enabled domain separation to mlkem keygen

royb · royb · commit f33ab6e1ef13 · 2024-08-15T14:14:43.000-04:00
disabled old KAT test, added acvp sample vector
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberEngine.java
@@ -209,7 +209,6 @@ public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)
 
         symmetric.hash_h(hashedPublicKey, indCpaKeyPair[0], 0);
 
-
         byte[] outputPublicKey = new byte[KyberIndCpaPublicKeyBytes];
         System.arraycopy(indCpaKeyPair[0], 0, outputPublicKey, 0, KyberIndCpaPublicKeyBytes);
         return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z };
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberIndCpa.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberIndCpa.java
@@ -55,11 +55,9 @@ byte[][] generateKeyPair(byte[] d)
         // (p, sigma) <- G(d || k)
 
         byte[] buf = new byte[64];
-        //TODO: specs specifies K to be concatenated to with d but acvp tests says otherwise
-        symmetric.hash_g(buf, d);
-//        byte[] k = new byte[1];
-//        k[0] = (byte)kyberK;
-//        symmetric.hash_g(buf, Arrays.concatenate(d, k));
+        byte[] k = new byte[1];
+        k[0] = (byte)kyberK;
+        symmetric.hash_g(buf, Arrays.concatenate(d, k));
 
         byte[] publicSeed = new byte[32]; // p in docs
         byte[] noiseSeed = new byte[32]; // sigma in docs
diff --git a/core/src/test/java/org/bouncycastle/pqc/crypto/test/CrystalsKyberTest.java b/core/src/test/java/org/bouncycastle/pqc/crypto/test/CrystalsKyberTest.java
