Bytepad

[Rule Uresti]

Howeverif I read the current NIST specifications in NIST SP 800-185 correctly, there is no Keypack function defined. The Keypack function prefixed a key size to the key so that the key and message data are kept separate. Currently the key just seems to be zero-padded up to the next block boundary using the function bytepad(encode_string(K), 168) for KMAC128 and bytepad(encode_string(K), 136) for KMAC256.

This means that the (bit) string encoding canonically encodes the key including the size of the key (len(S)). That means that any key with a different size will be encoded in such a way that the division between key K and message X is clear.

The canonical encoding is still present even though the encode_string has a more generic name compared to earlier KMAC drafts where it was called Keypack(K, l) and took the length as explicit parameter.

3a8082e126