Thanks Dan for the quick response.
Other exchanges seem fine with their use of ML-KEM level determining the SHA2 hash function to use, except the transcript. This clarifies what is used for PTK. We have not looked at 11bi support for encrypting the association frames, but expect that is already specified by 11bi and your PQC document if the keys are available prior to association.
Another minor quirk is the random padding of various sizes (16, 24, 32) when encoding the Kyber public key using Kemeleon. The total length is a bit shorter and different from the Kyber public key size (797 instead of 800, say). It might be okay to extend the random padding to make the encoded size the same as normal Kyber public key size. But only if there is some advantage.
-N
Hi Nehru,
Thank you very much for this email to the reflector!
The PTK is always generated using a hash algorithm from 12.X. Since the PAKE has 2 messages sent prior to establishment of the ML-KEM parameter which fixes the hash algorithm, it notes in 12.X.4.2 that the hash algorithm for the transcript generation is SHA512. But the PTK stuff remains bound to the ML-KEM parameter.
I'm reworking the PAKE exchange to align with the 11bi method of password identifier privacy and, serendipitously, this issue goes away. I will strive to ensure that the wording is clear though. And if you do find anything that isn't, please do send a note to the reflector.
regards,
Dan.
--
"the object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." – Marcus Aurelius
On 10/13/25, 3:14 PM, "Nehru Bhandaru" <00000a7a761100fa-dmarc-request@xxxxxxxxxxxxxxxxx> wrote:
Hi Dan,
Hope all is well.
We’ve been looking at the 802.11 Authentication frame sequences for PQC PAKE from 11-25/1592r0, and have a question regarding which hash function gets used while computing the PTK (by hKDF). Not sure if we are missing something or if 11-25/1592r2 addresses this.
From the text, it is clear that for exchanges that are related to KEM, when parameters are known, Table 12.X maps the KEM level to the hash function (SHA256/384/512) - this includes PMK caching, OWE replacement, ID privacy exchange, and NOIC Exchange. It is also specified to use SHA-512 for computing the transcript T from the auth frame bodies which are exchanged before KEM parameters for NOIC are. What is the hash function used for computing the PTK - which is specified as -
PTK = HKDF-expand(HKDF-extract(T, PMK), “IEEE 802.11 PQC PTK Derivation”, PTKLen) ?
This comes after the two exchanges for PQC PAKE that may have different KEM parameters? Should it use the hash function as per NOIC KEM parameter or SHA-512 or something else?
Thanks
-N
To unsubscribe from the STDS-802-11-TGBT list, click the following link: https://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-TGBT&A=1
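Added example (not part of the thread or of 11-25/1592): the PTK formula quoted above, with the HKDF hash selected from the ML-KEM parameter set and the transcript fixed to SHA-512, showing that peers that pick different hashes derive different PTKs. The level-to-hash pairing, the plain concatenation of frame bodies, the reading of T as the HKDF salt, PTKLen in octets, and the sample inputs are assumptions.

```python
import hashlib
import hmac

# ASSUMPTION: the thread only says Table 12.X maps the KEM level to
# SHA256/384/512; this pairing is illustrative, not copied from the draft.
KEM_HASH = {
    "ML-KEM-512": hashlib.sha256,
    "ML-KEM-768": hashlib.sha384,
    "ML-KEM-1024": hashlib.sha512,
}
PTK_LABEL = b"IEEE 802.11 PQC PTK Derivation"

def hkdf_extract(hash_fn, salt, ikm):
    """RFC 5869 extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_fn).digest()

def hkdf_expand(hash_fn, prk, info, length):
    """RFC 5869 expand: chain HMAC blocks until `length` octets exist."""
    hash_len = hash_fn().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds the HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]

def transcript(frame_bodies):
    """T over the auth frame bodies, always SHA-512 as stated in the thread.
    ASSUMPTION: plain concatenation; the draft defines the real encoding."""
    h = hashlib.sha512()
    for body in frame_bodies:
        h.update(body)
    return h.digest()

def derive_ptk(kem_level, t, pmk, ptk_len):
    """PTK = HKDF-expand(HKDF-extract(T, PMK), label, PTKLen), with the
    hash bound to the ML-KEM parameter set (per the reply in the thread).
    ASSUMPTION: T is the HKDF salt, PMK the input keying material."""
    hash_fn = KEM_HASH[kem_level]
    prk = hkdf_extract(hash_fn, t, pmk)
    return hkdf_expand(hash_fn, prk, PTK_LABEL, ptk_len)

# Constructed sample inputs (not real frames or keys).
T = transcript([b"auth-frame-1-body", b"auth-frame-2-body"])
PMK = bytes(range(32))
```

Calling `derive_ptk` with the same `T` and `PMK` but a different level yields an unrelated key, which is why both sides need one unambiguous rule for the PTK hash.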