crypto/mlkem: Encapsulate has wrong order of secret and ciphertext #70950
Labels
Critical
A critical problem that affects the availability or correctness of production systems built using Go
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Milestone
Go version
go1.24rc1
Output of
go env
in your module/workspace:What did you do?
Used the new
crypto/mlkem
package from go1.24 (#70122).What did you see happen?
Noticed that the signature for
Encapsulate
isEncapsulate() (ciphertext, sharedKey []byte)
withciphertext
first andsharedKey
second.What did you expect to see?
As per FIPS 203, the order should be "shared secret key" first and "ciphertext" second:
Because both return types are
[]byte
(so you don't get the type system to help you tell them apart), this seems like a potentially dangerous footgun and unfortunate divergence from the published spec. I also imagine any potentialcrypto.KEM
API is going to want secret first. I think the order should be swapped to match FIPS 203 before go1.24 is released.For reference, RFC 9180 (HPKE) also specifies it's KEMs to return secret first.
Note: It seems like the original pre-NIST Kyber spec (from round 3) did have the ciphertext first, see #70122 (comment).
The text was updated successfully, but these errors were encountered: