From 3c647ca6bb987c496652fd6bf279ef2625f41821 Mon Sep 17 00:00:00 2001
From: Frank Denis <124872+jedisct1@users.noreply.github.com>
Date: Mon, 24 Nov 2025 19:45:48 +0100
Subject: [PATCH] crypto.ml_kem: avoid redundant assignment & fix K-PKE.KeyGen (#26031)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

FIPS-203 algorithm 13 for deterministic key generation uses (𝜌, 𝜎) ← G(𝑑 ‖ 𝑘) , not (𝜌, 𝜎) ← G(k ‖ d)
---
 lib/std/crypto/ml_kem.zig | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/std/crypto/ml_kem.zig b/lib/std/crypto/ml_kem.zig
index 9f5c0286f1..9badac5d79 100644
--- a/lib/std/crypto/ml_kem.zig
+++ b/lib/std/crypto/ml_kem.zig
@@ -376,7 +376,6 @@ fn Kyber(comptime p: Params) type {
 /// Except in tests, applications should generally call `generate()` instead of this function.
 pub fn generateDeterministic(seed: [seed_length]u8) !KeyPair {
 var ret: KeyPair = undefined;
- ret.secret_key.z = seed[inner_seed_length..seed_length].*;
 
 // Generate inner key
 innerKeyFromSeed(
@@ -507,8 +506,8 @@ fn Kyber(comptime p: Params) type {
 fn innerKeyFromSeed(seed: [inner_seed_length]u8, pk: *InnerPk, sk: *InnerSk) void {
 var expanded_seed: [64]u8 = undefined;
 var h = sha3.Sha3_512.init(.{});
- if (p.ml_kem) h.update(&[1]u8{p.k});
 h.update(&seed);
+ if (p.ml_kem) h.update(&[1]u8{p.k});
 h.final(&expanded_seed);
 pk.rho = expanded_seed[0..32].*;
 const sigma = expanded_seed[32..64];
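Review bot: After dropping the `ret.secret_key.z` assignment, this hunk no longer shows where `z` (the implicit-rejection secret carved from `seed[inner_seed_length..seed_length]`) is written, and `ret` starts out as `undefined`, so a reader cannot tell from here that the field is still initialized before `ret` is returned. The rest of `generateDeterministic` lies outside the hunk; presumably the assignment survives further down, which is what "redundant" in the subject suggests, but that is inferred rather than visible. A one-line comment at the declaration would make the invariant explicit, e.g. `var ret: KeyPair = undefined; // every field, including secret_key.z, is set below before return`. Leaving any byte of the secret key uninitialized would not fail any test that only checks encaps/decaps round-trips, so the comment is cheap insurance for the next edit to this function.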
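Review bot: The reordering in `innerKeyFromSeed` is correct for FIPS 203 Algorithm 13, which derives `(rho, sigma) = G(d || k)`, but nothing in the hunk records why the `k` byte now follows the seed, and the previous `G(k || d)` order evidently passed the existing test suite, which suggests no known-answer test pins the deterministic key-generation output for the ML-KEM parameter sets. I would add a comment above the conditional, `// FIPS 203 Alg. 13: (rho, sigma) = G(d || k); the k byte is absent for Kyber round 3`, and a test that feeds a fixed seed to `generateDeterministic` and compares the encapsulation key against a published ML-KEM test vector (use a placeholder until the vector is pasted in). Note for deployers: the old order produced keys that were internally consistent but did not match other ML-KEM implementations for the same seed, so any seed persisted before this fix will now expand to a different key pair. `innerKeyFromSeed` continues past the last line of the hunk.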