Closed samyuktha123sets closed 3 weeks ago
Apologies for the very late reply.
Yes, you are correct, the public P is expanded from seed_pk by using AES-128 in counter mode with seed_pk as key, and an IV of all zeros (and starts with a counter of all zeros as well).
You can read more in Algorithm 5 and Section 2.1.3 of the specification: https://pqmayo.org/assets/specs/mayo.pdf
Does that answer your question?
Closing, feel free to reopen @samyuktha123sets if you want to add to it.
In the mayo_keypair_compact function of the reference implementation, there is a piece of code that makes a call to AES-128 CTR mode:
PK_PRF((unsigned char *)bitsliced_P, param_P1_bytes + param_P2_bytes, seed_pk, param_pk_seed_bytes);
I would like to confirm that the AES-128-CTR code is invoked with seed_pk as the secret key and encrypts a block of zeros with an initial ctr value of all zeros. What are the plaintext, IV, and counter value used in the AES-128-CTR reference implementation?