Add ML-KEM support to HPKE (draft-ietf-hpke-pq-04)#3277
Draft
jakemas wants to merge 2 commits into
Implement ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as HPKE KEMs, enabling post-quantum-safe HPKE encryption. The priority ciphersuite is HPKE(ML-KEM-1024, HKDF-SHA384, AES-256-GCM).

Changes:
- Refactor evp_hpke_key_st to use heap-allocated key storage to accommodate ML-KEM key sizes (up to 3168 bytes)
- Update EVP_HPKE_MAX constants for ML-KEM-1024 dimensions
- Add HKDF-SHA384 KDF (EVP_hpke_hkdf_sha384)
- Implement ML-KEM KEM functions (init, generate, encap, decap) for all three parameter sets
- ML-KEM shared secret is used directly per draft-ietf-hpke-pq-04 (no ExtractAndExpand step)
- Auth mode returns error for ML-KEM KEMs (not supported)
- Validate secret keys via ml_kem_*_check_sk on init
Codecov Report
❌ Patch coverage is

Additional details and impacted files
@@ Coverage Diff @@
##             main    #3277      +/-   ##
==========================================
+ Coverage    78.16%   78.42%   +0.26%
==========================================
  Files          689      689
  Lines       123334   124082     +748
  Branches     17148    17241      +93
==========================================
+ Hits         96401    97313     +912
+ Misses       26022    25849     -173
- Partials       911      920       +9
Cover the input validation branches in the ML-KEM KEM functions:
- Wrong private key length (too short)
- Corrupted private key (correct length, fails check_sk)
- Wrong seed length via setup_sender_with_seed_for_testing
- Wrong public key length for encap
- Enc buffer too small
- Public/private key export buffer too small
- Copy of a zeroed (uninitialized) key
Summary
- evp_hpke_key_st refactored to heap-allocated key storage for ML-KEM key sizes

Details
ML-KEM shared secret is used directly in the HPKE key schedule (no ExtractAndExpand). Auth mode is not supported for ML-KEM KEMs. Secret keys are validated via ml_kem_*_check_sk() on init (FIPS 203 page 16).
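The "no ExtractAndExpand" point above (also listed in the PR description's change list) is easiest to see next to the DHKEM path it replaces. The following is an added illustration, not code from this PR or from the library: it implements the RFC 9180 KeySchedule in base mode for HPKE(ML-KEM-1024, HKDF-SHA384, AES-256-GCM) with a plain HMAC-based HKDF, feeds it the ML-KEM shared secret K unchanged, and shows the contrasting DHKEM ExtractAndExpand step for X25519. The ML-KEM-1024 KEM id (0x0042) is the draft-ietf-hpke-pq value as I recall it and is an assumption; the KDF and AEAD ids, the X25519 KEM id and the label strings are RFC 9180's. The 32-byte K is a constructed stand-in for what ML-KEM Encaps/Decaps would output.

```python
import hashlib
import hmac

# RFC 9180 identifiers: HKDF-SHA384 = 0x0002, AES-256-GCM = 0x0002,
# DHKEM(X25519, HKDF-SHA256) = 0x0020. The ML-KEM-1024 id is the
# draft-ietf-hpke-pq value as recalled here (assumption, see lead-in).
KEM_ID_MLKEM1024 = 0x0042   # assumption
KEM_ID_X25519 = 0x0020
KDF_ID_HKDF_SHA384 = 0x0002
AEAD_ID_AES_256_GCM = 0x0002
NK, NN = 32, 12             # AES-256-GCM key and nonce lengths
NSECRET_MLKEM = 32          # ML-KEM shared secret K is always 32 bytes
MODE_BASE = 0x00


def i2osp(n: int, length: int) -> bytes:
    return n.to_bytes(length, "big")


class Hkdf:
    """Minimal HKDF (RFC 5869) over a hashlib digest name."""

    def __init__(self, name: str):
        self.name = name
        self.nh = hashlib.new(name).digest_size

    def extract(self, salt: bytes, ikm: bytes) -> bytes:
        return hmac.new(salt or bytes(self.nh), ikm, self.name).digest()

    def expand(self, prk: bytes, info: bytes, length: int) -> bytes:
        out, t, i = b"", b"", 1
        while len(out) < length:
            t = hmac.new(prk, t + info + bytes([i]), self.name).digest()
            out += t
            i += 1
        return out[:length]


def labeled_extract(kdf, suite_id, salt, label, ikm):
    return kdf.extract(salt, b"HPKE-v1" + suite_id + label + ikm)


def labeled_expand(kdf, suite_id, prk, label, info, length):
    return kdf.expand(prk, i2osp(length, 2) + b"HPKE-v1" + suite_id + label + info, length)


def dhkem_extract_and_expand(dh: bytes, kem_context: bytes) -> bytes:
    """DHKEM path (RFC 9180 4.1): the raw DH output is not the shared secret;
    it is run through ExtractAndExpand under suite_id = "KEM" || kem_id."""
    kdf = Hkdf("sha256")
    suite_id = b"KEM" + i2osp(KEM_ID_X25519, 2)
    eae_prk = labeled_extract(kdf, suite_id, b"", b"eae_prk", dh)
    return labeled_expand(kdf, suite_id, eae_prk, b"shared_secret", kem_context, 32)


def mlkem_shared_secret(k: bytes) -> bytes:
    """ML-KEM path (draft-ietf-hpke-pq): the 32-byte K from ML-KEM Encaps/Decaps
    is the HPKE shared secret as-is. Only a length check, no KDF step."""
    if len(k) != NSECRET_MLKEM:
        raise ValueError("ML-KEM shared secret must be 32 bytes")
    return k


def key_schedule_base(shared_secret: bytes, info: bytes):
    """HPKE KeySchedule (RFC 9180 5.1), mode_base, for
    HPKE(ML-KEM-1024, HKDF-SHA384, AES-256-GCM). Returns (key, base_nonce, exporter_secret)."""
    kdf = Hkdf("sha384")
    suite_id = (b"HPKE" + i2osp(KEM_ID_MLKEM1024, 2)
                + i2osp(KDF_ID_HKDF_SHA384, 2) + i2osp(AEAD_ID_AES_256_GCM, 2))
    psk, psk_id = b"", b""  # base mode: no PSK
    psk_id_hash = labeled_extract(kdf, suite_id, b"", b"psk_id_hash", psk_id)
    info_hash = labeled_extract(kdf, suite_id, b"", b"info_hash", info)
    ctx = bytes([MODE_BASE]) + psk_id_hash + info_hash
    secret = labeled_extract(kdf, suite_id, shared_secret, b"secret", psk)
    key = labeled_expand(kdf, suite_id, secret, b"key", ctx, NK)
    base_nonce = labeled_expand(kdf, suite_id, secret, b"base_nonce", ctx, NN)
    exporter = labeled_expand(kdf, suite_id, secret, b"exp", ctx, kdf.nh)
    return key, base_nonce, exporter


if __name__ == "__main__":
    # Constructed stand-in for the K that ML-KEM-1024 Encaps/Decaps would output.
    k = bytes(range(32))
    key, nonce, exp = key_schedule_base(mlkem_shared_secret(k), b"constructed info")
    print(key.hex(), nonce.hex(), exp.hex())
```

Note that the key schedule itself still binds the KEM id through suite_id, so even though K enters unchanged, keys derived under the ML-KEM-1024 suite differ from those derived under any other suite for the same shared secret; the length check in mlkem_shared_secret mirrors the kind of input validation the PR adds around the KEM functions.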

Performance
1000 iterations, 64-byte plaintext. Keygen is measured independently. Encap/Decap = setup_sender/setup_recipient (includes key schedule).
Benchmarks run on Intel Xeon Platinum 8175M (4c/8t @ 2.50GHz, 30 GiB RAM, AVX-512/AES-NI) running Linux 6.17.0-1013-aws.
ML-KEM-1024 full roundtrip is within 3% of X25519 DHKEM. ML-KEM-512/768 are faster due to skipping the ExtractAndExpand step.
Test plan
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.