Cross KAT Implementation: Seed Field Ignored During Key Generation


Gefei Li

Jul 11, 2025, 3:45:34 AM
to pqc-forum
Dear Cross authors, 

I would like to raise an observation about the Cross reference implementation, specifically in relation to the generation of KAT vectors. 
Issue
In the current implementation, the seed value provided is not used to deterministically derive key generation inputs. The implementation uses its own RNG internally to generate the private key seed, salt, and root seed. While this behavior is acceptable for normal runtime key generation, it causes two issues for deterministic KAT testing: 
- The seed field in the KAT request files becomes effectively unused, defeating its intended purpose. 
- Test cases cannot be reproduced individually or out of sequence, since the internal RNG state progresses across test cases. 
Request
- Could the authors clarify whether this is the intended behavior for KAT generation? 
- Would it be possible for the reference implementation to support deterministic key generation using the provided seed? 
- Additionally, could you please publish an official set of KAT files? This would help validate that the locally generated KAT files match the expected results. 

Thank you for your efforts on the Cross submission. I look forward to your guidance on this matter. 
Best regards,
Gefei Li
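
The reproducibility problem described in the message above, as an added example that is not part of the thread and not CROSS code. A toy SHAKE-256 generator (`ToyDrbg`) and a hypothetical `toy_keygen` stand in for the KAT harness RNG and the real key generation, and the entropy value is constructed.

```python
import hashlib

class ToyDrbg:
    """Constructed stand-in for a KAT harness RNG: SHAKE-256 over seed || counter."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def randombytes(self, n: int) -> bytes:
        block = self.seed + self.counter.to_bytes(8, "big")
        self.counter += 1
        return hashlib.shake_256(block).digest(n)

def toy_keygen(rng: ToyDrbg) -> bytes:
    """Hypothetical keygen: draw a secret seed, derive a toy 'public key' from it."""
    sk_seed = rng.randombytes(32)
    return hashlib.shake_256(b"pk" + sk_seed).digest(32)

ENTROPY = bytes(range(48))  # constructed initial entropy input
_master = ToyDrbg(ENTROPY)
SEEDS = [_master.randombytes(48) for _ in range(3)]  # per-entry "seed" fields

def run_ignoring_seed(order):
    """Reported behaviour: one RNG seeded at start; the entry's seed is never read."""
    rng = ToyDrbg(ENTROPY)
    return {i: toy_keygen(rng) for i in order}

def run_using_seed(order):
    """Requested behaviour: each entry re-seeds the RNG from its own seed field."""
    return {i: toy_keygen(ToyDrbg(SEEDS[i])) for i in order}

def reproducible(run, n: int = 3) -> bool:
    """True if each entry gives the same key in order, reversed, and run alone."""
    forward = run(range(n))
    backward = run(reversed(range(n)))
    alone = {i: run([i])[i] for i in range(n)}
    return forward == backward == alone

if __name__ == "__main__":
    print("seed ignored:", reproducible(run_ignoring_seed))
    print("seed used:   ", reproducible(run_using_seed))
```

The same three-way comparison (in order, reversed, one entry alone) can be pointed at a real KAT harness to confirm that every response depends only on its own seed field.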

Jonas Schupp

Jul 11, 2025, 6:24:47 AM
to pqc-...@list.nist.gov
Dear Gefei Li,

thanks for pointing this out.

You are indeed correct that the KATs currently published with CROSS are
derived from the initial entropy input during KAT generation but not
from the individual seeds stored with each KAT. As this is not the
behaviour we intended, we will update the implementation, KATs and Spec
on our webpage accordingly and come back to you as soon as we have
fixed the issue.

Thanks again for the interest in our submission!

Best Regards,

the CROSS team

Jonas Schupp

Jul 31, 2025, 12:46:25 PM
to pqc-...@list.nist.gov
Dear Gefei Li,

we've updated the implementation and Spec on our webpage [1] and also
included a new set of KATs which now correctly use the respective
seeds.

Best Regards

the CROSS team

[1]: https://www.cross-crypto.com/nist-submission.html

Gefei Li

Aug 18, 2025, 11:48:40 PM
to pqc-forum, Jonas Schupp

Dear CROSS team,

Thanks for addressing the KAT generation issue and publishing the updated implementation, spec, and test files. The deterministic KATs are very helpful for validation — I’ve run them against our Java implementation and all test vectors pass.

We’ve added Java implementations of CROSS and other PQC signature schemes to the Bouncy Castle Crypto APIs:
https://github.com/bcgit/bc-java

Currently included: CROSS, Mirath, Snova, Mayo (with CROSS and Mirath to be available soon).
Coming next month: Hawk

We welcome any feedback from the community to help ensure correctness and performance.

Best regards,
Gefei Li
