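To make the section 7.3 check concrete, here is an added worked example (not the RustCrypto ml-kem code from this PR) that slices a serialized decapsulation key at the offsets quoted above, recomputes the SHA3-256 hash of the `dk[384k : 768k+32]` span, and compares it with the stored `dk[768k+32 : 768k+64]`. It is written in Python rather than Rust because `hashlib` ships SHA3-256 and SHAKE256 in the standard library. The field names and the total length `768k + 96` follow the FIPS 203 serialized layout `dk_PKE || ek || H(ek) || z`; the key material itself is constructed filler with no lattice structure, so the example exercises only the input check, not the KEM.

```python
import hashlib
import hmac

# Module rank k for each ML-KEM parameter set (FIPS 203 Table 2).
K_BY_PARAM_SET = {"ML-KEM-512": 2, "ML-KEM-768": 3, "ML-KEM-1024": 4}


def dk_len(k: int) -> int:
    """Length of a serialized decapsulation key:
    dk_PKE (384k) || ek (384k+32) || H(ek) (32) || z (32) = 768k + 96 bytes."""
    return 768 * k + 96


def split_dk(dk: bytes, k: int) -> dict:
    """Slice a serialized dk into its fields at the FIPS 203 offsets.

    The length is checked first: an out-of-range Python slice silently
    returns a short result, which would turn a truncated key into a
    'hash mismatch' instead of a length error."""
    if len(dk) != dk_len(k):
        raise ValueError(f"expected {dk_len(k)} bytes for k={k}, got {len(dk)}")
    return {
        "dk_pke": dk[: 384 * k],
        "ek": dk[384 * k : 768 * k + 32],
        "ek_hash": dk[768 * k + 32 : 768 * k + 64],
        "z": dk[768 * k + 64 :],
    }


def decaps_hash_check(dk: bytes, k: int) -> bool:
    """FIPS 203 section 7.3 step 1: recompute H(dk[384k : 768k+32]) with
    H = SHA3-256 and compare it with dk[768k+32 : 768k+64]."""
    fields = split_dk(dk, k)
    test = hashlib.sha3_256(fields["ek"]).digest()
    # Constant-time comparison: not demanded by FIPS 203 for this check,
    # but the usual defensive default whenever two digests are compared.
    return hmac.compare_digest(test, fields["ek_hash"])


def make_test_dk(k: int, seed: bytes = b"constructed example key") -> bytes:
    """Build a dk with the right layout and a correct embedded hash.

    dk_PKE, ek and z are deterministic SHAKE256 filler (constructed for
    this example), not real ML-KEM material."""
    filler = hashlib.shake_256(seed).digest(768 * k + 64)
    dk_pke = filler[: 384 * k]
    ek = filler[384 * k : 768 * k + 32]
    z = filler[768 * k + 32 :]
    return dk_pke + ek + hashlib.sha3_256(ek).digest() + z


def flip_byte(buf: bytes, index: int) -> bytes:
    """Return a copy of buf with the low bit of buf[index] flipped."""
    return buf[:index] + bytes([buf[index] ^ 0x01]) + buf[index + 1 :]


if __name__ == "__main__":
    k = K_BY_PARAM_SET["ML-KEM-768"]
    dk = make_test_dk(k)
    print("well-formed key:", decaps_hash_check(dk, k))                   # True
    print("corrupted ek:   ", decaps_hash_check(flip_byte(dk, 384 * k), k))  # False
    print("corrupted hash: ", decaps_hash_check(flip_byte(dk, 768 * k + 32), k))  # False
    print("corrupted z:    ", decaps_hash_check(flip_byte(dk, len(dk) - 1), k))  # True
```

The last line of the demo is the caveat worth remembering when reviewing this kind of change: the section 7.3 hash covers only the embedded encapsulation key, so a corrupted `dk_PKE` or `z` passes this check and must be caught, if at all, by other means (the length check here, and the implicit-rejection path at decapsulation time).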

MGibson1 force-pushed the ml-kem/validate-expanded-decapsulation-key-hash branch from 661d9b0 to 0beedc5 on January 29, 2026 00:29

@tarcieri (Member)

@MGibson1 can you merge/rebase?

FIPS 203 section 3.3 "Destruction of intermediate values" specifies that both parts of the seed (z, d) should be treated in the same manner as the decapsulation key itself, which is to zeroize.

MGibson1 force-pushed the ml-kem/validate-expanded-decapsulation-key-hash branch from 0beedc5 to c6c2cd9 on January 29, 2026 04:26

FIPS 203 section 7.2 requires verifying the provided encapsulation key hash against the encapsulation key included in the serialized format.

MGibson1 force-pushed the ml-kem/validate-expanded-decapsulation-key-hash branch from c6c2cd9 to 30faa18 on January 29, 2026 04:29
@MGibson1 (Contributor, Author) commented Jan 29, 2026

Done. Sorry about that, I thought I'd isolated those two PRs but it looks like I mistakenly included both changes in this one.

tarcieri merged commit d8943df into RustCrypto:master on Jan 30, 2026 (23 checks passed)

tarcieri added a commit that referenced this pull request on Jan 30, 2026:
After merging #207 we need to handle errors from invalid hashes

tarcieri mentioned this pull request on Jan 30, 2026