mlswg / mls-implementations

Coordination of implementation and interop specific details

Problems with encrypt_with_label in crypto basics test vectors using certain cipher suites #173

Open RonPeters opened 8 months ago

RonPeters commented 8 months ago

I've been able to get everything working in my own implementation of crypto basics, except DecryptWithLabel using the encrypt_with_label test vectors using certain KEMs.

I can round-trip just fine with EncryptWithLabel to generate my own kem_output_candidate and ciphertext_candidate, and then feed them to DecryptWithLabel. But I can't decrypt using the raw kem_output in the test vector.

The specific error from my crypto library is "The computed authentication tag did not match the input authentication tag" when decrypting.

Please note I only have this problem with KEM IDs 0x0010, 0x0011, and 0x0012 (DHKEMP256, DHKEMP384, DHKEMP521) in cipher suites 2, 5, and 7. It's fine with X25519 (cipher suites 1 and 3). I do not yet have an X448 implementation.

I've tried everything, so I suspect the test vectors may be wrong.
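When a reference vector fails to open with an authentication-tag mismatch while a self-generated EncryptWithLabel/DecryptWithLabel round trip succeeds, the implementation is consistent with itself but not with whatever produced the vector, so each input to HPKE is worth comparing byte-for-byte against the specification. The following is an added example, not code from the mls-implementations repository or from either poster: it builds the `EncryptContext` bytes that RFC 9420 section 5.1.3 passes to HPKE `SealBase`/`OpenBase` as `info`, using only the Python standard library, so an implementation can dump its own `info` bytes and diff them against this reference. The sample label and context in the `__main__` block are constructed, not taken from the test-vector files.

```python
# Added example: not code from the mls-implementations repository or from
# either poster.  It reproduces the EncryptContext framing of RFC 9420
# section 5.1.3 with only the standard library, so an implementer can diff
# the bytes it hands to HPKE SealBase/OpenBase as `info` against this
# reference when an encrypt_with_label vector fails to open.

def encode_varint(n: int) -> bytes:
    """MLS variable-length integer (RFC 9420 section 2.1.2): the two high
    bits of the first byte give the encoded width (00 -> 1 byte, 01 -> 2,
    10 -> 4); the value must use the shortest width that fits."""
    if n < 0x40:
        return bytes([n])
    if n < 0x4000:
        return (0x4000 | n).to_bytes(2, "big")
    if n < 0x40000000:
        return (0x80000000 | n).to_bytes(4, "big")
    raise ValueError("value too large for an MLS varint")


def decode_varint(buf: bytes, pos: int = 0) -> tuple[int, int]:
    """Decode one varint at buf[pos]; return (value, new_pos).
    Rejects the reserved 11 prefix and non-minimal encodings, as the RFC
    requires decoders to do."""
    prefix = buf[pos] >> 6
    if prefix == 3:
        raise ValueError("invalid varint prefix 11")
    width = 1 << prefix
    chunk = buf[pos:pos + width]
    if len(chunk) != width:
        raise ValueError("truncated varint")
    value = int.from_bytes(chunk, "big") & ((1 << (8 * width - 2)) - 1)
    if (width == 2 and value < 0x40) or (width == 4 and value < 0x4000):
        raise ValueError("non-minimal varint encoding")
    return value, pos + width


def encode_opaque_v(data: bytes) -> bytes:
    """TLS-style opaque<V>: varint length followed by the bytes."""
    return encode_varint(len(data)) + data


def decode_opaque_v(buf: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Inverse of encode_opaque_v; returns (data, new_pos)."""
    n, pos = decode_varint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated opaque<V>")
    return buf[pos:pos + n], pos + n


LABEL_PREFIX = b"MLS 1.0 "


def encrypt_context(label: bytes, context: bytes) -> bytes:
    """Serialize EncryptContext {label<V>, context<V>} with the label
    prefixed by "MLS 1.0 ".  These bytes are the HPKE `info` argument for
    both EncryptWithLabel (SealBase) and DecryptWithLabel (OpenBase); the
    AEAD associated data is the empty string."""
    return encode_opaque_v(LABEL_PREFIX + label) + encode_opaque_v(context)


def parse_encrypt_context(buf: bytes) -> tuple[bytes, bytes]:
    """Inverse of encrypt_context: returns (label, context) with the prefix
    stripped, rejecting trailing bytes or a missing prefix."""
    full_label, pos = decode_opaque_v(buf, 0)
    context, pos = decode_opaque_v(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after EncryptContext")
    if not full_label.startswith(LABEL_PREFIX):
        raise ValueError("label lacks the MLS 1.0 prefix")
    return full_label[len(LABEL_PREFIX):], context


if __name__ == "__main__":
    # Constructed sample (not an entry from the test-vector files), shaped
    # like an encrypt_with_label case: a text label and a hex context.
    sample = {"label": "HPKE test", "context": "00112233"}
    info = encrypt_context(sample["label"].encode(), bytes.fromhex(sample["context"]))
    print("info =", info.hex())
    assert parse_encrypt_context(info) == (b"HPKE test", bytes.fromhex("00112233"))
```

The `info` bytes feed the HPKE key schedule, so a single differing byte there (a missing `MLS 1.0 ` prefix, a two-byte length written where a one-byte one is required, or the reverse) yields a different AEAD key and nonce and therefore a tag mismatch on open, even though a sealer and opener that share the same mistake will round-trip happily; the strict decoder above also rejects the non-minimal lengths that a lenient parser would let through.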

Aurvandill commented 8 months ago

Hello, I think it might be a problem in the cryptography library you are using. In my Python MLS implementation it works fine using pyhpke.

If I'm allowed to ask, what library are you using?

With best regards, Aurvandill

RonPeters commented 8 months ago

I developed my own HPKE library in C#. It passes all the test vectors in RFC 9180, including the errata: https://www.rfc-editor.org/rfc/rfc9180.html

I wonder if it's a cross-platform serialization issue (Linux vs Windows). Let me come up with a very narrow test case and see what I find.

Aurvandill commented 8 months ago

@RonPeters have you come up with some narrow test case?

RonPeters commented 8 months ago

Not yet. I've been heads down implementing the TreeKEM test case. It's difficult for me to extract a simple repro for this because I had to roll my own HPKE library (which passes all the HPKE test vectors).

I do plan on submitting a repro once I wrap up the other test vectors.

RonPeters commented 7 months ago

I have successfully implemented all the test vectors except for the ones that experienced this error for the AES GCM-based cipher suites. The Crypto Basics, TreeKEM, Passive Client Handling Commit, and Passive Client Handling Welcome tests all experience this error for the cipher suites listed above. So I finally took the time to swap out the encryption library for AES GCM and still got the error.

To summarize, on .NET 8 the AEAD Open operations fail with the provided test vectors using both the Microsoft implementation of AES GCM and Bouncy Castle v2.2.1. I am on Windows, but the code is cross platform, so I will try on my Mac in the morning.

At this time, I do not consider this an urgent issue, since cipher suite 0x0001 is the only one required and I have it working perfectly. But for interoperability, it would be nice to figure this out.