New post-quantum kex: ML-KEM, and three hybrids of it.

As standardised by NIST in FIPS 203, this is a lattice-based post-quantum KEM. Very vaguely, the idea of it is that your public key is a matrix A and vector t, and the private key is the knowledge of how to decompose t into two vectors with all their coefficients small, one transformed by A relative to the other. Encryption of a binary secret starts by turning each bit into one of two maximally separated residues mod a prime q, and then adding 'noise' based on the public key in the form of small increments and decrements mod q, again with some of the noise transformed by A relative to the rest. Decryption uses the knowledge of t's decomposition to align the two sets of noise so that the _large_ changes (which masked the secret from an eavesdropper) cancel out, leaving only a collection of small changes to the original secret vector. Then the vector of input bits can be recovered by assuming that those accumulated small pieces of noise haven't concentrated in any particular residue enough to push it more than half way to the other of its possible starting values. A weird feature of it is that decryption is not a true mathematical inverse of encryption. The assumption that the noise doesn't get large enough to flip any bit of the secret is only probabilistically valid, not a hard guarantee. In other words, key agreement can fail, simply by getting particularly unlucky with the distribution of your random noise! However, the probability of a failure is very low - less than 2^-138 even for ML-KEM-512, and gets even smaller with the larger variants. An awkward feature for our purposes is that the matrix A, containing a large number of residues mod the prime q=3329, is required to be constructed by a process of rejection sampling, i.e. generating random 12-bit values and throwing away the out-of-range ones. That would be a real pain for our side-channel testing system, which generally handles rejection sampling badly (since it necessarily involves data-dependent control flow and timing variation). Fortunately, the matrix and the random seed it was made from are both public: the matrix seed is transmitted as part of the public key, so it's not necessary to try to hide it. Accordingly, I was able to get the implementation to pass testsc by means of not varying the matrix seed between runs, which is justified by the principle of testsc that you vary the _secrets_ to ensure timing is independent of them - and the matrix seed isn't a secret, so you're allowed to keep it the same. The three hybrid algorithms, defined by the current Internet-Draft draft-kampanakis-curdle-ssh-pq-ke, include one hybrid of ML-KEM-768 with Curve25519 in exactly the same way we were already hybridising NTRU Prime with Curve25519, and two more hybrids of ML-KEM with ECDH over a NIST curve. The former hybrid interoperates with the implementation in OpenSSH 9.9; all three interoperate with the fork 'openssh-oqs' at github.com/open-quantum-safe/openssh, and also with the Python library AsyncSSH.
2025-06-30 19:12:48 -05:00 · 2024-12-07 19:33:39 +00:00
parent b36d490b5d
commit e98615f0ba
15 changed files with 1618 additions and 4 deletions
--- a/test/cryptsuite.py
+++ b/test/cryptsuite.py
--- a/test/testcrypt-enum.h
+++ b/test/testcrypt-enum.h
@ -160,6 +160,12 @@ BEGIN_ENUM_TYPE(argon2flavour)
    ENUM_VALUE("Argon2id", Argon2id)
 END_ENUM_TYPE(argon2flavour)

+BEGIN_ENUM_TYPE(mlkem_params)
+    ENUM_VALUE("mlkem512", &mlkem_params_512)
+    ENUM_VALUE("mlkem768", &mlkem_params_768)
+    ENUM_VALUE("mlkem1024", &mlkem_params_1024)
+END_ENUM_TYPE(mlkem_params)
+
 BEGIN_ENUM_TYPE(fptype)
    ENUM_VALUE("md5", SSH_FPTYPE_MD5)
    ENUM_VALUE("sha256", SSH_FPTYPE_SHA256)
--- a/test/testcrypt-func.h
+++ b/test/testcrypt-func.h
@ -405,6 +405,36 @@ FUNC_WRAPPED(int16_list, ntru_encrypt, ARG(int16_list, plaintext),
 FUNC_WRAPPED(int16_list, ntru_decrypt, ARG(int16_list, ciphertext),
             ARG(val_ntrukeypair, keypair))

+/*
+ * ML-KEM and its subroutines.
+ */
+FUNC(void, mlkem_keygen,
+     ARG(out_val_string_binarysink, ek), ARG(out_val_string_binarysink, dk),
+     ARG(mlkem_params, params))
+FUNC_WRAPPED(void, mlkem_keygen_internal,
+             ARG(out_val_string_binarysink, ek),
+             ARG(out_val_string_binarysink, dk),
+             ARG(mlkem_params, params),
+             ARG(val_string_ptrlen, d), ARG(val_string_ptrlen, z))
+FUNC_WRAPPED(void, mlkem_keygen_rho_sigma,
+             ARG(out_val_string_binarysink, ek),
+             ARG(out_val_string_binarysink, dk),
+             ARG(mlkem_params, params), ARG(val_string_ptrlen, rho),
+             ARG(val_string_ptrlen, sigma), ARG(val_string_ptrlen, z))
+FUNC(boolean, mlkem_encaps,
+     ARG(out_val_string_binarysink, ciphertext),
+     ARG(out_val_string_binarysink, k),
+     ARG(mlkem_params, params),
+     ARG(val_string_ptrlen, ek))
+FUNC_WRAPPED(boolean, mlkem_encaps_internal,
+             ARG(out_val_string_binarysink, ciphertext),
+             ARG(out_val_string_binarysink, k),
+             ARG(mlkem_params, params),
+             ARG(val_string_ptrlen, ek), ARG(val_string_ptrlen, m))
+FUNC(boolean, mlkem_decaps, ARG(out_val_string_binarysink, k),
+     ARG(mlkem_params, params), ARG(val_string_ptrlen, dk),
+     ARG(val_string_ptrlen, ciphertext))
+
 /*
 * RSA key exchange, and also the BinarySource get function
 * get_ssh1_rsa_priv_agent, which is a convenient way to make an
--- a/test/testcrypt.c
+++ b/test/testcrypt.c
@ -36,6 +36,7 @@
 #include "mpint.h"
 #include "crypto/ecc.h"
 #include "crypto/ntru.h"
+#include "crypto/mlkem.h"
 #include "proxy/cproxy.h"

 static NORETURN PRINTF_LIKE(1, 2) void fatal_error(const char *p, ...)
@ -231,6 +232,7 @@ typedef struct mr_result TD_mr_result;
 typedef Argon2Flavour TD_argon2flavour;
 typedef FingerprintType TD_fptype;
 typedef HttpDigestHash TD_httpdigesthash;
+typedef const mlkem_params *TD_mlkem_params;

 #define BEGIN_ENUM_TYPE(name)                                           \
    static bool enum_translate_##name(ptrlen valname, TD_##name *out) { \
@ -444,12 +446,19 @@ static unsigned *get_out_uint(BinarySource *in)
    return uval;
 }

-static BinarySink *get_out_val_string_binarysink(BinarySource *in)
+static strbuf **get_out_val_string(BinarySource *in)
 {
    Value *val = value_new(VT_string);
-    val->vu_string = strbuf_new();
+    val->vu_string = NULL;
    add_finaliser(finaliser_return_value, val);
-    return BinarySink_UPCAST(val->vu_string);
+    return &val->vu_string;
+}
+
+static BinarySink *get_out_val_string_binarysink(BinarySource *in)
+{
+    strbuf *sb = strbuf_new();
+    *get_out_val_string(in) = sb;
+    return BinarySink_UPCAST(sb);
 }

 static void return_val_string_asciz_const(strbuf *out, const char *s);
@ -1031,6 +1040,33 @@ int16_list *ntru_decrypt_wrapper(int16_list *ciphertext, NTRUKeyPair *keypair)
    return out;
 }

+void mlkem_keygen_internal_wrapper(
+    BinarySink *ek, BinarySink *dk, const mlkem_params *params,
+    ptrlen d, ptrlen z)
+{
+    assert(d.len == 32 && "Invalid d length");
+    assert(z.len == 32 && "Invalid z length");
+    mlkem_keygen_internal(ek, dk, params, d.ptr, z.ptr);
+}
+
+void mlkem_keygen_rho_sigma_wrapper(
+    BinarySink *ek, BinarySink *dk, const mlkem_params *params,
+    ptrlen rho, ptrlen sigma, ptrlen z)
+{
+    assert(rho.len == 32 && "Invalid rho length");
+    assert(sigma.len == 32 && "Invalid sigma length");
+    assert(z.len == 32 && "Invalid z length");
+    mlkem_keygen_rho_sigma(ek, dk, params, rho.ptr, sigma.ptr, z.ptr);
+}
+
+bool mlkem_encaps_internal_wrapper(BinarySink *ciphertext, BinarySink *kout,
+                                   const mlkem_params *params, ptrlen ek,
+                                   ptrlen m)
+{
+    assert(m.len == 32 && "Invalid m length");
+    return mlkem_encaps_internal(ciphertext, kout, params, ek, m.ptr);
+}
+
 strbuf *rsa_ssh1_encrypt_wrapper(ptrlen input, RSAKey *key)
 {
    /* Fold the boolean return value in C into the string return value
--- a/test/testcrypt.py
+++ b/test/testcrypt.py
@ -182,7 +182,7 @@ def make_argword(arg, argtype, fnname, argindex, argname, to_preserve):
    if typename in {
            "hashalg", "macalg", "keyalg", "cipheralg",
            "dh_group", "ecdh_alg", "rsaorder", "primegenpolicy",
-            "argon2flavour", "fptype", "httpdigesthash"}:
+            "argon2flavour", "fptype", "httpdigesthash", "mlkem_params"}:
        arg = coerce_to_bytes(arg)
        if isinstance(arg, bytes) and b" " not in arg:
            dictkey = (typename, arg)
--- a/test/testsc.c
+++ b/test/testsc.c
@ -82,6 +82,7 @@
 #include "mpint.h"
 #include "crypto/ecc.h"
 #include "crypto/ntru.h"
+#include "crypto/mlkem.h"

 static NORETURN PRINTF_LIKE(1, 2) void fatal_error(const char *p, ...)
 {
@ -431,6 +432,9 @@ VOLATILE_WRAPPED_DEFN(static, size_t, looplimit, (size_t x))
    X(argon2)                                   \
    X(primegen_probabilistic)                   \
    X(ntru)                                     \
+    X(mlkem512)                                 \
+    X(mlkem768)                                 \
+    X(mlkem1024)                                \
    X(rfc6979_setup)                            \
    X(rfc6979_attempt)                          \
    /* end of list */
@ -1745,6 +1749,60 @@ static void test_ntru(void)
    strbuf_free(buffer);
 }

+static void test_mlkem(const mlkem_params *params)
+{
+    char rho[32], sigma[32], z[32], m[32], ek[1568], dk[3168], c[1568];
+    char k[32], k2[32];
+
+    /* rho is a random but public value, so side channels are allowed
+     * to reveal it (and undoubtedly will). So we don't vary it
+     * between runs. */
+    random_read(rho, 32);
+
+    for (size_t i = 0; i < looplimit(32); i++) {
+        random_advance_counter();
+        random_read(sigma, 32);
+        random_read(z, 32);
+        random_read(m, 32);
+
+        log_start();
+
+        /* Every other iteration, tamper with the ciphertext so that
+         * implicit rejection occurs, because we need to test that
+         * that too is done in constant time. */
+        unsigned tampering = i & 1;
+
+        buffer_sink ek_sink[1]; buffer_sink_init(ek_sink, ek, sizeof(ek));
+        buffer_sink dk_sink[1]; buffer_sink_init(dk_sink, dk, sizeof(dk));
+        buffer_sink c_sink[1]; buffer_sink_init(c_sink, c, sizeof(c));
+        buffer_sink k_sink[1]; buffer_sink_init(k_sink, k, sizeof(k));
+        mlkem_keygen_rho_sigma(
+            BinarySink_UPCAST(ek_sink), BinarySink_UPCAST(dk_sink),
+            params, rho, sigma, z);
+        ptrlen ek_pl = make_ptrlen(ek, ek_sink->out - ek);
+        ptrlen dk_pl = make_ptrlen(dk, dk_sink->out - dk);
+        mlkem_encaps_internal(
+            BinarySink_UPCAST(c_sink), BinarySink_UPCAST(k_sink),
+            params, ek_pl, m);
+        dk[0] ^= tampering;
+        ptrlen c_pl = make_ptrlen(c, c_sink->out - c);
+        buffer_sink_init(k_sink, k2, sizeof(k2));
+        bool success = mlkem_decaps(
+            BinarySink_UPCAST(k_sink), params, dk_pl, c_pl);
+
+        log_end();
+
+        assert(success);
+        unsigned eq_expected = tampering ^ 1;
+        unsigned eq = smemeq(k, k2, 32);
+        assert(eq == eq_expected);
+    }
+}
+
+static void test_mlkem512(void) { test_mlkem(&mlkem_params_512); }
+static void test_mlkem768(void) { test_mlkem(&mlkem_params_768); }
+static void test_mlkem1024(void) { test_mlkem(&mlkem_params_1024); }
+
 static void test_rfc6979_setup(void)
 {
    mp_int *q = mp_new(512);