fix: derive mkem AES key via HKDF-SHA256 instead of raw truncation
The mkem layer derived its AES-128-GCM key by truncating the KEM shared
secret (`&kek.0[..KEY_SIZE]`) rather than applying a KDF. Replace this
with an HKDF-SHA256 expansion using a domain-separation label
(`ibe-mkem-aes128gcm`) at both the encapsulation and decapsulation
sites, via a shared `derive_aead` helper.
Adds `hkdf` and `sha2` as optional dependencies gated behind the `mkem`
feature. Includes unit tests covering determinism, divergence from raw
truncation, and dependence on the full shared secret.
Refs GHSA-236p-m8qr-cmjg, closes #44
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
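As an added illustration, not code from this commit or project, here is a Python rendering of the derivation the message describes: an RFC 5869 HKDF-SHA256 expansion under the `ibe-mkem-aes128gcm` label, beside the raw truncation it replaces, with the three properties the commit's unit tests cover. The function names `hkdf_sha256`, `derive_aead`, `truncate_raw` and `check_properties`, and the use of an empty salt, are assumptions for this example.

```python
import hashlib
import hmac

KEY_SIZE = 16  # AES-128-GCM key length in bytes
LABEL = b"ibe-mkem-aes128gcm"  # domain-separation label named in the commit message


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-SHA256: extract, then expand (assumed helper, not the crate API)."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output too long")
    # Extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated until `length` bytes.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_aead(shared_secret: bytes) -> bytes:
    """Derive the AES-128-GCM key from the KEM shared secret via labelled HKDF."""
    return hkdf_sha256(shared_secret, LABEL, KEY_SIZE)


def truncate_raw(shared_secret: bytes) -> bytes:
    """The replaced behaviour: the first KEY_SIZE bytes of the shared secret, no KDF."""
    return shared_secret[:KEY_SIZE]


def check_properties(shared_secret: bytes) -> dict:
    """The three properties the commit's tests cover, evaluated for one secret."""
    key = derive_aead(shared_secret)
    # Flip a bit in the tail, beyond the first KEY_SIZE bytes: raw truncation never
    # sees that change, whereas the HKDF-derived key must depend on the whole secret.
    tail_flipped = bytearray(shared_secret)
    tail_flipped[-1] ^= 0x01
    return {
        "deterministic": key == derive_aead(shared_secret),
        "differs_from_truncation": key != truncate_raw(shared_secret),
        "depends_on_full_secret": key != derive_aead(bytes(tail_flipped)),
        "key_len": len(key),
    }
```

Running `check_properties` on a constructed 32-byte secret returns all three flags true; note that truncation of the same secret with its tail flipped yields an identical key, which is exactly the weakness the change removes.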