fix: add back kyber for old fingerprints

2025-04-03 20:17:36 +03:00 · 2025-03-01 01:48:06 -07:00 · 2025-03-01 01:48:06 -07:00 · 9fada94f7e
commit 9fada94f7e
parent a99feacec2
4 changed files with 66 additions and 9 deletions
--- a/u_key_schedule.go
+++ b/u_key_schedule.go
@ -0,0 +1,30 @@
+package tls
+
+import (
+	"crypto/mlkem"
+
+	"golang.org/x/crypto/sha3"
+)
+
+// kyberDecapsulate implements decapsulation according to Kyber Round 3.
+func kyberDecapsulate(dk *mlkem.DecapsulationKey768, c []byte) ([]byte, error) {
+	K, err := dk.Decapsulate(c)
+	if err != nil {
+		return nil, err
+	}
+	return kyberSharedSecret(c, K), nil
+}
+
+func kyberSharedSecret(c, K []byte) []byte {
+	// Package mlkem implements ML-KEM, which compared to Kyber removed a
+	// final hashing step. Compute SHAKE-256(K || SHA3-256(c), 32) to match Kyber.
+	// See https://words.filippo.io/mlkem768/#bonus-track-using-a-ml-kem-implementation-as-kyber-v3.
+	h := sha3.NewShake256()
+	h.Write(K)
+	ch := sha3.New256()
+	ch.Write(c)
+	h.Write(ch.Sum(nil))
+	out := make([]byte, 32)
+	h.Read(out)
+	return out
+}