-
Notifications
You must be signed in to change notification settings - Fork 572
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PQC: ML-KEM #3893
PQC: ML-KEM #3893
Conversation
20da875
to
8c19232
Compare
@reneme, that's great news. I highly appreciate that the different versions can be controlled in the build and invoked at run-time independently.
|
8c19232
to
2dcd938
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
2dcd938
to
f3481b2
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Judging from appendix C.2, the only relevant addition is the domain separation in the seed expansion in Algorithm 13 (KeyGen). Basically, they just append a single byte |
f3481b2
to
eb47076
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as outdated.
This comment was marked as outdated.
Work on it was finished on Friday, it is now awaiting review. So feature-wise it's ready to go. Feel free to pull it into a local build if you want to start prototyping with ML-KEM. Any feedback is appreciated. |
My short feedback: it works fine. Thank you! |
While trying to integrate these changes into our Botan plugin I noticed (see strongswan/strongswan#2228) that these changes allocate the seed for the key pair in a different order, first d and then z instead of the other way around, which is what FIPS-203 describes and other implementations do (and e.g. the referenced KAT vectors do as well). So it's quite awkward to test this implementation using the API. Is there a specific reason this order was chosen? |
For reference: I added my view on this here. TL;DR: In my opinion, downstream users should not pose assumptions on the RNG invocation pattern of any implementation of ML-KEM. For testing with KAT vectors, they should prepare a concatenation of
Not really. We followed the order of operations as stated in FIPS 203, Algorithm 19. |
OK, thanks. That sounds like a way to handle this. I've successfully used
Sorry about that. I read the order in FIPS-203 wrong for some reason, it's definitely d before z (also for the inputs to Algorithm 16). So it's more the referenced KAT vectors, which allocate z before d from the DRBG, that made this awkward. |
3f469ca
to
a2498c1
Compare
adbceba
to
22a97fa
Compare
22a97fa
to
f37999f
Compare
This adapts the existing implementation of Kyber to accomodate the differences between Kyber 3.01 and the final FIPS 203 standard. Kyber (and Kyber 90s) remain supported. All references to the specification were updated to refer into the final FIPS 203. Also, this includes a number of refactorings and improvements in the shared code between Kyber and ML-KEM. Co-Authored-By: Fabian Albert <[email protected]> Co-Authored-By: Amos Treiber <[email protected]>
This adds 'official' KATs from the ACVP-Server provided by NIST. Also included are some python scripts to illustrate the pre-processing necessary to update those KAT files.
The kyber-specific functions remain supported but work slightly different, so that dedicated functions for ML-KEM became necessary.
f37999f
to
33000ab
Compare
Pull Request Dependencies
Descriptions
This builds on the existing Kyber implementation (and the flexibility added in #3387 and #4024) to provide an implementation of ML-KEM as specified in FIPS 203. The OIDs for ML-KEM are also updated to the official definition.
While reviewing the implementation for consistency with the final FIPS 203 we did some minor cleanups/refactorings. Those are currently intertwined in this PR, but could be moved into an independent commit or PR.
Note that each flavor of Kyber/ML-KEM can be disabled at compile time via the modules
kyber
,kyber_90s
,ml_kem
.Integration in FFI as well as into the Python bindings is also included and deprecates some of the kyber-specific FFI functions that are now replaced by algorithm-agnostic key encoding functions.
TODOs
We should probably also look into the official ACVP tests: #1, #2
We already haveprivate_key_bits()
andraw_private_key_bits()
, the latter could return the seed (if it is available). We'll somehow have to distinguish serialized from non-serialized keys for loading: simply by size? 🤔d||z
-type private key format)Either remove the tests entirely, or monitor whether an updated test vector is being released.
Decide on the API (see below)(as with the other FIPS-PRs, let's not bloat this even more and build an API bridge as a follow up)Open Questions re: API
Currently, there's no user-facing API that explicitly states "ML-KEM". Instead, users are expected to use the Kyber-classes with the ML-KEM parameter set. Technically, that should be fine, but I believe this will confuse people in a few years, when they didn't follow the PQC competition at the time and don't associate Kyber with ML-KEM anymore.
I see three options:
ml_kem.h
header (e.g. by flat-out inheriting from the Kyber classes)Also, the FFI currently provides kyber-specific APIs. They should just work (tm) with ML-KEM key material as well, but like above, the names might become confusing for some users in the near future.
Caveats
This pull request initially implemented the Initial Public Draft version of FIPS 203. It was never merged and eventually got updated to implement ML-KEM as specified in the final standard. As a result, no released version of Botan will implement ML-KEM-IPD.
Note that it is an addition! Kyber-R3 (and 90s mode) continue to work as before.
Example
Closes #4346