The current implementation under the zeroize feature in ml-kem for DecapsulationKey implements a manual zeroize-on-drop pattern where Zeroize is implemented for internal fields, but not for the outer container type. Then ZeroizeOnDrop is implemented, but this is just a marker trait. As such, there is no actual implementation of Zeroize on DecapsulationKey, meaning users who want to put these types inside a larger container type cannot derive Zeroize on that type.
It seems like dhkem's DecapsulationKey, on the other hand, does implement Zeroize.
This could be quite easily fixed for ml-kem by reverting to the original proposed behaviour of #51, where Zeroize was implemented directly. This was replaced by a Drop implementation, which still works, but makes things awkward for library authors who want to wrap ml-kem types in their own containers.
If this is a deliberate decision to avoid users being able to use key material after zeroization, that makes sense, but why the discrepancy with dhkem?
Very happy to do a PR for this?
The current implementation under the
zeroizefeature inml-kemforDecapsulationKeyimplements a manual zeroize-on-drop pattern whereZeroizeis implemented for internal fields, but not for the outer container type. ThenZeroizeOnDropis implemented, but this is just a marker trait. As such, there is no actual implementation ofZeroizeonDecapsulationKey, meaning users who want to put these types inside a larger container type cannot deriveZeroizeon that type.It seems like
dhkem'sDecapsulationKey, on the other hand, does implementZeroize.This could be quite easily fixed for
ml-kemby reverting to the original proposed behaviour of #51, whereZeroizewas implemented directly. This was replaced by aDropimplementation, which still works, but makes things awkward for library authors who want to wrapml-kemtypes in their own containers.If this is a deliberate decision to avoid users being able to use key material after zeroization, that makes sense, but why the discrepancy with
dhkem?Very happy to do a PR for this?