Adding Kyber768 and Kyber1024 (round 3) KEMs (aws#784)

Co-authored-by: dkostic <[email protected]>
aqjune-aws · Feb 14, 2023 · fb42ac6 · fb42ac6
1 parent 3990d32
commit fb42ac6
Show file tree

Hide file tree

Showing 22 changed files with 2,582 additions and 748 deletions.
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
@@ -360,8 +360,10 @@ add_library(
   hpke/hpke.c
   hrss/hrss.c
   kem/kem.c
-  kem/kyber_methods_placeholder.c
-  kyber/kyber512_ref.c
+  kem/kem_methods.c
+  kyber/kyber512r3_ref.c
+  kyber/kyber768r3_ref.c
+  kyber/kyber1024r3_ref.c
   kyber/pqcrystals_kyber_ref_common/fips202.c
   kyber/kem_kyber.c
   lhash/lhash.c

diff --git a/crypto/evp_extra/evp_extra_test.cc b/crypto/evp_extra/evp_extra_test.cc
@@ -1714,7 +1714,9 @@ struct KnownKEM {
 };
 
 static const struct KnownKEM kKEMs[] = {
-  {"Kyber512r3", NID_KYBER512_R3, 800, 1632, 768, 32, "kyber/kat/kyber512.txt"},
+  {"Kyber512r3", NID_KYBER512_R3, 800, 1632, 768, 32, "kyber/kat/kyber512r3.txt"},
+  {"Kyber768r3", NID_KYBER768_R3, 1184, 2400, 1088, 32, "kyber/kat/kyber768r3.txt"},
+  {"Kyber1024r3", NID_KYBER1024_R3, 1568, 3168, 1568, 32, "kyber/kat/kyber1024r3.txt"},
 };
 
 class PerKEMTest : public testing::TestWithParam<KnownKEM> {};

diff --git a/crypto/kem/internal.h b/crypto/kem/internal.h
@@ -25,8 +25,9 @@ typedef struct {
                 const uint8_t *secret_key);
 } KEM_METHOD;
 
-extern const KEM_METHOD kem_kyber512_r3_method;
-// extern const KEM_METHOD *KEM_kyber768_method;
+extern const KEM_METHOD kem_kyber512r3_method;
+extern const KEM_METHOD kem_kyber768r3_method;
+extern const KEM_METHOD kem_kyber1024r3_method;
 
 // KEM structure and helper functions.
 typedef struct {

diff --git a/crypto/kem/kem.c b/crypto/kem/kem.c
@@ -16,10 +16,12 @@
 //        - Kyber is not standardized yet, so we use the latest specification
 //          from Round 3 of NIST PQC project.
 
-#define AWSLC_NUM_BUILT_IN_KEMS 1
+#define AWSLC_NUM_BUILT_IN_KEMS 3
 
-// TODO(awslc): placeholder OID, replace with the real one when available.
-static const uint8_t kOIDKyber512r3[] = {0xff, 0xff, 0xff, 0xff};
+// TODO(awslc): placeholder OIDs, replace with the real ones when available.
+static const uint8_t kOIDKyber512r3[]  = {0xff, 0xff, 0xff, 0xff};
+static const uint8_t kOIDKyber768r3[]  = {0xff, 0xff, 0xff, 0xff};
+static const uint8_t kOIDKyber1024r3[] = {0xff, 0xff, 0xff, 0xff};
 
 static const KEM built_in_kems[AWSLC_NUM_BUILT_IN_KEMS] = {
   {
@@ -31,21 +33,32 @@ static const KEM built_in_kems[AWSLC_NUM_BUILT_IN_KEMS] = {
     1632,                    // kem.secret_key_len
     768,                     // kem.ciphertext_len
     32,                      // kem.shared_secret_len
-    &kem_kyber512_r3_method, // kem.method
+    &kem_kyber512r3_method,  // kem.method
   },
 
-  // Example how adding new KEM looks like:
-  // {
-  //   NID_KYBER768,         // kem.nid
-  //   kOIDKyber768,         // kem.oid
-  //   sizeof(kOIDKyber768), // kem.oid_len
-  //   "Kyber7678,           // kem.comment
-  //   1184,                 // kem.public_key_len
-  //   2400,                 // kem.secret_key_len
-  //   1088,                 // kem.ciphertext_len
-  //   32,                   // kem.shared_secret_len
-  //   &kem_kyber768_method, // kem.method
-  // },
+  {
+    NID_KYBER768_R3,         // kem.nid
+    kOIDKyber768r3,          // kem.oid
+    sizeof(kOIDKyber768r3),  // kem.oid_len
+    "Kyber768 Round-3",      // kem.comment
+    1184,                    // kem.public_key_len
+    2400,                    // kem.secret_key_len
+    1088,                    // kem.ciphertext_len
+    32,                      // kem.shared_secret_len
+    &kem_kyber768r3_method,  // kem.method
+  },
+
+  {
+    NID_KYBER1024_R3,         // kem.nid
+    kOIDKyber1024r3,          // kem.oid
+    sizeof(kOIDKyber1024r3),  // kem.oid_len
+    "Kyber1024 Round-3",      // kem.comment
+    1568,                     // kem.public_key_len
+    3168,                     // kem.secret_key_len
+    1568,                     // kem.ciphertext_len
+    32,                       // kem.shared_secret_len
+    &kem_kyber1024r3_method,  // kem.method
+  },
 };
 
 const KEM *KEM_find_kem_by_nid(int nid) {

diff --git a/crypto/kem/kem_methods.c b/crypto/kem/kem_methods.c
@@ -0,0 +1,79 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include <openssl/base.h>
+
+#include "../fipsmodule/delocate.h"
+#include "../internal.h"
+#include "internal.h"
+
+#include "../kyber/kem_kyber.h"
+
+static int kyber512r3_keygen(uint8_t *public_key,
+                             uint8_t *secret_key) {
+  return kyber512r3_keypair(public_key, secret_key) == 0;
+}
+
+static int kyber512r3_encaps(uint8_t *ciphertext,
+                             uint8_t *shared_secret,
+                             const uint8_t *public_key) {
+  return kyber512r3_encapsulate(ciphertext, shared_secret, public_key) == 0;
+}
+
+static int kyber512r3_decaps(uint8_t *shared_secret,
+                             const uint8_t *ciphertext,
+                             const uint8_t *secret_key) {
+  return kyber512r3_decapsulate(shared_secret, ciphertext, secret_key) == 0;
+}
+
+const KEM_METHOD kem_kyber512r3_method = {
+  kyber512r3_keygen,
+  kyber512r3_encaps,
+  kyber512r3_decaps,
+};
+
+static int kyber768r3_keygen(uint8_t *public_key,
+                             uint8_t *secret_key) {
+  return kyber768r3_keypair(public_key, secret_key) == 0;
+}
+
+static int kyber768r3_encaps(uint8_t *ciphertext,
+                             uint8_t *shared_secret,
+                             const uint8_t *public_key) {
+  return kyber768r3_encapsulate(ciphertext, shared_secret, public_key) == 0;
+}
+
+static int kyber768r3_decaps(uint8_t *shared_secret,
+                             const uint8_t *ciphertext,
+                             const uint8_t *secret_key) {
+  return kyber768r3_decapsulate(shared_secret, ciphertext, secret_key) == 0;
+}
+
+const KEM_METHOD kem_kyber768r3_method = {
+  kyber768r3_keygen,
+  kyber768r3_encaps,
+  kyber768r3_decaps,
+};
+
+static int kyber1024r3_keygen(uint8_t *public_key,
+                              uint8_t *secret_key) {
+  return kyber1024r3_keypair(public_key, secret_key) == 0;
+}
+
+static int kyber1024r3_encaps(uint8_t *ciphertext,
+                              uint8_t *shared_secret,
+                              const uint8_t *public_key) {
+  return kyber1024r3_encapsulate(ciphertext, shared_secret, public_key) == 0;
+}
+
+static int kyber1024r3_decaps(uint8_t *shared_secret,
+                              const uint8_t *ciphertext,
+                              const uint8_t *secret_key) {
+  return kyber1024r3_decapsulate(shared_secret, ciphertext, secret_key) == 0;
+}
+
+const KEM_METHOD kem_kyber1024r3_method = {
+  kyber1024r3_keygen,
+  kyber1024r3_encaps,
+  kyber1024r3_decaps,
+};
diff --git a/crypto/kem/kyber_methods_placeholder.c b/crypto/kem/kyber_methods_placeholder.c
diff --git a/crypto/kyber/README.md b/crypto/kyber/README.md
@@ -8,11 +8,11 @@ The AWS-LC team considers the official repository of [Kyber](https://github.com/
 
 NIST has not published the final PQ standard yet, and is not expected to do so until 2024. Therefore, the specification and implementation of Kyber is not finalized yet. Potentially, there will be changes to Kyber in the future. Some changes might even break backwards compatibility. The AWS-LC team follows the developments around the PQC project and will update the implementation and documentation if necessary. Therefore, AWS-LC can not promise backward compatibility of the Kyber implementation and API until NIST locks in the specification and reserves the right to change the implementation if necessary.
 
-**Supported versions.** AWS-LC supports only Kyber512 algorithm at this point. The NID assigned to Kyber512 is `NID_KYBER512` and the corresponding `PKEY` identifier is `EVP_PKEY_KYBER512`.
+**Supported versions.** AWS-LC supports Kyber512/768/1024 algorithms (as specified in the Round-3 submission of Kyber). The NIDs assigned to Kyber512/768/1024 are `NID_KYBER512_R3`, `NID_KYBER768_R3`, `NID_KYBER1024_R3`, respectively.
 
-**Source code origin and modifications.** The source code was taken from the primary source of Kyber at [link](https://github.com/pq-crystals/kyber), at [commit](https://github.com/pq-crystals/kyber/tree/faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2) as of September 13th 2021. Only the reference C implementation of Kyber512 is currently integrated. The source code is in the `pqcrystals_kyber_ref_common` folder.
+**Source code origin and modifications.** The source code was taken from the primary source of Kyber at [link](https://github.com/pq-crystals/kyber), at [commit](https://github.com/pq-crystals/kyber/tree/faf5c3fe33e0b61c7c8a7888dd862bf5def17ad2) as of September 13th 2021. Only the reference C implementation of Kyber is currently integrated. The source code is in the `pqcrystals_kyber_ref_common` folder.
 
-To be able to compile multiple variants of Kyber without duplicating the code, we add a C file for each Kyber variant, directly include the required C and header files from `pqcrystals_kyber_ref_common`, and define the appropriate `KYBER_K` value to specify the variant to be compiled (see `kyber512_ref.c` for example).
+To be able to compile multiple variants of Kyber without duplicating the code, we add a C file for each Kyber variant, directly include the required C and header files from `pqcrystals_kyber_ref_common`, and define the appropriate `KYBER_K` value to specify the variant to be compiled (see `kyber512r3_ref.c` for example).
 
 The following changes were made to the source code in `pqcrystals_kyber_ref_common` (compared to the official Kyber repository):