kem: add X25519MLKEM768 TLS hybrid KEM

bwesterb · bwesterb · commit 1a2c24d25989 · 2024-09-05T14:18:35.000+02:00
diff --git a/kem/hybrid/hybrid.go b/kem/hybrid/hybrid.go
@@ -1,13 +1,13 @@
-// Package hybrid defines several hybrid classical/quantum KEMs.
+// Package hybrid defines several hybrid classical/quantum KEMs for use in TLS.
 //
-// KEMs are combined by simple concatenation of shared secrets, cipher texts,
-// public keys, etc, see
+// Hybrid KEMs in TLS are created by simple concatenation
+// of shared secrets, cipher texts, public keys, etc.
+// This is safe for TLS, see eg.
 //
 //	https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
 //	https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
 //
-// Note that this is only fine if the shared secret is used in its entirety
-// in a next step, such as being hashed or used as key.
+// Note that this approach is not proven secure in broader context.
 //
 // For deriving a KEM keypair deterministically and encapsulating
 // deterministically, we expand a single seed to both using SHAKE256,
@@ -38,6 +38,7 @@ import (
 	"github.com/cloudflare/circl/kem/kyber/kyber1024"
 	"github.com/cloudflare/circl/kem/kyber/kyber512"
 	"github.com/cloudflare/circl/kem/kyber/kyber768"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem768"
 )
 
 var ErrUninitialized = errors.New("public or private key not initialized")
@@ -57,6 +58,9 @@ func Kyber1024X448() kem.Scheme { return kyber1024X }
 // Returns the hybrid KEM of Kyber768Draft00 and P-256.
 func P256Kyber768Draft00() kem.Scheme { return p256Kyber768Draft00 }
 
+// Returns the hybrid KEM of ML-KEM-768 and X25519.
+func X25519MLKEM768() kem.Scheme { return xmlkem768 }
+
 var p256Kyber768Draft00 kem.Scheme = &scheme{
 	"P256Kyber768Draft00",
 	p256Kem,
@@ -87,6 +91,12 @@ var kyber1024X kem.Scheme = &scheme{
 	kyber1024.Scheme(),
 }
 
+var xmlkem768 kem.Scheme = &scheme{
+	"X25519MLKEM768",
+	mlkem768.Scheme(),
+	x25519Kem,
+}
+
 // Public key of a hybrid KEM.
 type publicKey struct {
 	scheme *scheme
diff --git a/kem/schemes/schemes.go b/kem/schemes/schemes.go
@@ -49,6 +49,7 @@ var allSchemes = [...]kem.Scheme{
 	hybrid.Kyber768X448(),
 	hybrid.Kyber1024X448(),
 	hybrid.P256Kyber768Draft00(),
+	hybrid.X25519MLKEM768(),
 }
 
 var allSchemeNames map[string]kem.Scheme
diff --git a/kem/schemes/schemes_test.go b/kem/schemes/schemes_test.go
@@ -163,4 +163,5 @@ func Example_schemes() {
 	// Kyber768-X448
 	// Kyber1024-X448
 	// P256Kyber768Draft00
+	// X25519MLKEM768
 }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ var allSchemes = [...]kem.Scheme{`
`49`	`49`	`hybrid.Kyber768X448(),`
`50`	`50`	`hybrid.Kyber1024X448(),`
`51`	`51`	`hybrid.P256Kyber768Draft00(),`
	`52`	`+ hybrid.X25519MLKEM768(),`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`var allSchemeNames map[string]kem.Scheme`
Original file line number	Diff line number	Diff line change
`@@ -163,4 +163,5 @@ func Example_schemes() {`
`163`	`163`	`// Kyber768-X448`
`164`	`164`	`// Kyber1024-X448`
`165`	`165`	`// P256Kyber768Draft00`
	`166`	`+ // X25519MLKEM768`
`166`	`167`	`}`