On Thu, Jul 09, 2026 at 09:05:59AM +0200, Henrick Hellström wrote:
> On 2026-07-09 08:17, Tanja Lange wrote:
> > their ML-KEM version, true to spec, does not hash the RNG
> > https://github.com/randombit/botan/blob/master/src/lib/pubkey/kyber/
> > ml_kem/ml_kem_impl.cpp
>
> I am not involved in that particular implementation, but this appears to be
> taken out of context. You are NOT supposed to feed a TRNG directly into
> ML-KEM (or any other cryptographic primitive that requires uniform random
> bits), even if you hash the output. Instead, you filter the raw entropy
> through a Deterministic Random Bit Generator, such as CTR DRBG or HMAC DRBG
> from NIST SP 800-90A. The output from an approved DRBG doesn't have to be
> hashed.
>
Totally different context here.
Both use a PRNG, not TRN, as they should.
The question by Benjamin Kaduk was if there are cases where the server hellow
would not leak the state of the PRNG (adding P for clarity^*) and Botan
implements that protection. There are other libraries that have seperate PRNGs
for public and private values.
All the best
Tanja
* The context of these emails is a Dual-EC style weakness, so we're talking
about a PRNG
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]