The question I would have is the following: Considering section 3.3 the RBG
security strength is 128/192/256 bits for ML-KEM 512/768/1024, can the
aforementioned generation of 64 bytes of data from an RBG be replaced with
generating the security strength size data from the RBG and using an approved
KDF (SP800-108 / SP800-56C) to enlarge the data to the requested size of 64
bytes?
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/2098567.mTc0TySc1m%40tauon.atsec.com.
On Sep 6, 2024, at 16:51, Deirdre Connolly <durumcr...@gmail.com> wrote:
This Message Is From an External SenderThis message came from outside the Laboratory.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAFR824yj9Tc3-8TbTTqmxVqeK7jYNPKkSHJNGEbU9KAKcFWFmg%40mail.gmail.com.
I would also really like this to be a supported/compliant way to store seeds and expand the keys from them.
One of the SHAKEs is probably good
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAFR824xp0friNgn4LM%3D0Ef8T3ciQ2WAp%2BL-Gwa4XEFj%3DSA6F2w%40mail.gmail.com.
HKDF with sha256?Is there some known attack when d / z are expanded from each other?Is that what's being discussed here?
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/058b1499-9fef-449e-8cde-ee2184beecd2n%40list.nist.gov.
But my concern is slightly different, considering
that FIPS 203 explicitly says the seed must come from an RBG and not from a
plain KDF which provides seed data for different ML-KEM keys.
My concern is more along the lines what FIPS 203 says: a fresh random number
is to be generated from an RBG each time a new key pair is created. However,
instead of wanting to store the key pair or the private key, storing the seed
is allowed. All I am asking is whether instead of storing 64 bytes from an
RBG, I can store 32 bytes from an RBG and expand the 32 bytes to 64 bytes
using a KDF to regenerate the one given key pair the seed applies to.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAHOTMV%2B%3DPuuj%3DH4FV_Z6dSSU%2Bs6Uews7z8ZbAi1cywjEnEhhoQ%40mail.gmail.com.
Using only a 32-byte seed for ML-KEM is not allowed by FIPS 203, and we have no plans to allow it. It’s true that having such an option might be advantageous for some applications. However, we do not see this as a sufficient reason to change FIPS 203, either directly or indirectly. Making a change at this stage is no small task, and could have unintended consequences. – Gorjan (for NIST PQC team).
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAMm%2BLwgh%2Bq9%3DtvvL8h3De25D0NTA%2B2Tqcj5benLZ_B%3D5ykR%3D4Q%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB4726A89BA10428F937C4EF169A622%40DM6PR09MB4726.namprd09.prod.outlook.com.
Can you clarify if that's a general prohibition to use SP 800-108 KDFs to derive seeds [...]
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/6f6676bd-6971-42d0-8acb-a07995d25c80%40app.fastmail.com.
ZjQcmQRYFpfptBannerEnd
Using only a 32-byte seed for ML-KEM is not allowed by FIPS 203, and we have no plans to allow it.
I suggest the NIST PQC team reconsiders.
It’s true that having such an option might be advantageous for some applications. However, we do not see this as a sufficient reason to change FIPS 203, either directly or indirectly.
We differ here.
Making a change at this stage is no small task, and could have unintended consequences. – Gorjan (for NIST PQC team).
Would you mind sharing your concerns? Being specific would be preferred.
Thanks
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB4726A89BA10428F937C4EF169A622%40DM6PR09MB4726.namprd09.prod.outlook.com.
Using only a 32-byte seed for ML-KEM is not allowed by FIPS 203, and we have no plans to allow it.
Process:
1. Obtain a string of b bits from an approved DRBG (as specified in SP 800-90A [16]) with a security strength of requested_security_strength or more. The private key d is this string of b bits.
2. Compute the hash of the private key d, H(d) = (h0, h1, ..., h2b-1) using SHA-512 for Ed25519 and SHAKE256 for Ed448 (H(d)= SHAKE256(d, 912)). H(d) may be precomputed. Note H(d) is also used in the EdDSA signature generation; see Section 7.6. FIPS 186-5 DIGITAL SIGNATURE STANDARD (DSS) 47
3. The first half of H(d), (i.e. hdigest1 = (ℎ0, ℎ1, … , ℎ𝑏𝑏−1)) is used to generate the public key.