From e0192aa7d4c50540f3bb9c8efeb3f3b73770009a Mon Sep 17 00:00:00 2001
From: Jeff Andersen
Date: Fri, 7 Mar 2025 12:30:06 -0800
Subject: [PATCH 1/2] Clarify concatenation operations Clarify that SHA3-256 takes one input which is a concatenation of multiple values.
---
 draft-irtf-cfrg-hybrid-kems.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/draft-irtf-cfrg-hybrid-kems.md b/draft-irtf-cfrg-hybrid-kems.md
index ed91753..7243cbc 100644
--- a/draft-irtf-cfrg-hybrid-kems.md
+++ b/draft-irtf-cfrg-hybrid-kems.md
@@ -573,7 +573,7 @@ def Encaps(pk):
 ek = P-256.RandomScalar()
 trad_CT = P-256.SerializeElement(P-256.ScalarBaseMult(ek))
 trad_SS = P-256.SerializeElementAsSharedSecret(P-256.ScalarMult(trad_PK, ek))
- ss = SHA3-256(pq_SS, trad_SS, trad_CT, pk[1184:1217], label)
+ ss = SHA3-256(pq_SS || trad_SS || trad_CT || pk[1184:1217] || label)
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -600,7 +600,7 @@ def EncapsDerand(pk, randomness):
 ek = P-256.ScalarFromBytes(randomness[32:80])
 trad_CT = P-256.SerializeElement(P-256.ScalarMultBase(ek))
 trad_SS = P-256.SerializeElementAsSharedSecret(P-256.ScalarMult(ek, trad_PK))
- ss = SHA3-256(pq_SS, trad_SS, trad_CT, trad_PK, label)
+ ss = SHA3-256(pq_SS || trad_SS || trad_CT || trad_PK || label)
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -619,7 +619,7 @@ def Decaps(sk, ct):
 trad_CT = P-256.DeserializeElement(ct[1088:1121])
 pq_SS = ML-KEM-768.Decapsulate(pq_SK, pq_CT)
 trad_SS = P-256.SerializeElementAsSharedSecret(P-256.ScalarMult(trad_SK, trad_CT))
- return SHA3-256(pq_SS, trad_SS, ct[1088:1121], trad_PK, label)
+ return SHA3-256(pq_SS || trad_SS || ct[1088:1121] || trad_PK || label)
 ~~~

 `ct` is the 1121-byte ciphertext resulting from Encaps() and `sk` is a
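Review bot: The traditional public key enters the hash under two different spellings across these hunks: P-256 `Encaps` hashes the byte slice `pk[1184:1217]`, while `EncapsDerand` and `Decaps` hash `trad_PK`, which the context lines pass to `P-256.ScalarMult` as a group element. Concatenation is defined on byte strings, so unless `trad_PK` is declared elsewhere as the serialized encoding, encapsulator and decapsulator can hash different inputs and the shared secrets will not match. I would hash the serialized bytes everywhere, e.g. `pk[1184:1217]` in `EncapsDerand` and an explicitly serialized key in `Decaps`. The P-384 hunks have the same split (`pk[1568:1629]` in `Encaps`/`EncapsDerand`, `trad_PK` in `Decaps`), and PATCH 2/2 carries it over unchanged. The function bodies start outside the hunks, so the definition of `trad_PK` is not visible here.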
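Review bot: The `EncapsDerand` hunk names and orders the group operations differently from `Encaps`: `P-256.ScalarMultBase(ek)` versus `P-256.ScalarBaseMult(ek)`, and `P-256.ScalarMult(ek, trad_PK)` versus `P-256.ScalarMult(trad_PK, ek)`. `Decaps` uses the scalar-first order again with `P-256.ScalarMult(trad_SK, trad_CT)`. Since this series is about making the notation unambiguous, I would settle on one name and one argument order, for example `P-256.ScalarBaseMult(ek)` and `P-256.ScalarMult(ek, trad_PK)` throughout. The P-384 hunks repeat the same mix.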
@@ -910,7 +910,7 @@ def Encaps(pk):
 ek = P-384.RandomScalar()
 trad_CT = P-384.SerializeElement(P-384.ScalarBaseMult(ek))
 trad_SS = P-384.SerializeElementAsSharedSecret(P-384.ScalarMult(trad_PK, ek))
- ss = SHA3-256(pq_SS, trad_SS, trad_CT, pk[1568:1629], label)
+ ss = SHA3-256(pq_SS || trad_SS || trad_CT || pk[1568:1629] || label)
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -937,7 +937,7 @@ def EncapsDerand(pk, randomness):
 ek = P-384.ScalarFromBytes(randomness[32:80])
 trad_CT = P-384.SerializeElement(P-384.ScalarMultBase(ek))
 trad_SS = P-384.SerializeElementAsSharedSecret(P-384.ScalarMult(ek, trad_PK))
- ss = SHA3-256(pq_SS, trad_SS, trad_CT, pk[1568:1629], label)
+ ss = SHA3-256(pq_SS || trad_SS || trad_CT || pk[1568:1629] || label)
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -956,7 +956,7 @@ def Decaps(sk, ct):
 trad_CT = P-384.DeserializeElement(ct[1568:1629])
 pq_SS = ML-KEM-1024.Decapsulate(pq_SK, pq_CT)
 trad_SS = P-384.SerializeElementAsSharedSecret(P-384.ScalarMult(trad_SK, trad_CT))
- return SHA3-256(pq_SS, trad_SS, ct[1568:1629], trad_PK, label)
+ return SHA3-256(pq_SS || trad_SS || ct[1568:1629] || trad_PK || label)
 ~~~

 `ct` is the 1629-byte ciphertext resulting from Encaps() and `sk` is a
From ec575c84b83fe47edd02460667e9e1eda3cc561b Mon Sep 17 00:00:00 2001
From: Jeff Andersen
Date: Fri, 7 Mar 2025 13:00:06 -0800
Subject: [PATCH 2/2] Use concat() operation instead of || syntax.
---
 draft-irtf-cfrg-hybrid-kems.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/draft-irtf-cfrg-hybrid-kems.md b/draft-irtf-cfrg-hybrid-kems.md
index 7243cbc..798a687 100644
--- a/draft-irtf-cfrg-hybrid-kems.md
+++ b/draft-irtf-cfrg-hybrid-kems.md
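Review bot: In the P-384 hunks of PATCH 1/2, the traditional-component slices are 61 bytes wide (`pk[1568:1629]` in `Encaps` and `EncapsDerand`, `ct[1568:1629]` passed to `P-384.DeserializeElement` in `Decaps`), which matches neither the 49-byte compressed nor the 97-byte uncompressed SEC 1 encoding of a P-384 point. The P-256 hunks use 33-byte slices, which is the compressed P-256 size, so the P-384 offsets look as if they were not derived the same way. If compressed points are intended, the slices would be `[1568:1617]` and the sentence after `Decaps` would describe a 1617-byte ciphertext. This needs checking against the draft's serialization section, which is outside these hunks. The same offsets appear in the P-384 hunks of PATCH 2/2.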
@@ -573,7 +573,7 @@ def Encaps(pk):
 ek = P-256.RandomScalar()
 trad_CT = P-256.SerializeElement(P-256.ScalarBaseMult(ek))
 trad_SS = P-256.SerializeElementAsSharedSecret(P-256.ScalarMult(trad_PK, ek))
- ss = SHA3-256(pq_SS || trad_SS || trad_CT || pk[1184:1217] || label)
+ ss = SHA3-256(concat(pq_SS, trad_SS, trad_CT, pk[1184:1217], label))
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -600,7 +600,7 @@ def EncapsDerand(pk, randomness):
 ek = P-256.ScalarFromBytes(randomness[32:80])
 trad_CT = P-256.SerializeElement(P-256.ScalarMultBase(ek))
 trad_SS = P-256.SerializeElementAsSharedSecret(P-256.ScalarMult(ek, trad_PK))
- ss = SHA3-256(pq_SS || trad_SS || trad_CT || trad_PK || label)
+ ss = SHA3-256(concat(pq_SS, trad_SS, trad_CT, trad_PK, label))
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -619,7 +619,7 @@ def Decaps(sk, ct):
 trad_CT = P-256.DeserializeElement(ct[1088:1121])
 pq_SS = ML-KEM-768.Decapsulate(pq_SK, pq_CT)
 trad_SS = P-256.SerializeElementAsSharedSecret(P-256.ScalarMult(trad_SK, trad_CT))
- return SHA3-256(pq_SS || trad_SS || ct[1088:1121] || trad_PK || label)
+ return SHA3-256(concat(pq_SS, trad_SS, ct[1088:1121], trad_PK, label))
 ~~~

 `ct` is the 1121-byte ciphertext resulting from Encaps() and `sk` is a
@@ -910,7 +910,7 @@ def Encaps(pk):
 ek = P-384.RandomScalar()
 trad_CT = P-384.SerializeElement(P-384.ScalarBaseMult(ek))
 trad_SS = P-384.SerializeElementAsSharedSecret(P-384.ScalarMult(trad_PK, ek))
- ss = SHA3-256(pq_SS || trad_SS || trad_CT || pk[1568:1629] || label)
+ ss = SHA3-256(concat(pq_SS, trad_SS, trad_CT, pk[1568:1629], label))
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
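Review bot: The five-argument `concat(...)` now inside `SHA3-256(...)` has no field separators or length prefixes, and nothing in these hunks states that the hash input is unambiguous only because every field is fixed-length. I would add one sentence beside the pseudocode, such as `All inputs to concat() are fixed-length byte strings, so the hash input has a unique parse.`, and confirm that the draft's definition of `concat` covers more than two arguments, since the neighbouring `ct = concat(pq_CT, trad_CT)` only shows the two-argument form. That definition and the length of `label` are outside the hunks, so this is to be checked against the notation section.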
@@ -937,7 +937,7 @@ def EncapsDerand(pk, randomness):
 ek = P-384.ScalarFromBytes(randomness[32:80])
 trad_CT = P-384.SerializeElement(P-384.ScalarMultBase(ek))
 trad_SS = P-384.SerializeElementAsSharedSecret(P-384.ScalarMult(ek, trad_PK))
- ss = SHA3-256(pq_SS || trad_SS || trad_CT || pk[1568:1629] || label)
+ ss = SHA3-256(concat(pq_SS, trad_SS, trad_CT, pk[1568:1629], label))
 ct = concat(pq_CT, trad_CT)
 return (ss, ct)
 ~~~
@@ -956,7 +956,7 @@ def Decaps(sk, ct):
 trad_CT = P-384.DeserializeElement(ct[1568:1629])
 pq_SS = ML-KEM-1024.Decapsulate(pq_SK, pq_CT)
 trad_SS = P-384.SerializeElementAsSharedSecret(P-384.ScalarMult(trad_SK, trad_CT))
- return SHA3-256(pq_SS || trad_SS || ct[1568:1629] || trad_PK || label)
+ return SHA3-256(concat(pq_SS, trad_SS, ct[1568:1629], trad_PK, label))
 ~~~

 `ct` is the 1629-byte ciphertext resulting from Encaps() and `sk` is a