cryptojedi
commented
1 year ago The "rejection key" on ciphertext mismatch should be KDF(z + ct) instead of KDF(z + H(ct)).
Closed bwesterb closed 1 year ago
cryptojedi
commented
1 year ago The "rejection key" on ciphertext mismatch should be KDF(z + ct) instead of KDF(z + H(ct)).
bwesterb
commented
1 year ago The "rejection key" on ciphertext mismatch should be KDF(z + ct) instead of KDF(z + H(ct)).
Fixed.
This change is expected to be included in NIST's standard. See
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/WFRDl8DqYQ4/m/54var7dfAQAJ