ML-KEM keygen Pairwise Consistency Test #1964
| * Returns 0 (success) | ||
| * Returns 0 on success, aborts on failure. | ||
| **************************************************/ | ||
| int crypto_kem_keypair(ml_kem_params *params, |
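Review bot: The new doc comment on these lines states "aborts on failure" unconditionally, but the thread notes the abort happens only in FIPS builds; the comment should say "aborts on PCT failure in FIPS mode" and also document what the function returns to the caller in non-FIPS builds when the PCT fails, since a caller reading "Returns 0 on success" has no documented failure value to check.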
Is it possible to add a death test in crypto/evp_extra/evp_extra_test.cc as done in aws-lc/crypto/fipsmodule/ec/ec_test.cc (line 1493 in 25709ca)?
Not really, because the PCT is part of keygen itself (and KEM params are hard-coded constants). In a future change I think I'll pull out the PCT as a separate function, add it as one of the KEM methods, and then call it in the high-level API. Maybe then we'll be able to implement a death test.
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #1964):

| | main | #1964 | +/- |
|---|---|---|---|
| Coverage | 78.73% | 78.74% | +0.01% |
| Files | 590 | 590 | |
| Lines | 101428 | 101429 | +1 |
| Branches | 14384 | 14383 | -1 |
| Hits | 79856 | 79871 | +15 |
| Misses | 20935 | 20919 | -16 |
| Partials | 637 | 639 | +2 |
nebeid left a comment:
Are there other checks that give assurance about the generated key in non-FIPS builds?
| * (an already allocated array filled with 2*KYBER_SYMBYTES random bytes) | ||
| ** | ||
| * Returns 0 (success) | ||
| * Returns 0 on success, aborts on failure. |
NP: It only "aborts on failure" when in FIPS mode.
| * (an already allocated array of KYBER_SECRETKEYBYTES bytes) | ||
| * | ||
| * Returns 0 (success) | ||
| * Returns 0 on success, aborts on failure. |
NP: It only "aborts on failure" when in FIPS mode.
| @@ -34,6 +53,13 @@ int crypto_kem_keypair_derand(ml_kem_params *params, | |||
| hash_h(sk+params->secret_key_bytes-2*KYBER_SYMBYTES, pk, params->public_key_bytes); | |||
NP: This hash operation documents that it returns NULL on failure. Should we be checking that?
This change implements the ML-KEM Pairwise Consistency Test (PCT) for key generation as required by FIPS 140-3 Implementation Guidance. This effectively triples the runtime of key generation.
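The structure discussed in this thread (a PCT that runs encapsulation and decapsulation on the freshly generated pair and compares the shared secrets, aborting only in FIPS mode and otherwise reporting an error to the caller, which is why key generation costs roughly three primitive operations), as an added example that is not the aws-lc code from this PR. It uses a constructed, deliberately insecure toy KEM in place of ML-KEM so it runs offline; the names `toy_keypair_derand`, `toy_encaps`, `toy_decaps`, `kem_pct`, `keypair_with_pct` and the `corrupt` flag that simulates a faulty key pair are all assumptions of this example, and `fatal` stands in for the module's abort.

```python
"""Pairwise Consistency Test (PCT) around KEM key generation.

Added example. The KEM below is a constructed stand-in built from SHA-256
(NOT ML-KEM and NOT secure); only the PCT control flow is the point.
"""
import hashlib
import hmac
import os

SYMBYTES = 32  # toy analogue of KYBER_SYMBYTES


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def toy_keypair_derand(coins: bytes):
    """Deterministic keygen from 2*SYMBYTES coins (mirrors the derand shape)."""
    assert len(coins) == 2 * SYMBYTES
    sk_seed, pk_seed = coins[:SYMBYTES], coins[SYMBYTES:]
    pk = _h(b"pk", sk_seed, pk_seed)
    sk = sk_seed + pk  # sk carries pk so decaps can recompute the secret
    return pk, sk


def toy_encaps(pk: bytes, coins: bytes):
    ct = _h(b"ct", pk, coins)
    return ct, _h(b"ss", pk, ct)


def toy_decaps(sk: bytes, ct: bytes) -> bytes:
    return _h(b"ss", sk[SYMBYTES:], ct)


def kem_pct(pk: bytes, sk: bytes, encaps, decaps) -> bool:
    """PCT pulled out as its own function: encaps with pk, decaps with sk,
    constant-time compare of the two shared secrets."""
    ct, ss_enc = encaps(pk, os.urandom(SYMBYTES))
    ss_dec = decaps(sk, ct)
    return hmac.compare_digest(ss_enc, ss_dec)


def _abort(msg: str):
    # Stand-in for the FIPS module's abort(); raising keeps it testable.
    raise SystemExit(msg)


def keypair_with_pct(coins: bytes, fips_mode: bool, corrupt: bool = False,
                     fatal=_abort):
    """Keygen followed by the PCT. Returns (pk, sk) on success.

    corrupt=True flips one bit of pk after generation to simulate a
    faulty key pair (constructed for this example). In FIPS mode a PCT
    failure is fatal; in non-FIPS mode the caller gets None back.
    Cost: one keygen + one encaps + one decaps, i.e. ~3x plain keygen.
    """
    pk, sk = toy_keypair_derand(coins)
    if corrupt:
        pk = bytes([pk[0] ^ 1]) + pk[1:]
    if not kem_pct(pk, sk, toy_encaps, toy_decaps):
        if fips_mode:
            fatal("KEM keygen PCT failed")
        return None
    return pk, sk


if __name__ == "__main__":
    coins = bytes(range(2 * SYMBYTES))  # constructed, fixed coins
    print("good pair passes:", keypair_with_pct(coins, False) is not None)
    print("faulty pair (non-FIPS) returns None:",
          keypair_with_pct(coins, False, corrupt=True) is None)
```

The comparison uses a constant-time check, and the `fatal` hook is separated from the return path so the FIPS-mode behaviour can be exercised in a test without actually terminating the process, which is the death-test difficulty the thread describes.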
## What's Changed

* 800-131Ar1: length of the key-derivation key shall be at least 112 bits. by @skmcgrail in #1924
* Marshalling/Unmarshalling DH public keys by @justsmth in #1916
* Also prune SSM documents from ec2-test-framework by @samuel40791765 in #1925
* Use illegal_parameter instead of decode_error for invalid key shares by @justsmth in #1923
* Add null check in dh testing by @torben-hansen in #1937
* DH paramgen callback by @justsmth in #1928
* Upstream merge 2024 10 17 by @torben-hansen in #1934
* Remove old Intel CPU types by @justsmth in #1942
* Remove retries on PCT failure in EC and RSA key generation. by @nebeid in #1938
* Add p4p, bump up time by @justsmth in #1943
* PQ README by @jakemas in #1932
* bump mysql CI to 9.1.0 by @justsmth in #1939
* HKDF, HKDF_expand, and PBKDF Truncated SHA2-512 by @skmcgrail in #1946
* Missing functionality + Adding Nmap to our CI by @smittals2 in #1915
* Fix FIPS.md typo by @justsmth in #1950
* Support encode or decode ∞ like OpenSSL by @samuel40791765 in #1930
* Expand support for EVP_PKEY_HMAC by @justsmth in #1933
* Add PKCS7-internal BIO_f_cipher by @WillChilds-Klein in #1836
* Add PKCS7-internal BIO_f_md by @WillChilds-Klein in #1886
* Ruby Support - DSA custom md by @justsmth in #1953
* Add support for POINT_CONVERSION_HYBRID by @samuel40791765 in #1936
* Fixes for Coverity Alerts by @smittals2 in #1960
* Also test w/ gcc 4.8 by @justsmth in #1962
* Actually add support for SSL_get_server/peer_tmp_key by @samuel40791765 in #1945
* Coverity Fix Null Check by @smittals2 in #1965
* ML-KEM keygen Pairwise Consistency Test by @dkostic in #1964
* EDDSA PCT by @torben-hansen in #1968
* Expose AES_cfb1_encrypt and AES_cfb8_encrypt by @skmcgrail in #1967

**Full Changelog**: v1.37.0...v1.38.0
Issues:
N/A
Description of changes:
This change implements the ML-KEM Pairwise Consistency Test (PCT)
for key generation as required by FIPS 140-3 Implementation Guidance.
Call-outs:
Point out areas that need special attention or support during the review process. Discuss architecture or design changes.
Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.