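--- a/docs/asymmetric.rst
+++ b/docs/asymmetric.rst
@@ -81,3 +81,35 @@ ECC
 .. autoclass:: EccPrivate
 :members:
 :inherited-members:
+
+ML-KEM
+------
+
+.. autoclass:: MlKemType
+:show-inheritance:
+
+.. autoclass:: MlKemPublic
+:private-members:
+:members:
+:inherited-members:
+
+.. autoclass:: MlKemPrivate
+:members:
+:inherited-members:
+
+**Example:**
+
+>>> from wolfcrypt.ciphers import MlKemType, MlKemPrivate, MlKemPublic
+>>>
+>>> mlkem_type = MlKemType.ML_KEM_512
+>>>
+>>> mlkem_priv = MlKemPrivate.make_key(mlkem_type)
+>>> pub_key = mlkem_priv.encode_pub_key()
+>>>
+>>> mlkem_pub = MlKemPublic(mlkem_type)
+>>> mlkem_pub.decode_key(pub_key)
+>>> ss_send, ct = mlkem_pub.encapsulate()
+>>>
+>>> ss_recv = mlkem_priv.decapsulate(ct)
+>>> ss_send == ss_recv
+True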
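--- a/scripts/build_ffi.py
+++ b/scripts/build_ffi.py
@@ -232,6 +232,9 @@ def make_flags(prefix, fips):
 flags.append("--enable-pwdbased")
 flags.append("--enable-pkcs7")
 
+# ML-KEM
+flags.append("--enable-kyber")
+
 # disabling other configs enabled by default
 flags.append("--disable-oldtls")
 flags.append("--disable-oldnames")
@@ -442,6 +445,8 @@ def build_ffi(local_wolfssl, features):
 #include <wolfssl/wolfcrypt/curve25519.h>
 #include <wolfssl/wolfcrypt/poly1305.h>
 #include <wolfssl/wolfcrypt/chacha20_poly1305.h>
+#include <wolfssl/wolfcrypt/kyber.h>
+#include <wolfssl/wolfcrypt/wc_kyber.h>
 """
 
 init_source_string = """
@@ -478,6 +483,7 @@ def build_ffi(local_wolfssl, features):
 int AESGCM_STREAM_ENABLED = """ + str(features["AESGCM_STREAM"]) + """;
 int RSA_PSS_ENABLED = """ + str(features["RSA_PSS"]) + """;
 int CHACHA20_POLY1305_ENABLED = """ + str(features["CHACHA20_POLY1305"]) + """;
+int ML_KEM_ENABLED = """ + str(features["ML_KEM"]) + """;
 """
 
 ffibuilder.set_source( "wolfcrypt._ffi", init_source_string,
@@ -513,6 +519,7 @@ def build_ffi(local_wolfssl, features):
 extern int AESGCM_STREAM_ENABLED;
 extern int RSA_PSS_ENABLED;
 extern int CHACHA20_POLY1305_ENABLED;
+extern int ML_KEM_ENABLED;
 
 typedef unsigned char byte;
 typedef unsigned int word32;
@@ -922,6 +929,30 @@ def build_ffi(local_wolfssl, features):
 int wolfCrypt_GetPrivateKeyReadEnable_fips(enum wc_KeyType);
 """
 
+if features["ML_KEM"]:
+cdef += """
+static const int WC_ML_KEM_512;
+static const int WC_ML_KEM_768;
+static const int WC_ML_KEM_1024;
+static const int INVALID_DEVID;
+typedef struct {...; } KyberKey;
+int wc_KyberKey_CipherTextSize(KyberKey* key, word32* len);
+int wc_KyberKey_SharedSecretSize(KyberKey* key, word32* len);
+int wc_KyberKey_PrivateKeySize(KyberKey* key, word32* len);
+int wc_KyberKey_PublicKeySize(KyberKey* key, word32* len);
+int wc_KyberKey_Init(int type, KyberKey* key, void* heap, int devId);
+void wc_KyberKey_Free(KyberKey* key);
+int wc_KyberKey_MakeKey(KyberKey* key, WC_RNG* rng);
+int wc_KyberKey_MakeKeyWithRandom(KyberKey* key, const unsigned char* rand, int len);
+int wc_KyberKey_EncodePublicKey(KyberKey* key, unsigned char* out, word32 len);
+int wc_KyberKey_DecodePublicKey(KyberKey* key, const unsigned char* in, word32 len);
+int wc_KyberKey_Encapsulate(KyberKey* key, unsigned char* ct, unsigned char* ss, WC_RNG* rng);
+int wc_KyberKey_EncapsulateWithRandom(KyberKey* key, unsigned char* ct, unsigned char* ss, const unsigned char* rand, int len);
+int wc_KyberKey_Decapsulate(KyberKey* key, unsigned char* ss, const unsigned char* ct, word32 len);
+int wc_KyberKey_EncodePrivateKey(KyberKey* key, unsigned char* out, word32 len);
+int wc_KyberKey_DecodePrivateKey(KyberKey* key, const unsigned char* in, word32 len);
+"""
+
 ffibuilder.cdef(cdef)
 
 def main(ffibuilder):
@@ -951,7 +982,8 @@ def main(ffibuilder):
 "WC_RNG_SEED_CB": 0,
 "AESGCM_STREAM": 1,
 "RSA_PSS": 1,
-"CHACHA20_POLY1305": 1
+"CHACHA20_POLY1305": 1,
+"ML_KEM": 1
 }
 
 # Ed448 requires SHAKE256, which isn't part of the Windows build, yet.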
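Review bot: The ML-KEM feature is gated inconsistently across these hunks: the new `cdef` block sits under `if features["ML_KEM"]:`, but `#include <wolfssl/wolfcrypt/kyber.h>` / `wc_kyber.h` and `flags.append("--enable-kyber")` are unconditional, so a build against a wolfSSL tree that lacks those headers would fail at compile time even with `ML_KEM` set to 0. In `main` the default is hard-coded as `"ML_KEM": 1`, while the context line right below the dict notes that Ed448 is affected because SHAKE256 is not part of the Windows build; ML-KEM also relies on SHA-3/SHAKE, so it presumably needs the same platform adjustment, and the `fips` argument of `make_flags` is not consulted before enabling Kyber — both worth confirming. Separately, the cdef exposes `wc_KyberKey_MakeKeyWithRandom` and `wc_KyberKey_EncapsulateWithRandom`, which take caller-supplied randomness; I would add a Python comment above the `if features["ML_KEM"]:` block such as `# *WithRandom variants are deterministic: rand must be fresh CSPRNG output of the exact required length (known-answer tests only)` so the wrapper does not present them as the normal path. `make_flags`, `build_ffi` and `main` all continue outside the visible hunks, so existing guards elsewhere could not be checked.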