Resolved issues:
Resolves PQCrypto-99
Description of changes:
NIST recently published FIPS-203 which standardizes the ML-KEM algorithm (formerly known as Kyber in s2n). Final standardization of the hybrid-PQ TLS groups to include the standardized version of ML-KEM is imminent. The draft for the final construction and IANA assignments is available here. The corresponding implementation of ML-KEM is merged and available in AWS-LC with a NID assigned here.
This PR implements draft-kwiatkowski-tls-ecdhe-mlkem with the assumption that it will be ratified as-is by the IETF. The document defines the TLS groups `SecP256r1MLKEM768` and `X25519MLKEM768`, which succeed the existing "temporary" draft code points for `SecP256r1Kyber768Draft00` and `X25519Kyber768Draft00`. We expose these TLS groups under two new TLS security policies: an "IETF only" policy, which drops support for all prior draft implementations and is intended to be the new `default_pq` policy, and a "mixed" policy, which includes support for all existing drafts and is intended to be used for interim compatibility for customers that have already deployed draft standards.

Call-outs:
`S2N_LIBCRYPTO_SUPPORTS_MLKEM` was added to conditionally build in support for ML-KEM. `s2n_pq_is_enabled` is simply an alias for `s2n_libcrypto_supports_evp_kem`, and references to this were either removed or renamed.

Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.