Description
The ML-KEM encapsulation function contains two checks on the public key length and modulus.
bc-java/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMEngine.java
Lines 289 to 300 in 5ce0d4d
It does not follow the NIST recommendations FIPS 203 MODULE-LATTICE-BASED KEY-ENCAPSULATION MECHANISM
ML-KEM.Encaps shall not be run with an encapsulation key that has not been checked as above.
However, checking of the encapsulation key need not be performed by the encapsulating party,
nor with every execution of ML-KEM.Encaps. Instead, assurance that these checks have been
performed can be acquired through other means (see SP 800-227 [1]).
And in SP 800-227:
- If the cryptographic module generated an input internally using an algorithm that
ensures validity and stored that input in a manner that prevents modification, then
the module is not required to check that input. For example, if the module gener-
ated a decapsulation key dk via KeyGen and then stored dk in a manner that prevents
modification, then the module can later invoke Decaps directly on dk without per-
forming any input checking.629- If the cryptographic module checks an input once and stores that input in a man-
ner that prevents modification, then the module is not required to check that input
again. For example, if the module performed input-checking on a given encapsula-
tion key ek and stored it in a manner that prevents modification, then the module
may invoke Encaps directly on ek (even repeatedly) without performing any further
input checking.
My knowledge of the codebase is limited, but as far as I understand, the check could be moved to MLKEMPublicKeyParameters constructor to follow the standard.
Célian Glénaz (Quarkslab)