JDK-8347938: Switch to latest ML-KEM private key encoding


    • Bug
    • Resolution: Unresolved
    • P2
    • 25
    • 25
    • security-libs
    • None

      In the implementation of [JEP-496](https://openjdk.org/jeps/496), the PKCS #8 encoding of an ML-KEM private key includes the complete private key material as defined in FIPS 203: `dk_PKE ‖ ek ‖ H(ek) ‖ z`. We also noted that "The encoding used by the ML-KEM KeyFactory is defined in [a draft IETF RFC](https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/). We will track changes in this draft until it is published."

      In November 2024, the 5th version of this draft clarified that "an ML-KEM private key is encoded by storing its 64-octet seed in the privateKey field", which is different from our current encoding format.

      Since then, there have been more proposals for the encoding. See the messages at https://mailarchive.ietf.org/arch/msg/spasm/6iUmCadOg3PfGja7j26-MUXTUVk/ and https://mailarchive.ietf.org/arch/msg/spasm/50v8oLi5XObC7AIL4DH337_Anos/.

            weijun Weijun Wang
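An added example, not part of the issue or of the JDK code: a Python check that tells the two encodings described above apart by length and, for the expanded FIPS 203 form `dk_PKE ‖ ek ‖ H(ek) ‖ z`, splits the fields and verifies the stored `H(ek)`. It assumes the raw key octets have already been extracted from the PKCS #8 `privateKey` field; the function names and sample bytes are constructed for illustration, the field sizes come from FIPS 203, and it covers all three ML-KEM parameter sets.

```python
import hashlib

# FIPS 203 module rank k for each parameter set.
PARAMS = {"ML-KEM-512": 2, "ML-KEM-768": 3, "ML-KEM-1024": 4}
SEED_LEN = 64  # seed form: d || z, 32 octets each


def expanded_len(k):
    # dk_PKE (384k) || ek (384k + 32) || H(ek) (32) || z (32)
    return 768 * k + 96


def classify_private_key(raw):
    """Return (form, parameter_set, fields) for raw ML-KEM private key octets.

    A 64-octet seed does not identify its parameter set; that information
    lives in the PKCS #8 algorithm identifier, so None is returned for it.
    """
    if len(raw) == SEED_LEN:
        return "seed", None, {"d": raw[:32], "z": raw[32:]}
    for name, k in PARAMS.items():
        if len(raw) != expanded_len(k):
            continue
        a, b = 384 * k, 768 * k + 32
        fields = {"dk_PKE": raw[:a], "ek": raw[a:b],
                  "H(ek)": raw[b:b + 32], "z": raw[b + 32:]}
        # H is SHA3-256 in FIPS 203; a mismatch means a corrupt or altered key.
        if hashlib.sha3_256(fields["ek"]).digest() != fields["H(ek)"]:
            raise ValueError(f"{name}: H(ek) does not match SHA3-256(ek)")
        return "expanded", name, fields
    raise ValueError(f"unrecognised ML-KEM private key length: {len(raw)}")


def constructed_expanded_key(k):
    """Layout-correct filler bytes (constructed sample, not a usable key)."""
    dk_pke = b"\x11" * (384 * k)
    ek = b"\x22" * (384 * k + 32)
    z = b"\x33" * 32
    return dk_pke + ek + hashlib.sha3_256(ek).digest() + z


if __name__ == "__main__":
    for sample in (constructed_expanded_key(3), bytes(SEED_LEN)):
        form, name, fields = classify_private_key(sample)
        print(len(sample), form, name, {f: len(v) for f, v in fields.items()})
```

A consumer that must accept keys written under both encodings can branch on the returned form and reject anything that raises.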