Skip to content

ML-KEM: Add check for Pubkey hash mismatch on decoding the dk #9470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

ML-KEM: Add check for Pubkey hash mismatch on decoding the dk #9470

wants to merge 2 commits into from
+15 −2

Conversation

@lealem47
Copy link
Contributor

@lealem47 lealem47 commented Nov 24, 2025

Description

Fix to adhere to FIPS 203 – Algorithm 18 (Decaps_internal)

Re-encode ek_PKE and compute h' = H(ek_PKE)
Reject the decapsulation key if h' ≠ h.

Testing

CAVP vectors with a private key whose embedded public key does not match the hash stored in the key.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@lealem47 lealem47 requested a review from SparkiDev November 24, 2025 17:50
@lealem47 lealem47 self-assigned this Nov 24, 2025
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Nov 24, 2025

🛟 Devin Lifeguard found 2 likely issues in this PR

  • check-all-return-codes snippet: Check the signature of MLKEM_HASH_H; if it returns an int error code, store the result (e.g. ret = MLKEM_HASH_H(...); if (ret != 0) return ret;) before proceeding.
  • prefer-constant-time snippet: Confirm whether XMEMCMP executes in constant time; if not, replace it with a constant-time comparison routine (e.g., wc_MemcmpCT) when comparing cryptographic hashes.

@lealem47
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@lealem47
Copy link
Contributor Author

lealem47 commented Nov 24, 2025
edited
Loading

Jenkins retest this please

@lealem47 lealem47 assigned wolfSSL-Bot and SparkiDev and unassigned lealem47 Nov 24, 2025
SparkiDev
SparkiDev requested changes Nov 24, 2025
View reviewed changes
wolfcrypt/src/wc_mlkem.c Outdated
/* Decode the public key that is after the private key. */
mlkemkey_decode_public(key->pub, key->pubSeed, p, k);
/* Compute the hash of the public key. */
MLKEM_HASH_H(&key->hash, p, pubLen, computedHash);
Copy link
Contributor

@SparkiDev SparkiDev Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MLKEM_HASH_H may fail.

wolfcrypt/src/wc_mlkem.c Outdated
}

if (ret == 0) {
byte computedHash[WC_ML_KEM_SYM_SZ];
Copy link
Contributor

@SparkiDev SparkiDev Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hash into key->h and compare with the data in the encoded private key.

Don't need computedHash then.

Copy link
Contributor Author

@lealem47 lealem47 Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great point, fixed

@SparkiDev SparkiDev assigned lealem47 and unassigned SparkiDev Nov 24, 2025
@lealem47 lealem47 requested a review from SparkiDev November 25, 2025 00:02
@lealem47 lealem47 removed their assignment Nov 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SparkiDev SparkiDev SparkiDev approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lealem47 @SparkiDev @wolfSSL-Bot