Script updating gh-pages from 2d680d1. [ci skip]
ID Bot committed Jan 29, 2025
1 parent fc71f98 commit 6613898
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion draft-ietf-lamps-pq-composite-kem.html
Expand Up @@ -3990,7 +3990,7 @@ <h4 id="name-fips-certification-of-combi">
<p id="appendix-D.1.1-1">TODO: update this to NIST SP 800-227, once it is published.<a href="#appendix-D.1.1-1" class="pilcrow"></a></p>
<p id="appendix-D.1.1-2">One of the primary NIST documents which is relevant for certification of a composite algorithm is NIST SP.800-56Cr2 <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span> by using the allowed "hybrid" shared secret of the form <code>Z' = Z || T</code>. Compliance is achieved in the following way:<a href="#appendix-D.1.1-2" class="pilcrow"></a></p>
<p id="appendix-D.1.1-3"><span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span> section 4 "One-Step Key Derivation" requires a <code>counter</code> which begins at the 4-byte value 0x00000001. However, the counter is allowed to be omitted when the hash function is executed only once, as specified on page 159 of the FIPS 140-3 Implementation Guidance <span>[<a href="#FIPS-140-3-IG" class="cite xref">FIPS-140-3-IG</a>]</span>.<a href="#appendix-D.1.1-3" class="pilcrow"></a></p>
<p id="appendix-D.1.1-4">The HKDF-SHA2 options can be certified under SP.800-56Cr2 One-Step Key Derivation Option 2: <code>H(x) = HMAC-hash(salt, x)</code> where <code>salt</code> is the empty (0 octet) string, which will internally be mapped to the zero vector <code>0x00..00</code> of the correct input size for the underlying hash function in order to satisfy the requirement in <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span> that "nn the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash". Note that since the desired shared secret key output length of 256 bits for all security levels aligns with the block size of SHA256, we do not need to use the HKDF-Extract step specified in <span>[<a href="#RFC5869" class="cite xref">RFC5869</a>]</span>, which further simplifies FIPS certification by allowing us to use the One-Step KDF rather than the Two-Step KDF from <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span>.<a href="#appendix-D.1.1-4" class="pilcrow"></a></p>
<p id="appendix-D.1.1-4">The HKDF-SHA2 options can be certified under <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span> One-Step Key Derivation Option 2: <code>H(x) = HMAC-hash(salt, x)</code> where <code>salt</code> is the empty (0 octet) string, which will internally be mapped to the zero vector <code>0x00..00</code> of the correct input size for the underlying hash function in order to satisfy the requirement in <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span> that "in the absence of an agreed-upon alternative – the default_salt shall be an all-zero byte string whose bit length equals that specified as the bit length of an input block for the hash function, hash". Note that since the desired shared secret key output length of 256 bits for all security levels aligns with the block size of SHA256, we do not need to use the HKDF-Extract step specified in <span>[<a href="#RFC5869" class="cite xref">RFC5869</a>]</span>, which further simplifies FIPS certification by allowing us to use the One-Step KDF rather than the Two-Step KDF from <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span>.<a href="#appendix-D.1.1-4" class="pilcrow"></a></p>
<p id="appendix-D.1.1-5">The SHA3 options can be certified under <span>[<a href="#SP.800-56Cr2" class="cite xref">SP.800-56Cr2</a>]</span> One-Step Key Derivation Option 1: <code>H(x) = hash(x)</code>.<a href="#appendix-D.1.1-5" class="pilcrow"></a></p>
</section>
</div>
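Review bot: The last sentence of appendix-D.1.1-4 says the 256-bit shared secret "aligns with the block size of SHA256", but SHA-256 has a 512-bit input block and a 256-bit digest, so this should read "output length"; the same paragraph already relies on the input block size for the all-zero default salt. That sentence also says the HKDF-Extract step is not needed, yet H(x) = HMAC-hash(salt, x) is the Extract computation from RFC5869, and the step being skipped is HKDF-Expand. Since the changed line touches this paragraph anyway, both are worth correcting in the source document that generates this file.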
4 changes: 2 additions & 2 deletions draft-ietf-lamps-pq-composite-kem.txt
Expand Up @@ -2685,12 +2685,12 @@ D.1.1. FIPS certification of Combiner Function
as specified on page 159 of the FIPS 140-3 Implementation Guidance
[FIPS-140-3-IG].

The HKDF-SHA2 options can be certified under SP.800-56Cr2 One-Step
The HKDF-SHA2 options can be certified under [SP.800-56Cr2] One-Step
Key Derivation Option 2: H(x) = HMAC-hash(salt, x) where salt is the
empty (0 octet) string, which will internally be mapped to the zero
vector 0x00..00 of the correct input size for the underlying hash
function in order to satisfy the requirement in [SP.800-56Cr2] that
"nn the absence of an agreed-upon alternative – the default_salt
"in the absence of an agreed-upon alternative – the default_salt
shall be an all-zero byte string whose bit length equals that
specified as the bit length of an input block for the hash function,
hash". Note that since the desired shared secret key output length
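Review bot: The context line "as specified on page 159 of the FIPS 140-3 Implementation Guidance" ties the counter-omission allowance to a page number, which stops being correct when the guidance is reissued; cite the section identifier of the guidance instead. In the changed paragraph, "the correct input size for the underlying hash function" would be more precise as "input block size", matching the "bit length of an input block" wording in the quotation that follows it.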