You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
KDF(message) represents a key derivation function suitable to the
chosen KEMs according to {tab-kem-combiners}. All KDFs (…)
KDF(message) represents a key derivation function suitable to the
chosen KEMs according to Table 2. All KDFs (…)
Section 3.3
Each registered Composite ML-KEM algorithm specifies the choice of
KDF andDomain to be used in Section 7 and Section 7.2 below.
Each registered Composite ML-KEM algorithm specifies the choice of
KDF and Domain to be used in Section 7 and Section 7.2 below.
Section 4.1
Generate componint keys.
Generate component keys.
Section 4.2
Composite public key conisting of encryption public keys for each component.
Composite public key consisting of encryption public keys for each component.
Section 4.2
Trad A placeholder for the specific ML-KEM algorithm and
parameter set to use, for example "RSA-OAEP"
or "X25519".
Trad A placeholder for the specific traditional algorithm and
parameter set to use, for example "RSA-OAEP"
or "X25519".
Section 5
For timing-invariance reasons, it is RECOMMENDED to perform both decapsulation operations and check for errors afterwards to to prevent an attacker from using a timing channel to tell which component failed decapsulation.
For timing-invariance reasons, it is RECOMMENDED to perform both decapsulation operations and check for errors afterwards to prevent an attacker from using a timing channel to tell which component failed decapsulation.
Section 5
ie
i.e.
Note: also Section 7.1, 7.3 (2 times) and 11.3.
Section 5.1
For use with this document, ML-KEM keys MUST be be the raw BIT STRING (…)
For use with this document, ML-KEM keys MUST be the raw BIT STRING (…).
Section 5.2
For more details on the security considerations around key reuse, see section Section 11.2.
For more details on the security considerations around key reuse, see Section 11.2
Section 7.2
The KEM combiner defined in section Section 3.3 requires a domain
separator Domain input.
The KEM combiner defined in Section 3.3 requires a domain
separator Domain input.
Section 7.3
(…) however SHA2 is not us must be wrapped in the HKDF construction.
(…) however SHA2 is not so must be wrapped in the HKDF construction.
Section 7.4
The RSA component keys MUST be generated at the 2048-bit and 3072-bit
security levels respectively.
The RSA component keys MUST be generated at the 2048-bit, 3072-bit and 4096-bit security levels respectively.
Section 8.1.1
IKM: input keying material. In this document this is the shared
secret outputted from the Encapsulate() or Decapsulate() functions.
IKM: input keying material. In this document this is the shared
secret outputted from the Encaps() or Decaps() functions.
Rationale: Consistency with other parts of the standard, e.g. Section 3.
Section 8.1.2
K: the input key-derivation key. In this document this is the
shared secret outputted from the Encapsulate() or Decapsulate()
functions.
K: the input key-derivation key. In this document this is the
shared secret outputted from the Encaps() or Decaps()
functions.
Section 8.2
wrap identifies a key-encryption algorithm used to encrypt the
content-encryption key.
wrap identifies a key-encryption algorithm used to encrypt the
content-encryption key.
encryptedKey is the result of encrypting the CEK with the KEK.
Rationale: To be consistent with RFC 9629 a description of the encryptedKey field should be added.
Section 11.1.1
(…) and therefore secure so, long as one of the component KEMs is.
(…) and therefore secure so long as one of the component KEMs is.
Appendix B
Component Signature Algorithm
Component Encryption Algorithm
Proposals (mainly clarifying)
Section 7.2
to use it, the value should be HEX-decoded and used in binary form.
to use it, the value MUST be HEX-decoded and used in binary form.
Rationale: For interoperability purposes this type of encoding should be clearly indicated.
Section 7.3
Pair equivalent levels.
Pair equivalent levels (except for RSA, especially RSA2048, which were included due to their massive use).
Rationale: security strength of RSA2048 is 112 bits and RSA3072/4096 128 bits.
Section 8.1.1
salt: optional salt value (a non-secret random value). In this
document this parameter is unused, that is it is the zero-length
string "".
salt: optional salt value (a non-secret random value). In this
document this parameter is unused, that is it is the string of
HashLen zeros.
Rationale: Section 2.2 RFC 5869:
salt optional salt value (a non-secret random value);
if not provided, it is set to a string of HashLen zeros.
Section 8.2
kdf identifies the key-derivation algorithm. Note that the Key
Derivation Function (KDF) used for CMS RecipientInfo process MAY
be different than the KDF used within the Composite ML-KEM
algorithm or one of its components.
kdf identifies the key-derivation algorithm. Note that the Key
Derivation Function (KDF) used for CMS RecipientInfo process (to calculate the KEK key) MAY be different than the KDF used within the Composite ML-KEM algorithm (to calculate the shared secret ss).
Rationale: The removal of the phrase “or one of its components” results from the fact that the traditional component uses RSA-OAEP (and not RSA-KEM as in the previous versions of the document) or uses a simplified version of DHKEM - see Section 3.2. Otherwise, these KDF functions would have to be defined in this document.
Regards
The text was updated successfully, but these errors were encountered:
Editorial changes
chosen KEMs according to Table 2. All KDFs (…)
Each registered Composite ML-KEM algorithm specifies the choice of
KDF and Domain to be used in Section 7 and Section 7.2 below.
Generate component keys.
Section 4.2
Composite public key consisting of encryption public keys for each component.
Trad A placeholder for the specific traditional algorithm and
parameter set to use, for example "RSA-OAEP"
or "X25519".
For timing-invariance reasons, it is RECOMMENDED to perform both decapsulation operations and check for errors afterwards to prevent an attacker from using a timing channel to tell which component failed decapsulation.
i.e.
Note: also Section 7.1, 7.3 (2 times) and 11.3.
For use with this document, ML-KEM keys MUST be the raw BIT STRING (…).
For more details on the security considerations around key reuse, see Section 11.2
The KEM combiner defined in Section 3.3 requires a domain
separator Domain input.
(…) however SHA2 is not so must be wrapped in the HKDF construction.
The RSA component keys MUST be generated at the 2048-bit, 3072-bit and 4096-bit security levels respectively.
IKM: input keying material. In this document this is the shared
secret outputted from the Encaps() or Decaps() functions.
Rationale: Consistency with other parts of the standard, e.g. Section 3.
K: the input key-derivation key. In this document this is the
shared secret outputted from the Encaps() or Decaps()
functions.
wrap identifies a key-encryption algorithm used to encrypt the
content-encryption key.
encryptedKey is the result of encrypting the CEK with the KEK.
Rationale: To be consistent with RFC 9629 a description of the encryptedKey field should be added.
(…) and therefore secure so long as one of the component KEMs is.
Component Encryption Algorithm
Proposals (mainly clarifying)
to use it, the value MUST be HEX-decoded and used in binary form.
Rationale: For interoperability purposes this type of encoding should be clearly indicated.
Rationale: security strength of RSA2048 is 112 bits and RSA3072/4096 128 bits.
salt: optional salt value (a non-secret random value). In this
document this parameter is unused, that is it is the string of
HashLen zeros.
Rationale: Section 2.2 RFC 5869:
salt optional salt value (a non-secret random value);
if not provided, it is set to a string of HashLen zeros.
kdf identifies the key-derivation algorithm. Note that the Key
Derivation Function (KDF) used for CMS RecipientInfo process (to calculate the KEK key) MAY be different than the KDF used within the Composite ML-KEM algorithm (to calculate the shared secret ss).
Rationale: The removal of the phrase “or one of its components” results from the fact that the traditional component uses RSA-OAEP (and not RSA-KEM as in the previous versions of the document) or uses a simplified version of DHKEM - see Section 3.2. Otherwise, these KDF functions would have to be defined in this document.
Regards
The text was updated successfully, but these errors were encountered: