On Fri, Jun 26, 2026, at 12:47, David Benjamin wrote: >> 2. (Decapsulation key type check) If dk is not a byte array of length >> 768𝑘+96 for the value of >> 𝑘 specified by the relevant parameter set, then input checking has failed. > > This is the *length of the private key*. That is (hehe) checking what > you generated. It is *not* what you received from the other side.
I see, thanks for the explanation. I sort of assumed that FIPS 203 wouldn't be THAT silly. Bad assumption on my part. Given that any checking that exists is already implied by an invocation of Encaps/Decaps, would it be acceptable to simply remove the explicit pointer to the checks? I've suggested that on the PR: https://github.com/tlswg/draft-ietf-tls-mlkem/pull/25/changes#r3478889869 _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
