Incorrect seeding value in ML KEM intermediate files.

[Ant1-Provot]

Hello !

The seeding values (𝜌, 𝜎) are incorrect. Based on the FIPS 203 - Algo 13 - Line 1, they are supposed to be the concatenation of d and k (resulting in 33 bytes ), then hashed through SHA3-512.

The current (𝜌, 𝜎) are the result of only the hashing of d, without any concatenation with k.

[Aurum-Vale]

Hi, the current main branch is still based on the FIPS-203 draft, hence the differences you observed.
The encaps and decaps test vectors should still be correct, but the intermediate, unlucky and monte carlo tests are now incorrect.

In particular, the unlucky test vectors needs to be bruteforced again, but it will take three times as long: domain separation influences the shake stream, which is where the bruteforce happens. I am currently trying to bruteforce those myself to at least get the test vectors.

I will submit a PR if I manage to get them, although it would then need additional review so it doesn't only count on my own ML-KEM implementation to verify the new test vectors.

[Aurum-Vale]

Edited my previous post with the most important word missing from the first sentence.

I've regenerated monte carlo vectors and I found an unlucky sample for k = 4, I'm still bruteforcing for the others but it shouldn't take long. I'll also look into regenerating the intermediate vectors.

[Ant1-Provot]

Okay thanks then !
I'll also test your vectors against my implem if you submit a new PR.
Have a good day.

[Aurum-Vale]

Hey, I submitted a PR with the vectors I found if you want to test them, I didn't include the "intermediate" vectors however. #13