Comments (13)
Hello.
With all due respect, it does work. It's even been reviewed by the authors of the algorithm itself.
I'm not sure how you are using it, but the tests give you good examples on its proper usage.
from crystals-kyber-ts.
Explain then why the key pair is empty and generateKyberKeys is not used anywhere?
from crystals-kyber-ts.
from crystals-kyber-ts.
https://github.com/fisherstevenk/crystals-kyber-ts/tree/main/tests
from crystals-kyber-ts.
In your implementation, only KyberHandshake
is publicly available, which does not have a key generation method, and does not call this generation internally. What you wrote in your tests cannot be repeated without importing KyberService
. And in the example in readme.md
, you only mention KyberHandshake
, as if implying that it will generate the keys itself.
from crystals-kyber-ts.
import { Kyber1024Handshake } from "crystals-kyber-ts";
const bobHandshake = new Kyber1024Handshake();
const aliceHandshake = new Kyber1024Handshake();
const bobPublicKey: number[] = bobHandshake.publicKey;
//Prints 0 0 because key pair is not generated
console.log(bobPublicKey.length, bobHandshake.privateKey.length);
const aliceCipherText: number[] = aliceHandshake.generateCipherTextAndSharedSecret(bobPublicKey);
const bobSharedSecret: number[] = bobHandshake.generateRemoteSharedSecret(aliceCipherText);
from crystals-kyber-ts.
You can also assume that when you call generateCipherTextAndSharedSecret
, a key pair will be generated, but no, you just run an empty key through SHA3
and get the hash a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
which corresponds to an empty string.
kyber-handshake.ts:
kyber.service.ts:
Debugging the code from the previous comment:
SHA3-256 online:
from crystals-kyber-ts.
import { Kyber1024Handshake } from "crystals-kyber-ts";
const bobHandshake = new Kyber1024Handshake();
const aliceHandshake = new Kyber1024Handshake();
const chuckHandshake = new Kyber1024Handshake();
const bobPublicKey: number[] = bobHandshake.publicKey;
const aliceCipherText: number[] = aliceHandshake.generateCipherTextAndSharedSecret(bobPublicKey);
const bobSharedSecret: number[] = bobHandshake.generateRemoteSharedSecret(aliceCipherText);
const chuckSharedSecret: number[] = chuckHandshake.generateRemoteSharedSecret(aliceCipherText);
//Vulnerability! Chuck, having only the public aliceCipherText in his hands, can read all the correspondence!
console.log(Buffer.from(bobSharedSecret).equals(Buffer.from(chuckSharedSecret))); //prints true because keys is empty
from crystals-kyber-ts.
You should have the keys generated inside KyberHandshake
automatically. It is also worth adding a key length check to KyberService
.
from crystals-kyber-ts.
I'm sorry. I understand what you're saying now.
I will have an update for this soon, plus a working example repo.
Thank you.
from crystals-kyber-ts.
v1.0.3 will automatically create the public and private keys when you create a new KyberHandshake.
https://www.npmjs.com/package/crystals-kyber-ts
from crystals-kyber-ts.
That's better. Thanks for the quick fix!
from crystals-kyber-ts.
Thank you for your persistence and patience.
from crystals-kyber-ts.
Related Issues (5)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from crystals-kyber-ts.