
Add support for mlkem768x25519 hybrid key exchange #137

Open
loganaden wants to merge 5 commits into openiked:master from cyberstormdotmu:mlkem768x25519

Conversation

@loganaden

which resists quantum computers.

Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Jaykishan Mutkawoa <jay@cyberstorm.mu>
Signed-off-by: Kavish Nadan <kn@cyberstorm.mu>
Member

@tobhe tobhe left a comment

Thank you for the PR! Most of it already looks pretty good. I left a bunch of questions in-line.

cp += crypto_kem_mlkem768_PUBLICKEYBYTES;
}
crypto_scalarmult_curve25519(shared, curve25519->secret, cp);
/* result is hash of concatenation of KEM key and DH shared secret */
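Review bot: the return value of crypto_scalarmult_curve25519() is discarded on the line that derives the DH shared secret; the libsodium version of this function returns -1 when the result is the all-zero point (a low-order peer public key), so the call should be checked and the exchange aborted on failure, e.g. `if (crypto_scalarmult_curve25519(shared, curve25519->secret, cp) != 0)` followed by the caller's usual error return, rather than hashing whatever landed in `shared`.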
Member

I think in the case of ML-KEM we want to include the public keys in the hash too in order to achieve something close to MAL-BIND-K-PK security as defined in https://eprint.iacr.org/2023/1933.pdf.

https://durumcrustulum.com/2024/02/24/how-to-hold-kems/ provides a good summary.

Contributor

@mfriedl mfriedl Jan 29, 2025

something like

        if (kemke->initiator) {
                /* we generate public key */
                kempub = kemke->public;
  ....
        } else {
                /* peer sends public key */
                kempub = cp;
...
        if ((ctx = EVP_MD_CTX_new()) == NULL ||
            EVP_DigestInit_ex(ctx, EVP_sha256(), NULL) != 1 ||
            EVP_DigestUpdate(ctx, kempub, ...) != 1 ||
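The binding both reviewers ask for, as an added example in Python: this is not code from the PR, from iked, or from the sketch above. The combined secret is SHA-256 over the ML-KEM shared secret, the X25519 shared secret, the ML-KEM public key and the ML-KEM ciphertext; feeding in the ciphertext goes beyond what the comments ask for and covers the K-CT half of the binding notion in the cited paper. The KE payload layouts (KEM public key followed by X25519 public key from the initiator, KEM ciphertext followed by X25519 public key from the responder) are an assumption read off the snippet under review, and the KEM and DH outputs are constructed inline rather than computed. `demo_malicious_kem` models a KEM that is not binding, i.e. two different public keys and ciphertexts that decapsulate to the same shared secret, which is exactly the case a secrets-only hash cannot tell apart.

```python
"""Hybrid ML-KEM-768 + X25519 secret combination, with and without
public-key binding.  Added example; not code from this PR or from iked.
The KEM and DH primitives are not run here: their outputs are constructed
inline so the combining step can be exercised on its own."""
import hashlib

# Sizes from FIPS 203 (ML-KEM-768) and RFC 7748 (X25519).
MLKEM768_PK = 1184   # crypto_kem_mlkem768_PUBLICKEYBYTES
MLKEM768_CT = 1088   # crypto_kem_mlkem768_CIPHERTEXTBYTES
MLKEM768_SS = 32
X25519_PK = 32
X25519_SS = 32


def _check_len(buf: bytes, want: int, name: str) -> None:
    if len(buf) != want:
        raise ValueError("%s: expected %d bytes, got %d" % (name, want, len(buf)))


def parse_initiator_ke(payload: bytes) -> tuple:
    """Split an initiator KE blob into (kem_pk, x25519_pk).

    Assumed layout, read off the snippet under review: the KEM public key
    comes first and the X25519 public key directly after it.  The exact
    length is checked before slicing so a short blob cannot yield a
    truncated key."""
    _check_len(payload, MLKEM768_PK + X25519_PK, "initiator KE")
    return payload[:MLKEM768_PK], payload[MLKEM768_PK:]


def parse_responder_ke(payload: bytes) -> tuple:
    """Split a responder KE blob into (kem_ct, x25519_pk); same assumed
    layout, with the KEM ciphertext in place of the public key."""
    _check_len(payload, MLKEM768_CT + X25519_PK, "responder KE")
    return payload[:MLKEM768_CT], payload[MLKEM768_CT:]


def combine_unbound(kem_ss: bytes, dh_ss: bytes) -> bytes:
    """SHA-256(kem_ss || dh_ss): the secrets-only hash the snippet computes."""
    _check_len(kem_ss, MLKEM768_SS, "kem_ss")
    _check_len(dh_ss, X25519_SS, "dh_ss")
    h = hashlib.sha256()
    h.update(kem_ss)
    h.update(dh_ss)
    return h.digest()


def combine_bound(kem_ss: bytes, dh_ss: bytes, kem_pk: bytes, kem_ct: bytes) -> bytes:
    """SHA-256(kem_ss || dh_ss || kem_pk || kem_ct).

    Every input is fixed-length, so plain concatenation is unambiguous and
    no length prefixes are needed.  Hashing pk and ct as well ties the
    derived key to this particular KEM key pair and ciphertext."""
    _check_len(kem_ss, MLKEM768_SS, "kem_ss")
    _check_len(dh_ss, X25519_SS, "dh_ss")
    _check_len(kem_pk, MLKEM768_PK, "kem_pk")
    _check_len(kem_ct, MLKEM768_CT, "kem_ct")
    h = hashlib.sha256()
    for part in (kem_ss, dh_ss, kem_pk, kem_ct):
        h.update(part)
    return h.digest()


def demo_malicious_kem() -> dict:
    """Constructed scenario, not real ML-KEM output: a KEM that is not
    binding yields the same shared secret under two different public keys
    and ciphertexts (A and B).  Returns, per combining variant, the key
    derived for A and the key derived for B so they can be compared."""
    kem_ss = bytes.fromhex("00" * 31 + "01")     # identical for A and B
    dh_ss = bytes.fromhex("11" * X25519_SS)      # honest X25519 output
    pk_a, ct_a = b"\xa1" * MLKEM768_PK, b"\xa2" * MLKEM768_CT
    pk_b, ct_b = b"\xb1" * MLKEM768_PK, b"\xb2" * MLKEM768_CT
    return {
        "unbound": (combine_unbound(kem_ss, dh_ss),
                    combine_unbound(kem_ss, dh_ss)),
        "bound": (combine_bound(kem_ss, dh_ss, pk_a, ct_a),
                  combine_bound(kem_ss, dh_ss, pk_b, ct_b)),
    }


if __name__ == "__main__":
    r = demo_malicious_kem()
    print("secrets-only hash collides for A and B:", r["unbound"][0] == r["unbound"][1])
    print("pk/ct-bound hash collides for A and B: ", r["bound"][0] == r["bound"][1])
```

Running the block prints `True` for the secrets-only variant and `False` for the bound one: with the secrets-only hash, the session key does not depend on which KEM public key was actually used, so a malicious KEM (or a substituted public key) can steer two different exchanges onto the same key; once pk and ct are in the digest, that is no longer possible.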

and Tobias Heider.

Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Jaykishan Mutkawoa <jay@cyberstorm.mu>
Signed-off-by: Kavish Nadan <kn@cyberstorm.mu>
@loganaden
Author

Thank you for the PR! Most of it already looks pretty good. I left a bunch of questions in-line.

Most of the minor issues have been fixed. We are carefully looking at the last part and will push an update accordingly.

Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Jaykishan Mutkawoa <jay@cyberstorm.mu>
Signed-off-by: Kavish Nadan <kn@cyberstorm.mu>
@loganaden
Author

@tobhe @mfriedl can you allow automatic CI runs only for this PR? It will be easier to correct CI issues.

Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Signed-off-by: Jaykishan Mutkawoa <jay@cyberstorm.mu>
Signed-off-by: Kavish Nadan <kn@cyberstorm.mu>
#define KRML_NOINLINE __attribute__((noinline, unused))
#define KRML_HOST_EPRINTF(...)
#define KRML_HOST_EXIT(x) fatal_f("internal error")
#define KRML_HOST_EXIT(x) exit(-1)
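Review bot: KRML_HOST_EXIT is defined twice in this context, once as fatal_f("internal error") and once as exit(-1); only one definition should remain, and it should be the project's fatal helper rather than a bare exit(-1), which bypasses iked's logging. Both variants also drop the status argument x, so either pass it through or document that the macro ignores it.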
Contributor

fatalx()?

Author

@mfriedl will change this. I am going to update the PR soon with one more bugfix.

@mfriedl
Contributor

mfriedl commented Mar 31, 2025

fwiw, i've added pr #138 which binds the secret to the KEM-pubkey. it also uses the kem code directly w/o emulating the libcrypto API.

@loganaden
Author

thanks @mfriedl

3 participants