Why is encapsulation routine not performing "Modulus check" ? #80

Closed
itzmeanjan opened this issue Jun 20, 2024 · 1 comment

@itzmeanjan

👋

I was looking at the standard branch's crypto_kem_enc_derand function

kyber/ref/kem.c, lines 59 to 96 at d1321ce:

```c
/*************************************************
* Name:        crypto_kem_enc_derand
*
* Description: Generates cipher text and shared
*              secret for given public key
*
* Arguments:   - uint8_t *ct: pointer to output cipher text
*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
*              - uint8_t *ss: pointer to output shared secret
*                (an already allocated array of KYBER_SSBYTES bytes)
*              - const uint8_t *pk: pointer to input public key
*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
*              - const uint8_t *coins: pointer to input randomness
*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
**
* Returns 0 (success)
**************************************************/
int crypto_kem_enc_derand(uint8_t *ct,
                          uint8_t *ss,
                          const uint8_t *pk,
                          const uint8_t *coins)
{
  uint8_t buf[2*KYBER_SYMBYTES];
  /* Will contain key, coins */
  uint8_t kr[2*KYBER_SYMBYTES];

  memcpy(buf, coins, KYBER_SYMBYTES);

  /* Multitarget countermeasure for coins + contributory KEM */
  hash_h(buf+KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
  hash_g(kr, buf, 2*KYBER_SYMBYTES);

  /* coins are in kr+KYBER_SYMBYTES */
  indcpa_enc(ct, buf, pk, kr+KYBER_SYMBYTES);

  memcpy(ss,kr,KYBER_SYMBYTES);
  return 0;
}
```

and I wonder why it doesn't conform to the NIST draft standard FIPS 203, specifically lines 984-985 in https://doi.org/10.6028/NIST.FIPS.203.ipd ?

I'd expect it to fail if any coefficient of the polynomial vector is not reduced modulo the prime 3329.

@cryptojedi (Contributor)

At the time, we did not implement the modulus check, because it was still heavily discussed.
Now, in the final FIPS 203 standard, the modulus check is not part of Encaps, but whoever uses Encaps has to ensure that the public key has passed validation.
We do not currently implement any of the input-validation checks, but may add them later; potentially together with an API update.
For now I'll close the issue.
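The check both posts refer to, as an added, self-contained example (not the kyber reference code and not part of this thread): FIPS 203 calls it the "modulus check" and phrases it as ByteEncode12(ByteDecode12(ek[0:384k])) == ek[0:384k], which is the same condition the issue opener states, namely that every 12-bit coefficient of the encoded t̂ vector is already reduced below q = 3329. The example implements both formulations so they can be compared, and builds a constructed (not real) ML-KEM-768 encapsulation key with one coefficient optionally pushed out of range. The function and macro names (mlkem_ek_modulus_check, build_sample_ek, SAMPLE_K and so on) are this example's own, not names from the reference implementation or the standard.

```c
/* Added example: the FIPS 203 "modulus check" on an ML-KEM encapsulation
 * key, written stand-alone. It is not code from the kyber repository. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MLKEM_Q         3329  /* prime modulus q */
#define MLKEM_N         256   /* coefficients per polynomial */
#define MLKEM_SYMBYTES  32    /* seed rho appended after t_hat */
#define MLKEM_POLYBYTES 384   /* 256 coefficients * 12 bits / 8 */

/* ByteDecode12 for one polynomial (3 bytes -> two 12-bit coefficients).
 * Returns 1 if every coefficient is < q, 0 otherwise. The loop never exits
 * early; ek is public, so this is about uniform control flow, not secrecy. */
static int poly_decode12_check(const uint8_t *bytes, uint16_t *coeffs)
{
    int ok = 1;
    for (size_t i = 0; i < MLKEM_N / 2; i++) {
        uint16_t a = (uint16_t)(bytes[3*i] | ((bytes[3*i+1] & 0x0F) << 8));
        uint16_t b = (uint16_t)((bytes[3*i+1] >> 4) | (bytes[3*i+2] << 4));
        coeffs[2*i]   = a;
        coeffs[2*i+1] = b;
        ok &= (a < MLKEM_Q) & (b < MLKEM_Q);
    }
    return ok;
}

/* ByteEncode12 for one polynomial; used for the re-encode formulation and
 * for building sample keys. Coefficients must be < 4096. */
static void poly_encode12(const uint16_t *coeffs, uint8_t *bytes)
{
    for (size_t i = 0; i < MLKEM_N / 2; i++) {
        uint16_t a = coeffs[2*i], b = coeffs[2*i+1];
        bytes[3*i]   = (uint8_t)(a & 0xFF);
        bytes[3*i+1] = (uint8_t)((a >> 8) | ((b & 0x0F) << 4));
        bytes[3*i+2] = (uint8_t)(b >> 4);
    }
}

/* Modulus check, coefficient formulation: ek = t_hat || rho, t_hat is k
 * polynomials of 384 bytes each; every coefficient must lie in [0, q-1].
 * k is the module rank: 2, 3 or 4 for ML-KEM-512/768/1024. Returns 1 = valid. */
int mlkem_ek_modulus_check(const uint8_t *ek, size_t k)
{
    uint16_t coeffs[MLKEM_N];
    int ok = 1;
    for (size_t j = 0; j < k; j++)
        ok &= poly_decode12_check(ek + j * MLKEM_POLYBYTES, coeffs);
    return ok;
}

/* Modulus check as FIPS 203 states it: ByteDecode12 reduces each value mod q,
 * so re-encoding reproduces the input bytes only if nothing was >= q. */
int mlkem_ek_modulus_check_reencode(const uint8_t *ek, size_t k)
{
    uint16_t coeffs[MLKEM_N];
    uint8_t re[MLKEM_POLYBYTES];
    int ok = 1;
    for (size_t j = 0; j < k; j++) {
        const uint8_t *p = ek + j * MLKEM_POLYBYTES;
        (void)poly_decode12_check(p, coeffs);      /* decode, ignore verdict */
        for (size_t i = 0; i < MLKEM_N; i++)
            coeffs[i] %= MLKEM_Q;                  /* FIPS 203 ByteDecode_12 mod q */
        poly_encode12(coeffs, re);
        ok &= (memcmp(re, p, MLKEM_POLYBYTES) == 0); /* public data: memcmp is fine */
    }
    return ok;
}

/* Constructed sample: an ML-KEM-768 (k=3) ek whose coefficients are all
 * reduced; if corrupt != 0 the last coefficient is replaced by bad_value.
 * This is synthetic input for the check, not a real key. */
#define SAMPLE_K 3
#define SAMPLE_EKBYTES (SAMPLE_K * MLKEM_POLYBYTES + MLKEM_SYMBYTES)

void build_sample_ek(uint8_t ek[SAMPLE_EKBYTES], int corrupt, uint16_t bad_value)
{
    uint16_t coeffs[MLKEM_N];
    for (size_t j = 0; j < SAMPLE_K; j++) {
        for (size_t i = 0; i < MLKEM_N; i++)
            coeffs[i] = (uint16_t)((i * 7919 + j * 101) % MLKEM_Q); /* always < q */
        if (corrupt && j == SAMPLE_K - 1)
            coeffs[MLKEM_N - 1] = bad_value;       /* e.g. q itself, or 4095 */
        poly_encode12(coeffs, ek + j * MLKEM_POLYBYTES);
    }
    memset(ek + SAMPLE_K * MLKEM_POLYBYTES, 0xAB, MLKEM_SYMBYTES); /* placeholder rho */
}

/* Runs both formulations on a sample key; 1 = valid, 0 = invalid,
 * 2 = the two formulations disagree (which must never happen). */
int sample_check(int corrupt, uint16_t bad_value)
{
    uint8_t ek[SAMPLE_EKBYTES];
    build_sample_ek(ek, corrupt, bad_value);
    int a = mlkem_ek_modulus_check(ek, SAMPLE_K);
    int b = mlkem_ek_modulus_check_reencode(ek, SAMPLE_K);
    return (a == b) ? a : 2;
}

int main(void)
{
    printf("all reduced:            %d\n", sample_check(0, 0));
    printf("coefficient = q (3329): %d\n", sample_check(1, 3329));
    printf("coefficient = 4095:     %d\n", sample_check(1, 4095));
    printf("coefficient = q-1:      %d\n", sample_check(1, 3328));
    return 0;
}
```

A caller following the reply above would run mlkem_ek_modulus_check (or the re-encode variant) on pk once, before crypto_kem_enc_derand, and refuse to encapsulate on failure; the reference function itself stays as shown in the issue. Note that the check is on the 384k bytes of t̂ only; the trailing 32-byte seed rho is arbitrary and is not inspected.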
