ProtonMail · Nov 26, 2024
diff --git a/‎internal/kmac/kmac.go
-147 b/‎internal/kmac/kmac.go
-147
diff --git a/‎internal/kmac/kmac_test.go
-142 b/‎internal/kmac/kmac_test.go
-142
diff --git a/‎openpgp/mlkem_ecdh/mlkem_ecdh.go
+13-29 b/‎openpgp/mlkem_ecdh/mlkem_ecdh.go
+13-29
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/ProtonMail/go-crypto/internal/kmac"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
 	"golang.org/x/crypto/sha3"
 
@@ -19,7 +18,6 @@ import (
 
 const (
 	maxSessionKeyLength = 64
-	domainSeparator     = "OpenPGPCompositeKDFv1"
 	MlKemSeedLen        = 64
 )
 
@@ -140,8 +138,8 @@ func Decrypt(priv *PrivateKey, kEphemeral, ecEphemeral, ciphertext []byte) (msg
 	return keywrap.Unwrap(kek, ciphertext)
 }
 
-// buildKey implements the composite KDF as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-combiner
+// buildKey implements the composite KDF 2a from
+// https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0/
 func buildKey(pub *PublicKey, eccSecretPoint, eccEphemeral, eccPublicKey, mlkemKeyShare, mlkemEphemeral []byte, mlkemPublicKey kem.PublicKey) ([]byte, error) {
 	h := sha3.New256()
 
@@ -160,35 +158,21 @@ func buildKey(pub *PublicKey, eccSecretPoint, eccEphemeral, eccPublicKey, mlkemK
 	//   mlkemEphemeral  - the ML-KEM ciphertext encoded as an octet string
 	//   mlkemPublicKey  - The ML-KEM public key of the recipient as an octet string
 	//   algId           - the OpenPGP algorithm ID of the public-key encryption algorithm
-	//   domainSeparator – the UTF-8 encoding of the string "OpenPGPCompositeKDFv1"
 	//   eccKeyShare     - the ECDH key share encoded as an octet string
 	//   eccEphemeral    - the ECDH ciphertext encoded as an octet string
 	//   eccPublicKey    - The ECDH public key of the recipient as an octet string
 
-	// KEK = KMAC256(
-	//           mlkemKeyShare || eccKeyShare,
-	//           mlkemEphemeral || eccEphemeral || mlkemPublicKey || ecdhPublicKey || algId,
-	//           256 (32 bytes),
-	//           domainSeparator
-	//       )
-
-	kMacKeyBuffer := make([]byte, len(mlkemKeyShare)+len(eccKeyShare))
-	copy(kMacKeyBuffer[:len(mlkemKeyShare)], mlkemKeyShare)
-	copy(kMacKeyBuffer[len(mlkemKeyShare):], eccKeyShare)
-
-	k, err := kmac.NewKMAC256(kMacKeyBuffer, 32, []byte(domainSeparator))
-	if err != nil {
-		return nil, err
-	}
-
-	// kmac hash never returns an error
-	_, _ = k.Write(mlkemEphemeral)
-	_, _ = k.Write(eccEphemeral)
-	_, _ = k.Write(serializedMlkemPublicKey)
-	_, _ = k.Write(eccPublicKey)
-	_, _ = k.Write([]byte{pub.AlgId})
-
-	return k.Sum(nil), nil
+	// 2a. SHA3-256(mlkemKeyShare || eccKeyShare || eccEphemeral || eccPublicKey || Domain)
+	//       where Domain is "Domain" for LAMPS, and "mlkemEphemeral || mlkemPublicKey || algId" for OpenPGP
+	h.Reset()
+	_, _ = h.Write(mlkemKeyShare)
+	_, _ = h.Write(eccKeyShare)
+	_, _ = h.Write(eccEphemeral)
+	_, _ = h.Write(eccPublicKey)
+	_, _ = h.Write(mlkemEphemeral)
+	_, _ = h.Write(serializedMlkemPublicKey)
+	_, _ = h.Write([]byte{pub.AlgId})
+	return h.Sum(nil), nil
 }
 
 // Validate checks that the public key corresponds to the private key