Hi all,
I have corrected the composites of ECC + ML-KEM/DSA and their corresponding hash functions.
I corrected the key combiner to make it compliant with 56C. In 56C, Z must be either the EC shared secret, the ML-KEM shared secret, or the concatenation of them. Z does not include anything else. So I moved the ciphertexts to the FixedInfo (called OtherInfo in the previous version of 56C); see page 13 of https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf for the definition of Z.
(counter || Z || FixedInfo) is the x in H(x) on page 11 and x is the encData.
Including the ciphertexts does not hurt security. That is why I don't object to it, but it does not mean any endorsement from me.
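
The combiner layout described in this message, as an added example that is not the author's or the draft's own code: the SP 800-56C one-step KDF with a hash as H, where Z holds only the concatenated shared secrets and the ciphertexts go into FixedInfo. The choice of SHA3-256, the EC-then-ML-KEM ordering, the plain concatenation used for FixedInfo, the function names and all sample byte strings are assumptions.

```python
import hashlib
import struct


def one_step_kdf(z: bytes, fixed_info: bytes, out_len: int,
                 hash_name: str = "sha3_256") -> bytes:
    """SP 800-56C one-step KDF, hash option: K(i) = H(counter || Z || FixedInfo)."""
    if not z:
        raise ValueError("Z (the shared secret) must not be empty")
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    h_len = hashlib.new(hash_name).digest_size
    reps = -(-out_len // h_len)  # ceil(out_len / h_len)
    if reps > 0xFFFFFFFF:
        raise ValueError("requested output exceeds the 32-bit counter range")
    out = b""
    for counter in range(1, reps + 1):
        # counter is a 32-bit big-endian integer starting at 1
        x = struct.pack(">I", counter) + z + fixed_info
        out += hashlib.new(hash_name, x).digest()
    return out[:out_len]  # leftmost out_len bytes


def combine(ss_ec: bytes, ss_mlkem: bytes, ct_ec: bytes, ct_mlkem: bytes,
            out_len: int = 32) -> bytes:
    """Hybrid key combiner: Z carries secrets only, ciphertexts are FixedInfo."""
    z = ss_ec + ss_mlkem            # assumed order: EC first, then ML-KEM
    fixed_info = ct_ec + ct_mlkem   # assumed encoding: plain concatenation
    return one_step_kdf(z, fixed_info, out_len)


# Constructed sample values (not real key material).
SS_EC = bytes(range(32))                    # stand-in for the ECDH shared secret
SS_MLKEM = bytes(range(32, 64))             # stand-in for the ML-KEM shared secret
CT_EC = b"\xaa" * 32                        # stand-in for the ephemeral EC public key
CT_MLKEM = b"\xbb" * 64                     # stand-in for the ML-KEM ciphertext

if __name__ == "__main__":
    print(combine(SS_EC, SS_MLKEM, CT_EC, CT_MLKEM).hex())
```
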