Hi,

2.3. Recipient Tests states that:

"Receiving and handling of malformed ML-KEM public keys or ciphertexts SHOULD follow the input validation described in the Module-Lattice-Based KEM standard [FIPS203]."

"Responders SHOULD perform the checks specified in section 7.2 of the Module-Lattice-Based KEM standard [FIPS203] before the Encaps(pk) operation."

This seems like a violation of FIPS 203, which states that:

"ML-KEM.Encaps shall not be run with an encapsulation key that has not been checked as above"

"ML-KEM.Decaps shall not be run with a decapsulation key or a ciphertext unless both have been checked."

"Ciphertext checking shall be performed with every execution of ML-KEM.Decaps"

It does not matter if skipping these tests is secure or not; if you skip any mandatory parts of FIPS 203 it is no longer ML-KEM. ML-KEM-1024 is around 500 times faster than MODP 4096; it does not need further optimizations.

I suggest draft-ietf-ipsecme-ikev2-mlkem-02 is changed to state that all requirements in FIPS 203 SHALL be followed. I am against IETF publishing anything claiming to be ML-KEM but then violating FIPS 203.

Cheers,
John
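The FIPS 203 Section 7.2 input checks the post refers to, as an added example (not code from the post, the draft, or any IKEv2 implementation): the encapsulation key type and modulus checks and the ciphertext type check, with the parameter sets taken from FIPS 203 Table 2. The sample key built by `constructed_ek` is a constructed byte string of the right shape, not a real key.

```python
# Added example (not from the post or the draft): FIPS 203 Section 7.2 input
# checks that must run before ML-KEM.Encaps / Decaps. Parameter sets and the
# check definitions follow FIPS 203; constructed_ek() builds a fake key.
Q = 3329  # ML-KEM modulus q
PARAMS = {"ML-KEM-512": (2, 10, 4), "ML-KEM-768": (3, 10, 4), "ML-KEM-1024": (4, 11, 5)}  # k, du, dv

def byte_decode_12(b: bytes) -> list:
    """ByteDecode_12 (FIPS 203 Alg. 6): 384 bytes -> 256 coefficients reduced mod q."""
    f = []
    for i in range(0, 384, 3):
        b0, b1, b2 = b[i], b[i + 1], b[i + 2]      # two 12-bit little-endian values per 3 bytes
        f.append((b0 | ((b1 & 0x0F) << 8)) % Q)
        f.append(((b1 >> 4) | (b2 << 4)) % Q)
    return f

def byte_encode_12(f: list) -> bytes:
    """ByteEncode_12 (FIPS 203 Alg. 5): 256 coefficients (each < 4096) -> 384 bytes."""
    out = bytearray()
    for i in range(0, 256, 2):
        c0, c1 = f[i], f[i + 1]
        out += bytes([c0 & 0xFF, (c0 >> 8) | ((c1 & 0x0F) << 4), c1 >> 4])
    return bytes(out)

def encapsulation_key_check(ek: bytes, param_set: str) -> bool:
    """FIPS 203 7.2 encapsulation key check: type check, then modulus check."""
    k, _, _ = PARAMS[param_set]
    if len(ek) != 384 * k + 32:                    # type check: ek is exactly 384k + 32 bytes
        return False
    for i in range(k):                             # modulus check per polynomial: decode then
        poly = ek[384 * i: 384 * (i + 1)]          # re-encode must be the identity, which holds
        if byte_encode_12(byte_decode_12(poly)) != poly:   # only if every coefficient is < q
            return False
    return True

def ciphertext_check(c: bytes, param_set: str) -> bool:
    """FIPS 203 7.2 ciphertext type check: c is exactly 32(du*k + dv) bytes."""
    k, du, dv = PARAMS[param_set]
    return len(c) == 32 * (du * k + dv)

def constructed_ek(param_set: str, bad_coeff=None) -> bytes:
    """Constructed key-shaped bytes (not a real key); optionally plant one out-of-range coefficient."""
    k, _, _ = PARAMS[param_set]
    coeffs = [(7 * i) % Q for i in range(256)]
    if bad_coeff is not None:
        coeffs[0] = bad_coeff                      # e.g. Q itself: encodes fine, fails modulus check
    return byte_encode_12(coeffs) * k + b"\x00" * 32  # 32-byte rho placeholder

if __name__ == "__main__":
    print(encapsulation_key_check(constructed_ek("ML-KEM-1024", Q), "ML-KEM-1024"))  # False
```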
_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
