Open falko-strenzke opened 2 months ago
@wussler @TJ-91 This will also affect the main draft. It means anything beyond the shared secrets has to be placed in the fixedInfo according to NIST.SP.800-56Cr2.
This LAMPS issue is addressing the same problem: https://github.com/lamps-wg/draft-composite-kem/issues/26
As pointed out by Quynh: For SHA3-(512/256), the only requirement is that the input to the hash function must be: counter || ECC shared secret output || ML-KEM shared secret output || anything else. So, Z is the ECC shared secret output || ML-KEM shared secret output.
See also https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf#page=22
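The input layout described above, written out as an added example (not code from the draft or from the issue author): a one-step KDF in the style of NIST.SP.800-56Cr2 with SHA3-256 as the hash, where Z is only the two shared secrets and everything else goes into fixedInfo. The function names, the 32-byte output length and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import struct


def one_step_kdf(z: bytes, fixed_info: bytes, out_len: int,
                 hash_name: str = "sha3_256") -> bytes:
    """Hash-based one-step KDF: K(i) = H(counter || Z || FixedInfo)."""
    if not z:
        raise ValueError("Z (the shared secret) must not be empty")
    if out_len <= 0:
        raise ValueError("requested output length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    reps = -(-out_len // h_len)          # ceil(out_len / h_len)
    if reps > 0xFFFFFFFF:
        raise ValueError("output length too large for a 32-bit counter")
    out = b""
    for counter in range(1, reps + 1):
        h = hashlib.new(hash_name)
        h.update(struct.pack(">I", counter))  # 32-bit big-endian counter first
        h.update(z)                           # then the shared secret(s)
        h.update(fixed_info)                  # then "anything else"
        out += h.digest()
    return out[:out_len]


def combine(ecc_ss: bytes, mlkem_ss: bytes, fixed_info: bytes,
            out_len: int = 32) -> bytes:
    """Hypothetical combiner: Z = ECC shared secret || ML-KEM shared secret."""
    z = ecc_ss + mlkem_ss
    return one_step_kdf(z, fixed_info, out_len)


# Constructed sample values, not test vectors from any specification.
ECC_SS = bytes(range(32))
MLKEM_SS = bytes(range(32, 64))
# Constructed stand-in for ciphertexts, public keys, domain separator, etc.
FIXED_INFO = b"example-ecc-ct" + b"example-mlkem-ct" + b"example-label"

if __name__ == "__main__":
    print(combine(ECC_SS, MLKEM_SS, FIXED_INFO).hex())
```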