Test vectors for Kyber and ML-KEM. #110

Open

sophieschmieg

Specifically, for round 3 and for the NIST Draft standard, as well as the discussed potential modification of the draft standard that does silently reduce instead of failing on unreduced vectors:

  • The vectors of the round 3 submission package
  • Vectors where public or private keys are not reduced mod q
  • Vectors where the various parts of Kyber are too short or too long
  • Edge cases where the secret and/or the error are zero
  • Vectors where the ciphertext is random bytes
  • Bit flips in ciphertext
  • message all zero/all 0xff
  • Values of rho where SHAKE expands more than usual and read up to 591 bytes.
  • Values of rho where the matrix has relatively large values (maximizing the sum of all entries)
  • Values of rho where the matrix contains an unusual amount of zeroes in NTT form (I found a seed with 3 zeroes mod prime factor of (3329), and a number of seeds with 2 zeroes)
  • Values of rho for which the matrix fails to be invertible mod (3329), which is otherwise a property that a random matrix is expected to have with high probability.

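
Added example, not part of the pull request or the project's code: a sketch of the two behaviours the description contrasts for public keys whose coefficients are not reduced mod q, strict rejection versus silent reduction. The function names and the sample keys are hypothetical; the layout assumed is the usual Kyber/ML-KEM one of k polynomials packed as 12-bit little-endian coefficients followed by the 32-byte rho.

```python
Q = 3329          # Kyber / ML-KEM modulus q
POLY_BYTES = 384  # 256 coefficients x 12 bits

def decode12(data):
    """Unpack little-endian 12-bit integers, two per 3 bytes."""
    out = []
    for i in range(0, len(data), 3):
        b0, b1, b2 = data[i:i + 3]
        out.append(b0 | ((b1 & 0x0F) << 8))
        out.append((b1 >> 4) | (b2 << 4))
    return out

def encode12(coeffs):
    """Inverse of decode12; every value must be below 4096."""
    out = bytearray()
    for a, b in zip(coeffs[0::2], coeffs[1::2]):
        out += bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
    return bytes(out)

def _split(ek, k):
    """Length check shared by both variants; returns (t bytes, rho)."""
    if len(ek) != POLY_BYTES * k + 32:
        raise ValueError("wrong public key length")
    return ek[:POLY_BYTES * k], ek[POLY_BYTES * k:]

def check_public_key(ek, k):
    """Strict: reject any coefficient >= q."""
    t_bytes, _rho = _split(ek, k)
    if any(c >= Q for c in decode12(t_bytes)):
        raise ValueError("coefficient not reduced mod q")
    return ek

def reduce_public_key(ek, k):
    """Lenient: same length check, then reduce silently."""
    t_bytes, rho = _split(ek, k)
    return encode12([c % Q for c in decode12(t_bytes)]) + rho

# Constructed sample keys for k = 2 (not taken from the PR's vectors).
GOOD = encode12([1] * 512) + bytes(32)
BAD = encode12([Q + 1] + [1] * 511) + bytes(32)

if __name__ == "__main__":
    for name, key in (("GOOD", GOOD), ("BAD", BAD)):
        try:
            check_public_key(key, 2)
            print(name, "accepted")
        except ValueError as exc:
            print(name, "rejected:", exc)
    print("reduced BAD == GOOD:", reduce_public_key(BAD, 2) == GOOD)
```

An implementation under test should match exactly one of these behaviours for a given vector set, so a harness can use the pair to tell which variant it is looking at.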
@rben-dev

Hi,

Thanks a lot for sharing these useful ML-KEM edge cases test vectors!

Are there any updates planned for the finalized FIPS203 ML-KEM release from August 2024 which slightly differs from the previous NIST draft? (namely the addition of domain separation for K-PKE.KeyGen and the swapped indices for the matrix access).

Thanks in advance,
Regards,
