On Sun, Mar 01, 2026 at 04:38:55PM -0500, Deirdre Connolly wrote:
> > if you used the same encapsulation randomness to encapsulate to two
> > different public keys (from the same parameter set), then it is fairly easy
> > to recover both shared secrets (assuming access to both ciphertexts and
> > public keys). Hence, the MUST NOT reuse encapsulation randomness statement
> > is there for an extremely good reason.
>
> Can you explain how this works for ML-KEM? Or have a reference?
On Sun, Mar 01, 2026 at 04:42:21PM -0500, Deirdre Connolly wrote:
> Wait, if you _have_ the encaps randomness, you have everything the Encaps()
> side does, and _must_ have the shared secret(s), otherwise the KEM scheme
> is incorrect
What Scott appears to be saying is that an **unknown** but reused random
`m` in Algorithm 14 of FIPS 203,
    19: u ← NTT^{-1}(NTT(A)^T ∘ ŷ) + e_1
    20: μ ← Decompress_1(ByteDecode_1(m))
    21: v ← NTT^{-1}(NTT(t)^T ∘ ŷ) + e_2 + μ       ▷ encode plaintext m into polynomial v
    22: c_1 ← ByteEncode_{d_u}(Compress_{d_u}(u))     ▷ run ByteEncode_{d_u} and Compress_{d_u} k times
    23: c_2 ← ByteEncode_{d_v}(Compress_{d_v}(v))
    24: return c ← (c_1 ‖ c_2)
when used for two different public keys compromises both shared secrets.
Behind the scenes we also have from algorithm 13 (KeyGen) that (ignoring
the NTT isomorphism):
    18: t ← A ∘ s + e
where s is the secret decapsulation private key.
The way that `m` enters the ciphertext is essentially linear; the claim
is then that it can be recovered given two instances of the above data
with different unknown triples (y, e_1, e_2).
The attacker has access to two sets of:
* Public data A and t
* Rounded encodings c_1 of vector u and c_2 of scalar v
and in this scenario knowledge that the scalar μ is a high-order bit
encoding of the bits of the desired common unknown m.
Anyone care to post the details or a reference?
--
Viktor. 🇺🇦 Слава Україні!
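A toy model of the structure quoted above (Algorithm 13 line 18 and Algorithm 14 lines 19-24), added here as an illustration; it is not code from the thread or from any ML-KEM implementation. It is deliberately not ML-KEM: there is no NTT, coefficients are sampled uniformly from a small range instead of the centered binomial distribution, and (y, e_1, e_2) are drawn at random rather than derived from G(m ‖ H(ek)). It encrypts one m under two independent keys so the linear entry of μ into v and the rounding in c_2 can be traced, and checks that both decrypt.

```python
import random

Q, N, K, D_U, D_V = 3329, 256, 2, 10, 4  # ML-KEM-512 sizes; constructed toy, not FIPS 203

def poly_mul(a, b):  # schoolbook product in Z_q[x]/(x^N + 1); no NTT in this toy
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q  # x^N = -1
    return out

def poly_add(*ps):
    return [sum(c) % Q for c in zip(*ps)]
def dot(va, vb):  # inner product of two length-K vectors of polynomials
    return poly_add(*[poly_mul(a, b) for a, b in zip(va, vb)])
def compress(p, d):  # Compress_d from FIPS 203: round((2^d / q) x) mod 2^d
    return [((x << d) + Q // 2) // Q % (1 << d) for x in p]
def decompress(p, d):  # Decompress_d: round((q / 2^d) y)
    return [(y * Q + (1 << (d - 1))) >> d for y in p]
def small_poly(rng, eta=2):  # stand-in for CBD sampling: uniform in [-eta, eta]
    return [rng.randint(-eta, eta) % Q for _ in range(N)]

def keygen(rng):
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(K)] for _ in range(K)]
    s, e = [small_poly(rng) for _ in range(K)], [small_poly(rng) for _ in range(K)]
    t = [poly_add(dot(A[i], s), e[i]) for i in range(K)]         # Alg. 13 line 18: t = A s + e
    return (A, t), s

def encrypt(pk, m_bits, rng):
    A, t = pk
    y, e1, e2 = [small_poly(rng) for _ in range(K)], [small_poly(rng) for _ in range(K)], small_poly(rng)
    u = [poly_add(dot([A[j][i] for j in range(K)], y), e1[i]) for i in range(K)]  # line 19: A^T y + e1
    mu = decompress(m_bits, 1)                                    # line 20: bits -> {0, ceil(q/2)}
    v = poly_add(dot(t, y), e2, mu)                               # line 21: v = t^T y + e2 + mu
    return [compress(ui, D_U) for ui in u], compress(v, D_V)      # lines 22-24: rounded c1, c2

def decrypt(s, c1, c2):
    u = [decompress(ci, D_U) for ci in c1]
    w = poly_add(decompress(c2, D_V), [(-x) % Q for x in dot(s, u)])  # v - s^T u = mu + small noise
    return compress(w, 1)                                         # high-order bit recovers m

def same_m_two_keys(seed=1):  # one m, two independent keys; returns (both decrypt to m, c2 differ)
    rng = random.Random(seed)
    m = [rng.randint(0, 1) for _ in range(N)]
    (pk1, s1), (pk2, s2) = keygen(rng), keygen(rng)
    (c1a, c2a), (c1b, c2b) = encrypt(pk1, m, rng), encrypt(pk2, m, rng)
    return decrypt(s1, c1a, c2a) == m and decrypt(s2, c1b, c2b) == m, c2a != c2b
```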
TLS mailing list -- [email protected]