Include encapsulation randomness in test vectors

FiloSottile · FiloSottile · commit 19adaeb89cca · 2025-08-18T15:52:21.000+02:00
It wasn't obvious what to use for EncapDerand of DHKEM. RFC 9180 uses rejection sampling for DeriveKeyPair, but includes a scalar in the test vectors (which is not really an EncapDerand input). draft-irtf-cfrg-hybrid-kems defines the EncapsDerand of a nominal group to be reduction based. Since DHKEM already has a DeriveKeyPair, I went for that. Fixes #29
diff --git a/reference-implementation/src/kem.rs b/reference-implementation/src/kem.rs
@@ -9,6 +9,7 @@ pub trait Kem {
     const N_PK: usize;
     const N_SK: usize;
     const N_SEED: usize;
+    const N_RANDOM: usize;
 
     type EncapsulationKey;
     type DecapsulationKey;
@@ -23,21 +24,23 @@ pub trait Kem {
     fn deserialize_private_key(skXm: &[u8]) -> Self::DecapsulationKey;
 
     fn encap(rng: &mut impl rand::CryptoRng, pkR: &Self::EncapsulationKey) -> (Vec<u8>, Vec<u8>);
+    fn encap_derand(pkR: &Self::EncapsulationKey, randomness: &[u8]) -> (Vec<u8>, Vec<u8>);
     fn decap(enc: &[u8], skR: &Self::DecapsulationKey) -> Vec<u8>;
 }
 
 pub struct KemWithId<K, const ID: u16>(core::marker::PhantomData<K>);
 
 impl<K, const ID: u16> Kem for KemWithId<K, ID>
 where
-    K: concrete_hybrid_kem::Kem,
+    K: concrete_hybrid_kem::Kem + concrete_hybrid_kem::EncapsDerand,
 {
     const ID: [u8; 2] = ID.to_be_bytes();
     const N_SECRET: usize = K::SHARED_SECRET_LENGTH;
     const N_ENC: usize = K::CIPHERTEXT_LENGTH;
     const N_PK: usize = K::ENCAPSULATION_KEY_LENGTH;
     const N_SK: usize = K::DECAPSULATION_KEY_LENGTH;
     const N_SEED: usize = K::SEED_LENGTH;
+    const N_RANDOM: usize = K::RANDOMNESS_LENGTH;
 
     type EncapsulationKey = <K as concrete_hybrid_kem::Kem>::EncapsulationKey;
     type DecapsulationKey = <K as concrete_hybrid_kem::Kem>::DecapsulationKey;
@@ -78,6 +81,12 @@ where
         (ss.as_bytes().to_vec(), ct.as_bytes().to_vec())
     }
 
+    fn encap_derand(pkR: &Self::EncapsulationKey, randomness: &[u8]) -> (Vec<u8>, Vec<u8>) {
+        use concrete_hybrid_kem::AsBytes;
+        let (ct, ss) = <K as concrete_hybrid_kem::EncapsDerand>::encaps_derand(pkR, randomness).unwrap();
+        (ss.as_bytes().to_vec(), ct.as_bytes().to_vec())
+    }
+
     fn decap(enc: &[u8], skR: &Self::DecapsulationKey) -> Vec<u8> {
         use concrete_hybrid_kem::AsBytes;
         let enc = K::Ciphertext::from(enc);
@@ -92,14 +101,15 @@ pub struct MlKemWithId<K, const ID: u16>(core::marker::PhantomData<K>);
 
 impl<K, const ID: u16> Kem for MlKemWithId<K, ID>
 where
-    K: concrete_hybrid_kem::Kem,
+    K: concrete_hybrid_kem::Kem + concrete_hybrid_kem::EncapsDerand,
 {
     const ID: [u8; 2] = ID.to_be_bytes();
     const N_SECRET: usize = K::SHARED_SECRET_LENGTH;
     const N_ENC: usize = K::CIPHERTEXT_LENGTH;
     const N_PK: usize = K::ENCAPSULATION_KEY_LENGTH;
     const N_SK: usize = K::SEED_LENGTH; // Use seed length for ML-KEM per spec
     const N_SEED: usize = K::SEED_LENGTH;
+    const N_RANDOM: usize = K::RANDOMNESS_LENGTH;
 
     type EncapsulationKey = <K as concrete_hybrid_kem::Kem>::EncapsulationKey;
     type DecapsulationKey = <K as concrete_hybrid_kem::Kem>::DecapsulationKey;
@@ -140,6 +150,12 @@ where
         (ss.as_bytes().to_vec(), ct.as_bytes().to_vec())
     }
 
+    fn encap_derand(pkR: &Self::EncapsulationKey, randomness: &[u8]) -> (Vec<u8>, Vec<u8>) {
+        use concrete_hybrid_kem::AsBytes;
+        let (ct, ss) = <K as concrete_hybrid_kem::EncapsDerand>::encaps_derand(pkR, randomness).unwrap();
+        (ss.as_bytes().to_vec(), ct.as_bytes().to_vec())
+    }
+
     fn decap(enc: &[u8], skR: &Self::DecapsulationKey) -> Vec<u8> {
         use concrete_hybrid_kem::AsBytes;
         let enc = K::Ciphertext::from(enc);
@@ -513,6 +529,7 @@ where
     const N_PK: usize = C::POINT_SIZE;
     const N_SK: usize = C::SCALAR_SIZE;
     const N_SEED: usize = C::SCALAR_SIZE;
+    const N_RANDOM: usize = C::SCALAR_SIZE;
 
     type EncapsulationKey = C::Point;
     type DecapsulationKey = C::Scalar;
@@ -557,6 +574,20 @@ where
         (shared_secret, enc)
     }
 
+    fn encap_derand(pkR: &Self::EncapsulationKey, randomness: &[u8]) -> (Vec<u8>, Vec<u8>) {
+        use crate::concat;
+
+        let (skE, pkE) = Self::derive_key_pair(randomness);
+        let dh = C::dh(&skE, pkR);
+        let enc = Self::serialize_public_key(&pkE);
+
+        let pkRm = Self::serialize_public_key(pkR);
+        let kem_context = concat(&[&enc, &pkRm]);
+
+        let shared_secret = K::extract_and_expand(C::SUITE_ID, &dh, &kem_context, Self::N_SECRET);
+        (shared_secret, enc)
+    }
+
     fn decap(enc: &[u8], skR: &Self::DecapsulationKey) -> Vec<u8> {
         use crate::concat;
 
diff --git a/reference-implementation/src/test_vectors.rs b/reference-implementation/src/test_vectors.rs
@@ -35,6 +35,8 @@ pub struct TestVector {
     pub aead_id: u16,
     #[serde(with = "hex::serde")]
     pub info: Vec<u8>,
+    #[serde(with = "hex::serde")]
+    pub encap_rand: Vec<u8>,
     #[serde(rename = "ikmR", with = "hex::serde")]
     pub ikm_r: Vec<u8>,
     #[serde(rename = "skRm", with = "hex::serde")]
@@ -46,6 +48,8 @@ pub struct TestVector {
     #[serde(with = "hex::serde")]
     pub shared_secret: Vec<u8>,
     #[serde(with = "hex::serde")]
+    pub suite_id: Vec<u8>,
+    #[serde(with = "hex::serde")]
     pub key: Vec<u8>,
     #[serde(with = "hex::serde")]
     pub base_nonce: Vec<u8>,
@@ -211,6 +215,8 @@ impl TestVector {
         H: Kdf,
         A: Aead,
     {
+        use rand::RngCore;
+
         // Fixed test values
         let info = b"4f6465206f6e2061204772656369616e2055726e";
         let pt = b"4265617574792069732074727574682c20747275746820626561757479";
@@ -220,7 +226,6 @@ impl TestVector {
         // Generate random seed for recipient key pair
         let mut rng = rand::rng();
         let ikm_r = {
-            use rand::RngCore;
             // Use the KEM's seed size
             let mut seed = vec![0u8; K::N_SEED];
             rng.fill_bytes(&mut seed);
@@ -231,7 +236,9 @@ impl TestVector {
         let (sk_r, pk_r) = K::derive_key_pair(&ikm_r);
 
         // Perform encapsulation
-        let (shared_secret, enc) = K::encap(&mut rng, &pk_r);
+        let mut encap_rand = vec![0u8; K::N_RANDOM];
+        rng.fill_bytes(&mut encap_rand);
+        let (shared_secret, enc) = K::encap_derand(&pk_r, &encap_rand);
 
         // Create context
         let suite_id = Instance::<K, H, A>::suite_id();
@@ -278,11 +285,13 @@ impl TestVector {
             kdf_id: u16::from_be_bytes(H::ID),
             aead_id: u16::from_be_bytes(A::ID),
             info: info.to_vec(),
+            encap_rand,
             ikm_r: ikm_r.clone(),
             sk_rm: K::serialize_private_key(&sk_r),
             pk_rm: K::serialize_public_key(&pk_r),
             enc,
             shared_secret,
+            suite_id: suite_id.to_vec(),
             key,
             base_nonce,
             exporter_secret,
