cloudflare · armfazh · Jan 5, 2024 · Jan 18, 2025
diff --git a/hpke/algs.go b/hpke/algs.go
@@ -16,6 +16,7 @@ import (
 	"github.com/cloudflare/circl/ecc/p384"
 	"github.com/cloudflare/circl/kem"
 	"github.com/cloudflare/circl/kem/kyber/kyber768"
+	"github.com/cloudflare/circl/kem/xwing"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/hkdf"
 )
@@ -39,6 +40,8 @@ const (
 	// KEM_X25519_KYBER768_DRAFT00 is a hybrid KEM built on DHKEM(X25519, HKDF-SHA256)
 	// and Kyber768Draft00
 	KEM_X25519_KYBER768_DRAFT00 KEM = 0x30
+	// KEM_XWING is a hybrid KEM using X25519 and ML-KEM-768.
+	KEM_XWING KEM = 0x647a
 )
 
 // IsValid returns true if the KEM identifier is supported by the HPKE package.
@@ -49,7 +52,8 @@ func (k KEM) IsValid() bool {
 		KEM_P521_HKDF_SHA512,
 		KEM_X25519_HKDF_SHA256,
 		KEM_X448_HKDF_SHA512,
-		KEM_X25519_KYBER768_DRAFT00:
+		KEM_X25519_KYBER768_DRAFT00,
+		KEM_XWING:
 		return true
 	default:
 		return false
@@ -58,7 +62,7 @@ func (k KEM) IsValid() bool {
 
 // Scheme returns an instance of a KEM that supports authentication. Panics if
 // the KEM identifier is invalid.
-func (k KEM) Scheme() kem.AuthScheme {
+func (k KEM) Scheme() kem.Scheme {
 	switch k {
 	case KEM_P256_HKDF_SHA256:
 		return dhkemp256hkdfsha256
@@ -72,6 +76,8 @@ func (k KEM) Scheme() kem.AuthScheme {
 		return dhkemx448hkdfsha512
 	case KEM_X25519_KYBER768_DRAFT00:
 		return hybridkemX25519Kyber768
+	case KEM_XWING:
+		return kemXwing
 	default:
 		panic(ErrInvalidKEM)
 	}
@@ -237,6 +243,7 @@ var (
 	dhkemp256hkdfsha256, dhkemp384hkdfsha384, dhkemp521hkdfsha512 shortKEM
 	dhkemx25519hkdfsha256, dhkemx448hkdfsha512                    xKEM
 	hybridkemX25519Kyber768                                       hybridKEM
+	kemXwing                                                      genericNoAuthKEM
 )
 
 func init() {
@@ -275,4 +282,7 @@ func init() {
 	hybridkemX25519Kyber768.kemBase.Hash = crypto.SHA256
 	hybridkemX25519Kyber768.kemA = dhkemx25519hkdfsha256
 	hybridkemX25519Kyber768.kemB = kyber768.Scheme()
+
+	kemXwing.Scheme = xwing.Scheme()
+	kemXwing.name = "HPKE_KEM_XWING"
 }
diff --git a/hpke/genericnoauthkem.go b/hpke/genericnoauthkem.go
@@ -0,0 +1,27 @@
+package hpke
+
+// Shim to use generic KEM (kem.Scheme) as HPKE KEM.
+
+import (
+	"github.com/cloudflare/circl/internal/sha3"
+	"github.com/cloudflare/circl/kem"
+)
+
+// genericNoAuthKEM wraps a generic KEM (kem.Scheme) to be used as a HPKE KEM.
+type genericNoAuthKEM struct {
+	kem.Scheme
+	name string
+}
+
+func (h genericNoAuthKEM) Name() string { return h.name }
+
+// HPKE requires DeriveKeyPair() to take any seed larger than the private key
+// size, whereas typical KEMs expect a specific seed size. We'll just use
+// SHAKE256 to hash it to the right size as in X-Wing.
+func (h genericNoAuthKEM) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
+	seed2 := make([]byte, h.Scheme.SeedSize())
+	hh := sha3.NewShake256()
+	_, _ = hh.Write(seed)
+	_, _ = hh.Read(seed2)
+	return h.Scheme.DeriveKeyPair(seed2)
+}
diff --git a/hpke/hpke.go b/hpke/hpke.go
@@ -224,7 +224,12 @@ func (s *Sender) allSetup(rnd io.Reader) ([]byte, Sealer, error) {
 	case modeBase, modePSK:
 		enc, ss, err = scheme.EncapsulateDeterministically(s.pkR, seed)
 	case modeAuth, modeAuthPSK:
-		enc, ss, err = scheme.AuthEncapsulateDeterministically(s.pkR, s.skS, seed)
+		authScheme, ok := scheme.(kem.AuthScheme)
+		if !ok {
+			return nil, nil, ErrInvalidAuthKEM
+		}
+
+		enc, ss, err = authScheme.AuthEncapsulateDeterministically(s.pkR, s.skS, seed)
 	}
 	if err != nil {
 		return nil, nil, err
@@ -246,7 +251,12 @@ func (r *Receiver) allSetup() (Opener, error) {
 	case modeBase, modePSK:
 		ss, err = scheme.Decapsulate(r.skR, r.enc)
 	case modeAuth, modeAuthPSK:
-		ss, err = scheme.AuthDecapsulate(r.skR, r.enc, r.pkS)
+		authScheme, ok := scheme.(kem.AuthScheme)
+		if !ok {
+			return nil, ErrInvalidAuthKEM
+		}
+
+		ss, err = authScheme.AuthDecapsulate(r.skR, r.enc, r.pkS)
 	}
 	if err != nil {
 		return nil, err
@@ -263,6 +273,7 @@ var (
 	ErrInvalidHPKESuite       = errors.New("hpke: invalid HPKE suite")
 	ErrInvalidKDF             = errors.New("hpke: invalid KDF identifier")
 	ErrInvalidKEM             = errors.New("hpke: invalid KEM identifier")
+	ErrInvalidAuthKEM         = errors.New("hpke: KEM does not support Auth mode")
 	ErrInvalidAEAD            = errors.New("hpke: invalid AEAD identifier")
 	ErrInvalidKEMPublicKey    = errors.New("hpke: invalid KEM public key")
 	ErrInvalidKEMPrivateKey   = errors.New("hpke: invalid KEM private key")

diff --git a/hpke/hpke_test.go b/hpke/hpke_test.go
@@ -160,6 +160,7 @@ func BenchmarkHpkeRoundTrip(b *testing.B) {
 	}{
 		{hpke.KEM_X25519_HKDF_SHA256, hpke.KDF_HKDF_SHA256, hpke.AEAD_AES128GCM},
 		{hpke.KEM_X25519_KYBER768_DRAFT00, hpke.KDF_HKDF_SHA256, hpke.AEAD_AES128GCM},
+		{hpke.KEM_XWING, hpke.KDF_HKDF_SHA256, hpke.AEAD_AES128GCM},
 	}
 	for _, test := range tests {
 		runHpkeBenchmark(b, test.kem, test.kdf, test.aead)

diff --git a/kem/schemes/schemes.go b/kem/schemes/schemes.go
@@ -29,6 +29,7 @@ import (
 	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
 	"github.com/cloudflare/circl/kem/mlkem/mlkem512"
 	"github.com/cloudflare/circl/kem/mlkem/mlkem768"
+	"github.com/cloudflare/circl/kem/xwing"
 )
 
 var allSchemes = [...]kem.Scheme{
@@ -50,6 +51,7 @@ var allSchemes = [...]kem.Scheme{
 	hybrid.Kyber1024X448(),
 	hybrid.P256Kyber768Draft00(),
 	hybrid.X25519MLKEM768(),
+	xwing.Scheme(),
 }
 
 var allSchemeNames map[string]kem.Scheme

diff --git a/kem/schemes/schemes_test.go b/kem/schemes/schemes_test.go
@@ -160,4 +160,5 @@ func Example_schemes() {
 	// Kyber1024-X448
 	// P256Kyber768Draft00
 	// X25519MLKEM768
+	// X-Wing
 }
diff --git a/kem/xwing/scheme.go b/kem/xwing/scheme.go
@@ -0,0 +1,140 @@
+package xwing
+
+import (
+	"bytes"
+	cryptoRand "crypto/rand"
+	"crypto/subtle"
+
+	"github.com/cloudflare/circl/kem"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem768"
+)
+
+// This file contains the boilerplate code to connect X-Wing to the
+// generic KEM API.
+
+// Returns the generic KEM interface for  X-Wing PQ/T hybrid KEM.
+func Scheme() kem.Scheme { return scheme{} }
+
+type scheme struct{}
+
+func (scheme) Name() string               { return "X-Wing" }
+func (scheme) PublicKeySize() int         { return PublicKeySize }
+func (scheme) PrivateKeySize() int        { return PrivateKeySize }
+func (scheme) SeedSize() int              { return SeedSize }
+func (scheme) EncapsulationSeedSize() int { return EncapsulationSeedSize }
+func (scheme) SharedKeySize() int         { return SharedKeySize }
+func (scheme) CiphertextSize() int        { return CiphertextSize }
+func (*PrivateKey) Scheme() kem.Scheme    { return scheme{} }
+func (*PublicKey) Scheme() kem.Scheme     { return scheme{} }
+
+func (sch scheme) Encapsulate(pk kem.PublicKey) (ct, ss []byte, err error) {
+	var seed [EncapsulationSeedSize]byte
+	_, err = cryptoRand.Read(seed[:])
+	if err != nil {
+		return
+	}
+	return sch.EncapsulateDeterministically(pk, seed[:])
+}
+
+func (scheme) EncapsulateDeterministically(
+	pk kem.PublicKey, seed []byte,
+) ([]byte, []byte, error) {
+	if len(seed) != EncapsulationSeedSize {
+		return nil, nil, kem.ErrSeedSize
+	}
+	pub, ok := pk.(*PublicKey)
+	if !ok {
+		return nil, nil, kem.ErrTypeMismatch
+	}
+	var (
+		ct [CiphertextSize]byte
+		ss [SharedKeySize]byte
+	)
+	pub.EncapsulateTo(ct[:], ss[:], seed)
+	return ct[:], ss[:], nil
+}
+
+func (scheme) UnmarshalBinaryPublicKey(buf []byte) (kem.PublicKey, error) {
+	var pk PublicKey
+	if len(buf) != PublicKeySize {
+		return nil, kem.ErrPubKeySize
+	}
+
+	if err := pk.Unpack(buf); err != nil {
+		return nil, err
+	}
+	return &pk, nil
+}
+
+func (scheme) UnmarshalBinaryPrivateKey(buf []byte) (kem.PrivateKey, error) {
+	var sk PrivateKey
+	if len(buf) != PrivateKeySize {
+		return nil, kem.ErrPrivKeySize
+	}
+
+	sk.Unpack(buf)
+	return &sk, nil
+}
+
+func (sk *PrivateKey) MarshalBinary() ([]byte, error) {
+	var ret [PrivateKeySize]byte
+	sk.Pack(ret[:])
+	return ret[:], nil
+}
+
+func (sk *PrivateKey) Equal(other kem.PrivateKey) bool {
+	oth, ok := other.(*PrivateKey)
+	if !ok {
+		return false
+	}
+	return sk.m.Equal(&oth.m) &&
+		subtle.ConstantTimeCompare(oth.x[:], sk.x[:]) == 1
+}
+
+func (sk *PrivateKey) Public() kem.PublicKey {
+	var pk PublicKey
+	pk.m = *(sk.m.Public().(*mlkem768.PublicKey))
+	pk.x = sk.xpk
+	return &pk
+}
+
+func (pk *PublicKey) Equal(other kem.PublicKey) bool {
+	oth, ok := other.(*PublicKey)
+	if !ok {
+		return false
+	}
+	return pk.m.Equal(&oth.m) && bytes.Equal(pk.x[:], oth.x[:])
+}
+
+func (pk *PublicKey) MarshalBinary() ([]byte, error) {
+	var ret [PublicKeySize]byte
+	pk.Pack(ret[:])
+	return ret[:], nil
+}
+
+func (scheme) DeriveKeyPair(seed []byte) (kem.PublicKey, kem.PrivateKey) {
+	sk, pk := DeriveKeyPair(seed)
+	return pk, sk
+}
+
+func (scheme) GenerateKeyPair() (kem.PublicKey, kem.PrivateKey, error) {
+	sk, pk, err := GenerateKeyPair(nil)
+	return pk, sk, err
+}
+
+func (scheme) Decapsulate(sk kem.PrivateKey, ct []byte) ([]byte, error) {
+	if len(ct) != CiphertextSize {
+		return nil, kem.ErrCiphertextSize
+	}
+
+	var ss [SharedKeySize]byte
+
+	priv, ok := sk.(*PrivateKey)
+	if !ok {
+		return nil, kem.ErrTypeMismatch
+	}
+
+	priv.DecapsulateTo(ss[:], ct[:])
+
+	return ss[:], nil
+}