On 7/6/26 16:06, Sophie Schmieg wrote:
> yes, this approach works, and was more or less what I originally suggested
> in Kemmy Schmidt [1] (I technically suggested using a PRF call to create
> sigma, rho, and z). Currently the second half of the G(d || k) call is used
> for rho, which becomes part of the public key, so it obviously cannot be
> reused for z, but by inserting a second SHA3-512 call or by using SHAKE to
> derive 3 32 byte values you could reduce the seed to a single one.
This could be quite useful for smart cards due to their very limited
storage capacity. For non-exportable keys, there is no way to know
whether this approach was used.
> However,
> back when the discussion surfaced this problem, NIST had already all but
> finalized the spec and this rewrite would force a bunch of rework of the
> function definitions as they exist in FIPS 203, so it was decided that it
> wasn't worth the trouble given that it is unclear whether this is an actual
> problem in practice.
Purely a curiosity question: why was the rework a problem, given that
the result would definitely be no less secure?
> If deriving ML-KEM keys is following FIPS (I'm unclear on the status of
> that, it's required for a bunch of use cases like MLS, but it requires a
> rework of the key derivation SP), then there is a FIPS compliant way of
> making this work, by using some FIPS compliant key derivation function and
> deriving the seeds for ML-KEM from another seed, storing only this meta
> seed as the private key.
>
> [1]
https://eprint.iacr.org/2024/523
Should this be standardized in the IETF or a future version of FIPS 203?
It would be best to not have multiple non-interoperable techniques in use.