Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test vectors for Kyber and ML-KEM. #110

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Test vectors for Kyber and ML-KEM. #110

wants to merge 1 commit into from

Conversation

sophieschmieg
Copy link

Specifically, for round 3 and for the NIST Draft standard, as well as the discussed potential modification of the draft standard that does silently reduce instead of failing on unreduced vectors:

  • The vectors of the round 3 submission package
  • Vectors where public or private keys are not reduced mod q
  • Vectors where the various parts of Kyber are too short or too long
  • Edge cases where the secret and/or the error are zero
  • Vectors where the ciphertext is random bytes
  • Bit flips in ciphertext
  • message all zero/all 0xff
  • Values of rho where SHAKE expands more than usual and read up to 591 bytes.
  • Values of rho where the matrix has relatively large values (maximizing the sum of all entries)
  • Values of rho where the matrix contains an unusual amount of zeroes in NTT form (I found a seed with 3 zeroes mod prime factor of (3329), and a number of seeds with 2 zeroes)
  • Values of rho for which the matrix fails to be invertible mod (3329), which is otherwise a property that a random matrix is expected to have with high probability.

@sophieschmieg
Test vectors for Kyber and ML-KEM.
acd562c 
Specifically, for round 3 and for the NIST Draft standard, as well as the discussed potential modification of the draft standard that does silently reduce instead of failing on unreduced vectors:
* The vectors of the round 3 submission package
* Vectors where public or private keys are not reduced mod q
* Vectors where the various parts of Kyber are too short or too long
* Edge cases where the secret and/or the error are zero
* Vectors where the ciphertext is random bytes
* Bit flips in ciphertext
* message all zero/all 0xff
* Values of rho where SHAKE expands more than usual and read up to 591 bytes.
* Values of rho where the matrix has relatively large values (maximizing the sum of all entries)
* Values of rho where the matrix contains an unusual amount of zeroes in NTT form (I found a seed with 3 zeroes mod prime factor of (3329), and a number of seeds with 2 zeroes)
* Values of rho for which the matrix fails to be invertible mod (3329), which is otherwise a property that a random matrix is expected to have with high probability.
@franziskuskiefer franziskuskiefer mentioned this pull request Apr 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@sophieschmieg