Closed ounsworth closed 2 months ago
Make sure to update the FIPS Compliance section, especially to reference the secondary NIST documents that make this ok. -- basically we want someone to be able to hand this section to their FIPS lab, and the argument is all laid out for them.
From Quynh on the above openpgp thread:
The counter is allowed to be skipped when the hash function is executed only once, as specified on page 159 here: https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

When X is a pseudorandom key, not a raw shared secret, KMAC-KDF in SP 800-108 (on page 11 here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-upd1.pdf) is an approved KDF where the Key Derivation Key (K) is a concatenation of multiple pseudorandom keys, as specified in Section 6.3, pages 21 & 22 here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf
From Falko:
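Added example (not text or code from Quynh, Falko, or the draft): the SP 800-108r1 counter-mode shape in Python, with HMAC-SHA-256 standing in for KMAC as the PRF because KMAC is not in the Python standard library. K_IN is a concatenation of two constructed pseudorandom keys in the manner of SP 800-133r2 Section 6.3, the label and context are placeholders, and the second function shows the single-PRF-call form in which the counter field is left out.

```python
import hashlib
import hmac

PRF_LEN_BITS = 256  # output size of HMAC-SHA-256, the PRF used here


def derivation_key(*pseudorandom_keys: bytes) -> bytes:
    """K_IN formed by concatenating pseudorandom keys (SP 800-133r2, Section 6.3)."""
    return b"".join(pseudorandom_keys)


def fixed_input(label: bytes, context: bytes, length_bits: int) -> bytes:
    """Fixed input data: Label || 0x00 || Context || [L]_2, with [L]_2 as 32-bit big-endian."""
    return label + b"\x00" + context + length_bits.to_bytes(4, "big")


def kdf_counter_mode(k_in: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """SP 800-108r1 Section 4.1: K(i) = PRF(K_IN, [i]_2 || fixed input), i = 1..n, r = 32."""
    if length_bits % 8:
        raise ValueError("length_bits must be a multiple of 8")
    n = -(-length_bits // PRF_LEN_BITS)  # ceil(L / h)
    data = fixed_input(label, context, length_bits)
    out = b"".join(
        hmac.new(k_in, i.to_bytes(4, "big") + data, hashlib.sha256).digest()
        for i in range(1, n + 1)
    )
    return out[: length_bits // 8]


def kdf_single_call(k_in: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """Counter field omitted. The FIPS 140-3 IG allows this only when the PRF
    runs exactly once, i.e. n == 1, so the requested length must not exceed h."""
    if length_bits % 8 or length_bits > PRF_LEN_BITS:
        raise ValueError("counter may be omitted only when one PRF call suffices")
    data = fixed_input(label, context, length_bits)
    return hmac.new(k_in, data, hashlib.sha256).digest()[: length_bits // 8]


# Constructed sample inputs (placeholders, not real key material or the draft's values).
SS1 = bytes(range(0x00, 0x20))  # constructed pseudorandom key 1
SS2 = bytes(range(0x20, 0x40))  # constructed pseudorandom key 2
K_IN = derivation_key(SS1, SS2)
LABEL = b"example-label"
CONTEXT = b"example-context"

if __name__ == "__main__":
    print("single call :", kdf_single_call(K_IN, LABEL, CONTEXT, 256).hex())
    print("counter mode:", kdf_counter_mode(K_IN, LABEL, CONTEXT, 512).hex())
```

Requesting more than one PRF block from the single-call form is rejected, which is the condition under which the counter becomes mandatory again.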