crypto/mlkem: swap order of return values of Encapsulate

alecbakholdin · gopherbot · commit cce75da30b6a · 2024-12-26T12:33:05.000-08:00
Per FIPS 203 (https://csrc.nist.gov/pubs/fips/203/final), the order of return values should be sharedKey, ciphertext. This commit simply swaps those return values and updates any consumers of the Encapsulate() method to respect the new order. Fixes #70950 Change-Id: I2a0d605e3baf7fe69510d60d3d35bbac18f883c9 Reviewed-on: https://go-review.googlesource.com/c/go/+/638376 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Austin Clements <austin@google.com> Auto-Submit: Ian Lance Taylor <iant@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
diff --git a/src/crypto/internal/fips140/mlkem/cast.go b/src/crypto/internal/fips140/mlkem/cast.go
@@ -40,7 +40,7 @@ func init() {
 		dk := &DecapsulationKey768{}
 		kemKeyGen(dk, d, z)
 		ek := dk.EncapsulationKey()
-		c, Ke := ek.EncapsulateInternal(m)
+		Ke, c := ek.EncapsulateInternal(m)
 		Kd, err := dk.Decapsulate(c)
 		if err != nil {
 			return err
diff --git a/src/crypto/internal/fips140/mlkem/mlkem1024.go b/src/crypto/internal/fips140/mlkem/mlkem1024.go
diff --git a/src/crypto/internal/fips140/mlkem/mlkem768.go b/src/crypto/internal/fips140/mlkem/mlkem768.go
@@ -246,7 +246,7 @@ func kemKeyGen(dk *DecapsulationKey768, d, z *[32]byte) {
 // the first operational use (if not exported before the first use)."
 func kemPCT(dk *DecapsulationKey768) error {
 	ek := dk.EncapsulationKey()
-	c, K := ek.Encapsulate()
+	K, c := ek.Encapsulate()
 	K1, err := dk.Decapsulate(c)
 	if err != nil {
 		return err
@@ -261,13 +261,13 @@ func kemPCT(dk *DecapsulationKey768) error {
 // encapsulation key, drawing random bytes from a DRBG.
 //
 // The shared key must be kept secret.
-func (ek *EncapsulationKey768) Encapsulate() (ciphertext, sharedKey []byte) {
+func (ek *EncapsulationKey768) Encapsulate() (sharedKey, ciphertext []byte) {
 	// The actual logic is in a separate function to outline this allocation.
 	var cc [CiphertextSize768]byte
 	return ek.encapsulate(&cc)
 }
 
-func (ek *EncapsulationKey768) encapsulate(cc *[CiphertextSize768]byte) (ciphertext, sharedKey []byte) {
+func (ek *EncapsulationKey768) encapsulate(cc *[CiphertextSize768]byte) (sharedKey, ciphertext []byte) {
 	var m [messageSize]byte
 	drbg.Read(m[:])
 	// Note that the modulus check (step 2 of the encapsulation key check from
@@ -278,22 +278,22 @@ func (ek *EncapsulationKey768) encapsulate(cc *[CiphertextSize768]byte) (ciphert
 
 // EncapsulateInternal is a derandomized version of Encapsulate, exclusively for
 // use in tests.
-func (ek *EncapsulationKey768) EncapsulateInternal(m *[32]byte) (ciphertext, sharedKey []byte) {
+func (ek *EncapsulationKey768) EncapsulateInternal(m *[32]byte) (sharedKey, ciphertext []byte) {
 	cc := &[CiphertextSize768]byte{}
 	return kemEncaps(cc, ek, m)
 }
 
 // kemEncaps generates a shared key and an associated ciphertext.
 //
 // It implements ML-KEM.Encaps_internal according to FIPS 203, Algorithm 17.
-func kemEncaps(cc *[CiphertextSize768]byte, ek *EncapsulationKey768, m *[messageSize]byte) (c, K []byte) {
+func kemEncaps(cc *[CiphertextSize768]byte, ek *EncapsulationKey768, m *[messageSize]byte) (K, c []byte) {
 	g := sha3.New512()
 	g.Write(m[:])
 	g.Write(ek.h[:])
 	G := g.Sum(nil)
 	K, r := G[:SharedKeySize], G[SharedKeySize:]
 	c = pkeEncrypt(cc, &ek.encryptionKey, m, r)
-	return c, K
+	return K, c
 }
 
 // NewEncapsulationKey768 parses an encapsulation key from its encoded form.
diff --git a/src/crypto/mlkem/mlkem1024.go b/src/crypto/mlkem/mlkem1024.go
@@ -91,6 +91,6 @@ func (ek *EncapsulationKey1024) Bytes() []byte {
 // encapsulation key, drawing random bytes from crypto/rand.
 //
 // The shared key must be kept secret.
-func (ek *EncapsulationKey1024) Encapsulate() (ciphertext, sharedKey []byte) {
+func (ek *EncapsulationKey1024) Encapsulate() (sharedKey, ciphertext []byte) {
 	return ek.key.Encapsulate()
 }
diff --git a/src/crypto/mlkem/mlkem768.go b/src/crypto/mlkem/mlkem768.go
@@ -101,6 +101,6 @@ func (ek *EncapsulationKey768) Bytes() []byte {
 // encapsulation key, drawing random bytes from crypto/rand.
 //
 // The shared key must be kept secret.
-func (ek *EncapsulationKey768) Encapsulate() (ciphertext, sharedKey []byte) {
+func (ek *EncapsulationKey768) Encapsulate() (sharedKey, ciphertext []byte) {
 	return ek.key.Encapsulate()
 }
diff --git a/src/crypto/mlkem/mlkem_test.go b/src/crypto/mlkem/mlkem_test.go
@@ -43,7 +43,7 @@ func testRoundTrip[E encapsulationKey, D decapsulationKey[E]](
 		t.Fatal(err)
 	}
 	ek := dk.EncapsulationKey()
-	c, Ke := ek.Encapsulate()
+	Ke, c := ek.Encapsulate()
 	Kd, err := dk.Decapsulate(c)
 	if err != nil {
 		t.Fatal(err)
@@ -66,7 +66,7 @@ func testRoundTrip[E encapsulationKey, D decapsulationKey[E]](
 	if !bytes.Equal(dk.Bytes(), dk1.Bytes()) {
 		t.Fail()
 	}
-	c1, Ke1 := ek1.Encapsulate()
+	Ke1, c1 := ek1.Encapsulate()
 	Kd1, err := dk1.Decapsulate(c1)
 	if err != nil {
 		t.Fatal(err)
@@ -86,7 +86,7 @@ func testRoundTrip[E encapsulationKey, D decapsulationKey[E]](
 		t.Fail()
 	}
 
-	c2, Ke2 := dk.EncapsulationKey().Encapsulate()
+	Ke2, c2 := dk.EncapsulationKey().Encapsulate()
 	if bytes.Equal(c, c2) {
 		t.Fail()
 	}
@@ -115,7 +115,7 @@ func testBadLengths[E encapsulationKey, D decapsulationKey[E]](
 	}
 	ek := dk.EncapsulationKey()
 	ekBytes := dk.EncapsulationKey().Bytes()
-	c, _ := ek.Encapsulate()
+	_, c := ek.Encapsulate()
 
 	for i := 0; i < len(dkBytes)-1; i++ {
 		if _, err := newDecapsulationKey(dkBytes[:i]); err == nil {
@@ -189,7 +189,7 @@ func TestAccumulated(t *testing.T) {
 		o.Write(ek.Bytes())
 
 		s.Read(msg[:])
-		ct, k := ek.key.EncapsulateInternal(&msg)
+		k, ct := ek.key.EncapsulateInternal(&msg)
 		o.Write(ct)
 		o.Write(k)
 
@@ -244,7 +244,7 @@ func BenchmarkEncaps(b *testing.B) {
 		if err != nil {
 			b.Fatal(err)
 		}
-		c, K := ek.key.EncapsulateInternal(&m)
+		K, c := ek.key.EncapsulateInternal(&m)
 		sink ^= c[0] ^ K[0]
 	}
 }
@@ -255,7 +255,7 @@ func BenchmarkDecaps(b *testing.B) {
 		b.Fatal(err)
 	}
 	ek := dk.EncapsulationKey()
-	c, _ := ek.Encapsulate()
+	_, c := ek.Encapsulate()
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
 		K, _ := dk.Decapsulate(c)
@@ -270,7 +270,7 @@ func BenchmarkRoundTrip(b *testing.B) {
 	}
 	ek := dk.EncapsulationKey()
 	ekBytes := ek.Bytes()
-	c, _ := ek.Encapsulate()
+	_, c := ek.Encapsulate()
 	if err != nil {
 		b.Fatal(err)
 	}
@@ -296,7 +296,7 @@ func BenchmarkRoundTrip(b *testing.B) {
 			if err != nil {
 				b.Fatal(err)
 			}
-			cS, Ks := ek.Encapsulate()
+			Ks, cS := ek.Encapsulate()
 			if err != nil {
 				b.Fatal(err)
 			}
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
@@ -280,7 +280,7 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: invalid X25519MLKEM768 client key share")
 		}
-		ciphertext, mlkemSharedSecret := k.Encapsulate()
+		mlkemSharedSecret, ciphertext := k.Encapsulate()
 		// draft-kwiatkowski-tls-ecdhe-mlkem-02, Section 3.1.3: "For
 		// X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
 		// shared secret and the X25519 shared secret. The shared secret is 64

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,6 @@ func (ek *EncapsulationKey1024) Bytes() []byte {`
`91`	`91`	`// encapsulation key, drawing random bytes from crypto/rand.`
`92`	`92`	`//`
`93`	`93`	`// The shared key must be kept secret.`
`94`		`-func (ek *EncapsulationKey1024) Encapsulate() (ciphertext, sharedKey []byte) {`
	`94`	`+func (ek *EncapsulationKey1024) Encapsulate() (sharedKey, ciphertext []byte) {`
`95`	`95`	`return ek.key.Encapsulate()`
`96`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,6 @@ func (ek *EncapsulationKey768) Bytes() []byte {`
`101`	`101`	`// encapsulation key, drawing random bytes from crypto/rand.`
`102`	`102`	`//`
`103`	`103`	`// The shared key must be kept secret.`
`104`		`-func (ek *EncapsulationKey768) Encapsulate() (ciphertext, sharedKey []byte) {`
	`104`	`+func (ek *EncapsulationKey768) Encapsulate() (sharedKey, ciphertext []byte) {`
`105`	`105`	`return ek.key.Encapsulate()`
`106`	`106`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func testRoundTrip[E encapsulationKey, D decapsulationKey[E]](`
`43`	`43`	`t.Fatal(err)`
`44`	`44`	`}`
`45`	`45`	`ek := dk.EncapsulationKey()`
`46`		`- c, Ke := ek.Encapsulate()`
	`46`	`+ Ke, c := ek.Encapsulate()`
`47`	`47`	`Kd, err := dk.Decapsulate(c)`
`48`	`48`	`if err != nil {`
`49`	`49`	`t.Fatal(err)`
`@@ -66,7 +66,7 @@ func testRoundTrip[E encapsulationKey, D decapsulationKey[E]](`
`66`	`66`	`if !bytes.Equal(dk.Bytes(), dk1.Bytes()) {`
`67`	`67`	`t.Fail()`
`68`	`68`	`}`
`69`		`- c1, Ke1 := ek1.Encapsulate()`
	`69`	`+ Ke1, c1 := ek1.Encapsulate()`
`70`	`70`	`Kd1, err := dk1.Decapsulate(c1)`
`71`	`71`	`if err != nil {`
`72`	`72`	`t.Fatal(err)`
`@@ -86,7 +86,7 @@ func testRoundTrip[E encapsulationKey, D decapsulationKey[E]](`
`86`	`86`	`t.Fail()`
`87`	`87`	`}`
`88`	`88`
`89`		`- c2, Ke2 := dk.EncapsulationKey().Encapsulate()`
	`89`	`+ Ke2, c2 := dk.EncapsulationKey().Encapsulate()`
`90`	`90`	`if bytes.Equal(c, c2) {`
`91`	`91`	`t.Fail()`
`92`	`92`	`}`
`@@ -115,7 +115,7 @@ func testBadLengths[E encapsulationKey, D decapsulationKey[E]](`
`115`	`115`	`}`
`116`	`116`	`ek := dk.EncapsulationKey()`
`117`	`117`	`ekBytes := dk.EncapsulationKey().Bytes()`
`118`		`- c, _ := ek.Encapsulate()`
	`118`	`+ _, c := ek.Encapsulate()`
`119`	`119`
`120`	`120`	`for i := 0; i < len(dkBytes)-1; i++ {`
`121`	`121`	`if _, err := newDecapsulationKey(dkBytes[:i]); err == nil {`
`@@ -189,7 +189,7 @@ func TestAccumulated(t *testing.T) {`
`189`	`189`	`o.Write(ek.Bytes())`
`190`	`190`
`191`	`191`	`s.Read(msg[:])`
`192`		`- ct, k := ek.key.EncapsulateInternal(&msg)`
	`192`	`+ k, ct := ek.key.EncapsulateInternal(&msg)`
`193`	`193`	`o.Write(ct)`
`194`	`194`	`o.Write(k)`
`195`	`195`
`@@ -244,7 +244,7 @@ func BenchmarkEncaps(b *testing.B) {`
`244`	`244`	`if err != nil {`
`245`	`245`	`b.Fatal(err)`
`246`	`246`	`}`
`247`		`- c, K := ek.key.EncapsulateInternal(&m)`
	`247`	`+ K, c := ek.key.EncapsulateInternal(&m)`
`248`	`248`	`sink ^= c[0] ^ K[0]`
`249`	`249`	`}`
`250`	`250`	`}`
`@@ -255,7 +255,7 @@ func BenchmarkDecaps(b *testing.B) {`
`255`	`255`	`b.Fatal(err)`
`256`	`256`	`}`
`257`	`257`	`ek := dk.EncapsulationKey()`
`258`		`- c, _ := ek.Encapsulate()`
	`258`	`+ _, c := ek.Encapsulate()`
`259`	`259`	`b.ResetTimer()`
`260`	`260`	`for i := 0; i < b.N; i++ {`
`261`	`261`	`K, _ := dk.Decapsulate(c)`
`@@ -270,7 +270,7 @@ func BenchmarkRoundTrip(b *testing.B) {`
`270`	`270`	`}`
`271`	`271`	`ek := dk.EncapsulationKey()`
`272`	`272`	`ekBytes := ek.Bytes()`
`273`		`- c, _ := ek.Encapsulate()`
	`273`	`+ _, c := ek.Encapsulate()`
`274`	`274`	`if err != nil {`
`275`	`275`	`b.Fatal(err)`
`276`	`276`	`}`
`@@ -296,7 +296,7 @@ func BenchmarkRoundTrip(b *testing.B) {`
`296`	`296`	`if err != nil {`
`297`	`297`	`b.Fatal(err)`
`298`	`298`	`}`
`299`		`- cS, Ks := ek.Encapsulate()`
	`299`	`+ Ks, cS := ek.Encapsulate()`
`300`	`300`	`if err != nil {`
`301`	`301`	`b.Fatal(err)`
`302`	`302`	`}`
Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {`
`280`	`280`	`c.sendAlert(alertIllegalParameter)`
`281`	`281`	`return errors.New("tls: invalid X25519MLKEM768 client key share")`
`282`	`282`	`}`
`283`		`- ciphertext, mlkemSharedSecret := k.Encapsulate()`
	`283`	`+ mlkemSharedSecret, ciphertext := k.Encapsulate()`
`284`	`284`	`// draft-kwiatkowski-tls-ecdhe-mlkem-02, Section 3.1.3: "For`
`285`	`285`	`// X25519MLKEM768, the shared secret is the concatenation of the ML-KEM`
`286`	`286`	`// shared secret and the X25519 shared secret. The shared secret is 64`