Merged
3 changes: 3 additions & 0 deletions wolfcrypt/src/error.c
Expand Up @@ -656,6 +656,9 @@ const char* wc_GetErrorString(int error)
case INTERRUPTED_E:
return "Process interrupted";

case MLKEM_PUB_HASH_E:
return "ML-KEM priv key's stored hash doesn't match encoded pub key";

case MAX_CODE_E:
case WC_SPAN1_MIN_CODE_E:
case MIN_CODE_E:
11 changes: 11 additions & 0 deletions wolfcrypt/src/wc_mlkem.c
Expand Up @@ -1681,6 +1681,9 @@ int wc_MlKemKey_DecodePrivateKey(MlKemKey* key, const unsigned char* in,
}

if (ret == 0) {
byte computedHash[WC_ML_KEM_SYM_SZ];
XMEMSET(computedHash, 0, WC_ML_KEM_SYM_SZ);

/* Decode private key that is vector of polynomials.
* Alg 18 Step 1: dk_PKE <- dk[0 : 384k]
* Alg 15 Step 5: s_hat <- ByteDecode_12(dk_PKE) */
Expand All @@ -1689,16 +1692,24 @@ int wc_MlKemKey_DecodePrivateKey(MlKemKey* key, const unsigned char* in,

/* Decode the public key that is after the private key. */
mlkemkey_decode_public(key->pub, key->pubSeed, p, k);
/* Compute the hash of the public key. */
MLKEM_HASH_H(&key->hash, p, pubLen, computedHash);
p += pubLen;

/* Copy the hash of the encoded public key that is after public key. */
XMEMCPY(key->h, p, sizeof(key->h));
p += WC_ML_KEM_SYM_SZ;

/* Copy the z (randomizer) that is after hash. */
XMEMCPY(key->z, p, sizeof(key->z));

/* Set flags */
key->flags |= MLKEM_FLAG_H_SET | MLKEM_FLAG_BOTH_SET;

/* Compare computed public key hash with stored hash */
if (XMEMCMP(key->h, computedHash, WC_ML_KEM_SYM_SZ) != 0)
ret = MLKEM_PUB_HASH_E;

}

return ret;
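Review bot: In the second hunk the hash comparison runs after `key->flags |= MLKEM_FLAG_H_SET | MLKEM_FLAG_BOTH_SET;`, so a decapsulation key that fails the check still leaves `key` marked as fully loaded, with the unverified `h` and `z` already copied in. A caller that ignores or mishandles MLKEM_PUB_HASH_E could then go on to use that key object. Setting the flags only on success closes the gap: `if (XMEMCMP(key->h, computedHash, WC_ML_KEM_SYM_SZ) != 0) ret = MLKEM_PUB_HASH_E;` followed by `else key->flags |= MLKEM_FLAG_H_SET | MLKEM_FLAG_BOTH_SET;`. The result of `MLKEM_HASH_H` is also not captured here; if that macro can report failure, the zeroed `computedHash` would surface as a hash mismatch rather than the real error, so assigning it to `ret` and testing it before the compare would be clearer. The function starts before the first hunk, so the earlier length and parameter checks are not visible from here.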
6 changes: 4 additions & 2 deletions wolfssl/wolfcrypt/error-crypt.h
Expand Up @@ -307,9 +307,11 @@ enum wolfCrypt_ErrorCodes {
WC_ACCEL_INHIBIT_E = -1002, /* Crypto acceleration is currently inhibited */
BAD_INDEX_E = -1003, /* Bad index */
INTERRUPTED_E = -1004, /* Process interrupted */
MLKEM_PUB_HASH_E = -1005, /* Encoded public key in decapsulation key does
* not match stored hash*/

WC_SPAN2_LAST_E = -1004, /* Update to indicate last used error code */
WC_LAST_E = -1004, /* the last code used either here or in
WC_SPAN2_LAST_E = -1005, /* Update to indicate last used error code */
WC_LAST_E = -1005, /* the last code used either here or in
* error-ssl.h */

WC_SPAN2_MIN_CODE_E = -1999, /* Last usable code in span 2 */